bpo-42278: Replaced usage of tempfile.mktemp() with TemporaryDirectory to avoid a potential race condition.
bpo-44394: Update the vendored copy of libexpat to 2.4.1 (from 2.2.8) to get the fix for the CVE-2013-0340 "Billion Laughs" vulnerability. This copy is most used on Windows and macOS.
bpo-43124: Made the internal putcmd function in smtplib sanitize input for presence of \r and \n characters to avoid (unlikely) command injection.
bpo-36384: ipaddress module no longer accepts any leading zeros in IPv4 address strings. Leading zeros are ambiguous and interpreted as octal notation by some libraries. For example the legacy function socket.inet_aton() treats leading zeros as octal notation. glibc implementation of modern inet_pton() does not accept any leading zeros. For a while the ipaddress module used to accept ambiguous leading zeros.
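The ambiguity described in bpo-36384, as an added example (not code from CPython or from this changelog): the same string yields two different addresses depending on whether a parser reads a leading zero as octal, so a validator should reject such literals rather than pick one reading. The helper names `parse_octets`, `is_ambiguous` and `strict_ipv4` and the sample strings are assumptions made for this illustration.

```python
import ipaddress


def parse_octets(text, octal_leading_zero):
    """Parse dotted-quad text; return a 4-tuple of ints, or None if invalid.

    octal_leading_zero=True models parsers that read "010" as octal 8;
    False models parsers that read it as decimal 10.
    """
    parts = text.split(".")
    if len(parts) != 4:
        return None
    octets = []
    for part in parts:
        if not (part.isascii() and part.isdigit()):
            return None
        octal = octal_leading_zero and len(part) > 1 and part[0] == "0"
        try:
            value = int(part, 8 if octal else 10)
        except ValueError:  # e.g. "09" is not a valid octal number
            return None
        if value > 255:
            return None
        octets.append(value)
    return tuple(octets)


def is_ambiguous(text):
    """True when the decimal and octal readings of the string disagree."""
    return parse_octets(text, False) != parse_octets(text, True)


def strict_ipv4(text):
    """Accept only literals in which no octet has a leading zero."""
    octets = parse_octets(text, False)
    if octets is None or any(len(p) > 1 and p[0] == "0" for p in text.split(".")):
        raise ValueError(f"ambiguous or invalid IPv4 literal: {text!r}")
    return ipaddress.IPv4Address(".".join(map(str, octets)))


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real log or report.
    for sample in ["192.168.1.1", "010.8.8.8", "0377.0.0.1", "09.1.1.1"]:
        print(sample, parse_octets(sample, False), parse_octets(sample, True),
              "AMBIGUOUS" if is_ambiguous(sample) else "ok")
```

Running `strict_ipv4` on input before it reaches an allowlist or blocklist check keeps the check and the later connection from disagreeing about which host the string names.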
It was discovered that Python incorrectly handled certain RFCs. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 16.04 ESM. (CVE-2021-3733)
It was discovered that Python incorrectly handled certain server responses. An attacker could possibly use this issue to cause a denial of service. (CVE-2021-3737)