USN-5199-1

Source

https://ubuntu.com/security/notices/USN-5199-1

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/USN-5199-1.json

Related

Published

2021-12-17T14:53:00.335664Z

Modified

2021-12-17T14:53:00.335664Z

Details

It was discovered that the urllib.request.AbstractBasicAuthHandler class in Python contains regex with a quadratic worst-case time complexity. Specially crafted traffic from a malicious HTTP server could cause a regular expression denial of service (ReDoS) condition for a client. (CVE-2021-3733)

It was discovered that the Python urllib http client could enter into an infinite loop when incorrectly handling certain server responses (100 Continue response). Specially crafted traffic from a malicious HTTP server could cause a denial of service (DoS) condition for a client. (CVE-2021-3737)

References

Affected packages

Ubuntu:18.04:LTS / python3.6

Package

Name: python3.6

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0The exact introduced commit is unknown

Fixed

3.6.9-1~18.04ubuntu1.6

Ecosystem specific

{
    "availability": "No subscription needed",
    "binaries": [
        {
            "python3.6-minimal": "3.6.9-1~18.04ubuntu1.6",
            "idle-python3.6": "3.6.9-1~18.04ubuntu1.6",
            "python3.6-examples": "3.6.9-1~18.04ubuntu1.6",
            "python3.6-dev": "3.6.9-1~18.04ubuntu1.6",
            "python3.6": "3.6.9-1~18.04ubuntu1.6",
            "libpython3.6": "3.6.9-1~18.04ubuntu1.6",
            "libpython3.6-stdlib": "3.6.9-1~18.04ubuntu1.6",
            "libpython3.6-dev": "3.6.9-1~18.04ubuntu1.6",
            "python3.6-venv": "3.6.9-1~18.04ubuntu1.6",
            "libpython3.6-testsuite": "3.6.9-1~18.04ubuntu1.6",
            "python3.6-doc": "3.6.9-1~18.04ubuntu1.6",
            "libpython3.6-minimal": "3.6.9-1~18.04ubuntu1.6"
        }
    ]
}