Python: Denial of Service — GLSA 202005-09

A vulnerability in Python could lead to a Denial of Service condition.

Affected packages

dev-lang/python on all architectures
Affected versions < 2.7.18
< 3.6.10-r2
< 3.7.7-r2
< 3.8.2-r2
Unaffected versions >= 2.7.18
>= 3.6.10-r2
>= 3.7.7-r2
>= 3.8.2-r2

Background

Python is an interpreted, interactive, object-oriented programming language.

Description

An issue was discovered in urllib.request.AbstractBasicAuthHandler which allowed a remote attacker to send malicious data causing extensive regular expression backtracking.

Impact

An attacker could cause a possible Denial of Service condition.

Workaround

There is no known workaround at this time.

Resolution

All Python 2.7 users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-lang/python-2.7.18:2.7"
 

All Python 3.6 users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-lang/python-3.6.10-r2:3.6"
 

All Python 3.7 users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-lang/python-3.7.7-r2:3.7"
 

All Python 3.8 users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-lang/python-3.8.2-r2:3.8"
 

References

Release date
May 14, 2020

Latest revision
May 14, 2020: 1

Severity
normal

Exploitable
remote

Bugzilla entries