type: security
subject: Updated python3 packages fix security vulnerability
CVE:
 - CVE-2018-14647
 - CVE-2018-20406
 - CVE-2019-5010
 - CVE-2019-9636
src:
  6:
   core:
     - python3-3.5.7-1.mga6
description: |
  Python's elementtree C accelerator failed to initialise Expat's hash salt
  during initialization. This could make it easy to conduct denial of service
  attacks against Expat by constructing an XML document that would cause
  pathological hash collisions in Expat's internal data structures, consuming
  large amounts of CPU and RAM (CVE-2018-14647).

  Modules/_pickle.c in Python before 3.5.7 has an integer overflow via a large
  LONG_BINPUT value that is mishandled during a "resize to twice the size"
  attempt. This issue might cause memory exhaustion, but is only relevant if
  the pickle format is used for serializing tens or hundreds of gigabytes of
  data (CVE-2018-20406).

  A null pointer dereference vulnerability was found in the certificate
  parsing code in Python. This causes a denial of service to applications when
  parsing specially crafted certificates. This vulnerability is unlikely to be
  triggered if the application enables SSL/TLS certificate validation and
  accepts certificates only from trusted root certificate authorities
  (CVE-2019-5010).

  A vulnerability was found in Python 3.x through 3.5.7. Improper handling of
  Unicode encoding (with an incorrect netloc) during NFKC normalization could
  lead to an information disclosure (credentials, cookies, etc. that are cached
  against a given hostname) in the urllib.parse.urlsplit and
  urllib.parse.urlparse components. A specially crafted URL could be
  incorrectly parsed to locate cookies or authentication data and send that
  information to a different host than when parsed correctly (CVE-2019-9636).

  The python3 package has been updated to version 3.5.7, fixing these and other
  issues.
references:
 - https://bugs.mageia.org/show_bug.cgi?id=23664
 - https://pythoninsider.blogspot.com/2019/03/python-3.html
 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/A7QEHDSATR6O6LCG44EN2DA4QDAYBYWW/
 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JSKPGPZQNTAULHW4UH63KGOOUIDE4RRB/
ID: MGASA-2019-0135
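The CVE-2019-9636 entry above describes the hazard only in outline: a host part that NFKC normalization (which IDNA applies to hostnames) expands into characters urlsplit() treats as delimiters. The following pre-check is an added example, not code from the advisory or from CPython; the function names `netloc_is_nfkc_safe`, `safe_urlsplit` and `url_is_safe` are my own, and the sample hosts are constructed. It mirrors the shape of the upstream fix so that an application on an unpatched interpreter can reject such URLs before caching credentials or cookies against the parsed host.

```python
import unicodedata
from urllib.parse import urlsplit

# Characters that, if a host gains them after NFKC normalization, move the
# point where urlsplit() would have cut the netloc from path/query/fragment.
URL_DELIMITERS = "/?#@:"


def netloc_is_nfkc_safe(netloc: str) -> bool:
    """True if NFKC normalization cannot introduce a URL delimiter."""
    if not netloc or all(ord(ch) < 128 for ch in netloc):
        return True  # pure ASCII is unchanged by NFKC
    # Delimiters the parser already saw (userinfo '@', port ':') are dropped
    # so that only characters *introduced* by normalization count.
    stripped = "".join(ch for ch in netloc if ch not in URL_DELIMITERS)
    normalized = unicodedata.normalize("NFKC", stripped)
    if normalized == stripped:
        return True  # normalization is a no-op for this host
    # e.g. U+2100 (ACCOUNT OF) normalizes to 'a/c', U+FF0F to '/'
    return not any(ch in normalized for ch in URL_DELIMITERS)


def safe_urlsplit(url: str):
    """urlsplit() that rejects a URL whose host changes meaning under NFKC."""
    # A patched urlsplit() already raises ValueError for such input; on an
    # older interpreter this wrapper supplies the same behaviour.
    parts = urlsplit(url)
    if not netloc_is_nfkc_safe(parts.netloc):
        raise ValueError(
            f"netloc {parts.netloc!r} contains characters that expand to "
            "URL delimiters under NFKC normalization"
        )
    return parts


def url_is_safe(url: str) -> bool:
    """Boolean form of safe_urlsplit() for allow/deny decisions."""
    try:
        safe_urlsplit(url)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed samples: a benign IDN host, and a host containing U+FF0F
    # (FULLWIDTH SOLIDUS), a compatibility character that NFKC maps to '/'.
    for sample in ("https://h\u00f6st.example/", "https://example.com\uff0fevil.test/"):
        print(repr(sample), "accepted" if url_is_safe(sample) else "rejected")
```

A host that merely changes spelling under NFKC without gaining a delimiter (for example U+2116, which normalizes to "No") is still accepted, since it cannot shift the parser's cut point.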