Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.
CVE-2020-8492 (https://nvd.nist.gov/vuln/detail/CVE-2020-8492): Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.
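The root cause named above is a regular expression with nested, overlapping quantifiers in urllib.request.AbstractBasicAuthHandler, which backtracks catastrophically when a hostile server sends a long WWW-Authenticate value that never quite matches. As an added example (not CPython's code and not the upstream fix), the following scanner extracts the same information the handler needs, the scheme and its realm, in a single left-to-right pass with no regular expression, so there is nothing to backtrack; the MAX_HEADER_LEN cap and the sample headers are constructed for this example.

```python
"""Linear-time parsing of HTTP WWW-Authenticate challenges (added example)."""
from typing import Dict, List, Optional, Tuple

# Defensive cap (an assumption for this example): a header longer than this
# is rejected before parsing rather than walked at all.
MAX_HEADER_LEN = 8 * 1024


def parse_challenges(header: str) -> List[Tuple[str, Dict[str, str]]]:
    """Return [(scheme, {param: value, ...}), ...] for a WWW-Authenticate value.

    One pass over the input, O(len(header)). Tokens are delimited by commas
    and whitespace; quoted values may contain commas and backslash escapes.
    Parameter names are lower-cased; schemes are returned as sent.
    """
    if len(header) > MAX_HEADER_LEN:
        raise ValueError("WWW-Authenticate header too long")

    challenges: List[Tuple[str, Dict[str, str]]] = []
    i, n = 0, len(header)

    def skip_ws_and_commas() -> None:
        nonlocal i
        while i < n and header[i] in " \t,":
            i += 1

    def read_token() -> str:
        nonlocal i
        start = i
        while i < n and header[i] not in " \t,=":
            i += 1
        return header[start:i]

    def read_value() -> str:
        nonlocal i
        if i < n and header[i] in "\"'":
            quote = header[i]
            i += 1
            out = []
            while i < n and header[i] != quote:
                if header[i] == "\\" and i + 1 < n:   # backslash escape
                    i += 1
                out.append(header[i])
                i += 1
            i += 1  # consume the closing quote (or stop at end of input)
            return "".join(out)
        return read_token()

    skip_ws_and_commas()
    while i < n:
        scheme = read_token()
        if not scheme:          # stray '=' or similar: nothing more to parse
            break
        params: Dict[str, str] = {}
        while True:
            skip_ws_and_commas()
            save = i
            key = read_token()
            if key and i < n and header[i] == "=":
                i += 1
                params[key.lower()] = read_value()
            else:
                i = save        # a token without '=' starts the next challenge
                break
        challenges.append((scheme, params))
        skip_ws_and_commas()
    return challenges


def basic_realm(header: str) -> Optional[str]:
    """Realm of the first Basic challenge, or None if there is none."""
    for scheme, params in parse_challenges(header):
        if scheme.lower() == "basic":
            return params.get("realm")
    return None


# Constructed sample headers for the example.
SAMPLE_HEADERS = [
    'Basic realm="WallyWorld"',
    'Digest realm="example", qop="auth", Basic realm=\'legacy\'',
    'Basic realm="a, b", Bearer realm="api", error="invalid_token"',
    "Negotiate, Basic realm=unquoted",
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(repr(h), "->", parse_challenges(h), "| basic realm:", basic_realm(h))
```

Because the scanner only ever advances the index, its cost is bounded by the header length regardless of content, which is the property the original regex lacked; the length cap is a second, independent limit on how much work a single response can demand.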
So apparently 3.8.2 is the only good version now.
Hmm, no, apparently the CVE didn't account for 3.8.2. Upstream did not merge a fix yet ;-/.
(In reply to Michał Górny from comment #3)
> Hmm, no, apparently the CVE didn't account for 3.8.2. Upstream did not
> merge a fix yet ;-/.

Patched in 2.7.18: https://github.com/python/cpython/commit/e6499033032d5b647e43a3b49da0c1c64b151743
3.6: https://github.com/python/cpython/commit/69cdeeb93e0830004a495ed854022425b93b3f3e
3.7: https://github.com/python/cpython/commit/b57a73694e26e8b2391731b5ee0b1be59437388e
3.8: https://github.com/python/cpython/commit/ea9e240aa02372440be8024acb110371f69c9d41
master (3.9?): https://github.com/python/cpython/commit/0b297d4ff1c0e4480ad33acae793fbaf4bf015b4
PR: https://github.com/python/cpython/pull/18284
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4d0962541c4227d11c9fbcc5373104676680859f
commit 4d0962541c4227d11c9fbcc5373104676680859f
Author: Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-04-22 12:20:35 +0000
Commit: Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-04-22 13:32:28 +0000

    dev-lang/python: Backport secfixes to 3.9.0a5, redo patchset

    Bug: https://bugs.gentoo.org/707822
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest                      |   2 +
 dev-lang/python/python-3.9.0_alpha5-r1.ebuild | 329 ++++++++++++++++++++++++++
 2 files changed, 331 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d24d55c6519197b1f7f70c9233aac9d06823a0cc
commit d24d55c6519197b1f7f70c9233aac9d06823a0cc
Author: Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-04-22 12:16:04 +0000
Commit: Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-04-22 13:32:26 +0000

    dev-lang/python: Backport secfixes to 3.8.2, redo patchset

    Bug: https://bugs.gentoo.org/707822
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest               |   2 +-
 dev-lang/python/python-3.8.2-r2.ebuild | 348 +++++++++++++++++++++++++++++++++
 2 files changed, 349 insertions(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=84738a6394aa497ed0cc14c1cca27cf2f3a42030
commit 84738a6394aa497ed0cc14c1cca27cf2f3a42030
Author: Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-04-22 12:11:25 +0000
Commit: Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-04-22 13:32:25 +0000

    dev-lang/python: Backport secfixes to 3.7.7, redo patchset

    Bug: https://bugs.gentoo.org/707822
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest               |   1 +
 dev-lang/python/python-3.7.7-r2.ebuild | 345 +++++++++++++++++++++++++++++++++
 2 files changed, 346 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f79755dbf44b79c2f5b99e9f3258b656d2d99ebb
commit f79755dbf44b79c2f5b99e9f3258b656d2d99ebb
Author: Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-04-22 11:57:16 +0000
Commit: Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-04-22 13:32:24 +0000

    dev-lang/python: Backport secfixes to 3.6.10, redo patchset

    Bug: https://bugs.gentoo.org/707822
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest                |   1 +
 dev-lang/python/python-3.6.10-r2.ebuild | 359 ++++++++++++++++++++++++++++++++
 2 files changed, 360 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ca57e96ecbcd060e4f70aa24ccd83470ccb8a434
commit ca57e96ecbcd060e4f70aa24ccd83470ccb8a434
Author: Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-04-22 11:33:10 +0000
Commit: Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-04-22 13:32:23 +0000

    dev-lang/python: Bump to 2.7.18

    Bug: https://bugs.gentoo.org/707822
    Closes: https://bugs.gentoo.org/716332
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest             |   2 +
 dev-lang/python/python-2.7.18.ebuild | 366 +++++++++++++++++++++++++++++++++++
 2 files changed, 368 insertions(+)
amd64 stable
arm stable
x86 stable
arm64 stable
s390 stable
ppc stable
ppc64 stable
This issue was resolved and addressed in GLSA 202005-09 at https://security.gentoo.org/glsa/202005-09 by GLSA coordinator Thomas Deutschmann (whissi).
Re-opening for cleanup and remaining architectures.
@hppa, sparc: ping
sparc stable
hppa stable
@maintainer(s), please cleanup
Cleanup was done here.
Unable to check for sanity:
> no match for package: dev-lang/python-2.7.18
tree is clean https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b6b56771127f16adedc71c66627bd4a5b7804af9