An exploitable denial-of-service vulnerability exists in the X509 certificate parser of Python.org Python 2.7.11 / 3.6.6. A specially crafted X509 certificate can cause a NULL pointer dereference, resulting in a denial of service. An attacker can initiate or accept TLS connections using crafted certificates to trigger this vulnerability.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5010
https://bugs.python.org/file48052/TALOS-2019-0758.txt
https://python-security.readthedocs.io/vuln/ssl-crl-dps-dos.html

Test:

$ wget -q https://raw.githubusercontent.com/python/cpython/master/Lib/test/talos-2019-0758.pem
$ python3
Python 3.4.8 (default, May 11 2018, 23:17:39)
[GCC 6.4.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import ssl
>>> ssl._ssl._test_decode_cert('talos-2019-0758.pem')
Segmentation fault
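The test in the report above crashes the interpreter that runs it, so checking several installed Python slots is easier from a wrapper that runs the same call in a child process and reads the exit status. This is an added example, not part of the original report or of Gentoo's tooling; the function names are hypothetical, the interpreter names `python2.7` to `python3.7` are assumed binary names for the branches discussed in this bug, and POSIX exit-status conventions are assumed.

```python
import shutil
import signal
import subprocess
import sys

# Same call as the "Test:" transcript above, run in a child interpreter so a
# crash cannot take down the process doing the checking.
CHILD = "import ssl, sys; ssl._ssl._test_decode_cert(sys.argv[1])"


def classify(returncode):
    """Map a POSIX child exit status to a verdict string."""
    if returncode == 0:
        return "parsed"  # certificate decoded without error
    if returncode < 0:
        # subprocess reports death by signal N as -N; SIGSEGV is the page's symptom.
        return "crashed:" + signal.Signals(-returncode).name
    return "rejected"  # Python exception: unreadable file, parse error, no ssl module


def probe(pem_path, python=sys.executable, timeout=15):
    """Decode pem_path with the given interpreter and report what happened."""
    try:
        proc = subprocess.run(
            [python, "-c", CHILD, pem_path],
            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, timeout=timeout,
        )
    except subprocess.TimeoutExpired:
        return "timeout"
    return classify(proc.returncode)


def probe_slots(pem_path, names=("python2.7", "python3.4", "python3.5",
                                 "python3.6", "python3.7")):
    """Probe every interpreter from `names` that is installed on PATH."""
    results = {}
    for name in names:
        path = shutil.which(name)
        if path:
            results[name] = probe(pem_path, path)
    return results


if __name__ == "__main__":
    pem = sys.argv[1] if len(sys.argv) > 1 else "talos-2019-0758.pem"
    for name, verdict in sorted(probe_slots(pem).items()):
        print("%-10s %s" % (name, verdict))
```

A slot that reports `crashed:SIGSEGV` for the downloaded `talos-2019-0758.pem` still carries the unfixed parser.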
Ok, so it seems that the following versions contain a fix:
2.7: 2.7.16
3.4: 3.4.10
3.5: 3.5.7
3.6: next (no rc yet)
3.7: 3.7.3rc1 (no final yet)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8ece98412e59349f1f485d5bd83919eb7d3f3e58

commit 8ece98412e59349f1f485d5bd83919eb7d3f3e58
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2019-03-21 12:44:07 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-03-21 12:44:07 +0000

    dev-lang/python: Sec-bump to 3.5.7

    Bug: https://bugs.gentoo.org/676700
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest            |   1 +
 dev-lang/python/python-3.5.7.ebuild | 368 ++++++++++++++++++++++++++++++++++++
 2 files changed, 369 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4eb3d2a0e9e70ef17f9b39b18b8d5e82f7d0d649

commit 4eb3d2a0e9e70ef17f9b39b18b8d5e82f7d0d649
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2019-03-21 13:22:24 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-03-21 13:38:36 +0000

    dev-lang/python: Sec-bump to 3.4.10

    Bug: https://bugs.gentoo.org/676700
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest             |   1 +
 dev-lang/python/python-3.4.10.ebuild | 363 +++++++++++++++++++++++++++++++++++
 2 files changed, 364 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6708701fec5c9f09ddf47fafefefc344e87bc98b

commit 6708701fec5c9f09ddf47fafefefc344e87bc98b
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2019-03-21 12:44:07 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-03-21 13:38:36 +0000

    dev-lang/python: Sec-bump to 3.5.7

    Bug: https://bugs.gentoo.org/676700
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest            |   1 +
 dev-lang/python/python-3.5.7.ebuild | 368 ++++++++++++++++++++++++++++++++++++
 2 files changed, 369 insertions(+)
Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.
Well, I don't see a reason not to stabilize the new versions but it'd probably make sense to wait for all branches to be released.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1e3fcda6cbf3533091102bc3c7272d0bcf357fb9

commit 1e3fcda6cbf3533091102bc3c7272d0bcf357fb9
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2019-03-29 12:27:40 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-03-29 12:59:12 +0000

    dev-lang/python: Bump to 3.7.3

    Bug: https://bugs.gentoo.org/676700
    Bug: https://bugs.gentoo.org/680298
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest            |   2 +
 dev-lang/python/python-3.7.3.ebuild | 325 ++++++++++++++++++++++++++++++++++++
 2 files changed, 327 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1cd1842cd013485101789106c7b25c8999cff9e9

commit 1cd1842cd013485101789106c7b25c8999cff9e9
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2019-07-14 12:46:56 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-07-14 12:48:20 +0000

    dev-lang/python: Bump to 3.6.9

    Bug: https://bugs.gentoo.org/689822
    Bug: https://bugs.gentoo.org/680246
    Bug: https://bugs.gentoo.org/676700
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest            |   1 +
 dev-lang/python/python-3.6.9.ebuild | 349 ++++++++++++++++++++++++++++++++++++
 2 files changed, 350 insertions(+)
We should probably wait for 2.7.17 and 3.5.8 to address all other Python bugs in one stabilization.
All affected versions should be gone now.
Added to an existing GLSA request.
This issue was resolved and addressed in GLSA 202003-26 at https://security.gentoo.org/glsa/202003-26 by GLSA coordinator Thomas Deutschmann (whissi).