Description: "Lib/ipaddress.py in Python through 3.8.3 improperly computes hash values in the IPv4Interface and IPv6Interface classes, which might allow a remote attacker to cause a denial of service if an application is affected by the performance of a dictionary containing IPv4Interface or IPv6Interface objects, and this attacker can cause many dictionary entries to be created."

Bug: https://bugs.python.org/issue41004
PR: https://github.com/python/cpython/pull/20956
Another vulnerability has been reported. "Email module incorrect handling of CR and LF newline characters in Address objects."

Bug: https://bugs.python.org/issue39073
Python 3.6 patch: https://github.com/python/cpython/commit/7df32f844efed33ca781a016017eab7050263b90
Python 3.7 patch: https://github.com/python/cpython/commit/a93bf82980d7c02217a088bafa193f32a4d13abb
Python 3.8 patch: https://github.com/python/cpython/commit/75635c6095bcfbb9fccc239115d3d03ae20a307f
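As an added check, written for this page and not part of CPython or the Gentoo ebuilds, the following script confirms on the running interpreter whether the two fixes above are present, independent of the version string. It relies on what each upstream fix changed: the pre-fix IPv4Interface hash XORed the address, the prefix length and the network address together, so objects in different networks with the same host bits shared one hash value, while the fixed hash mixes all three fields; and the fixed email.headerregistry.Address constructor raises ValueError when any part contains CR or LF. The 10.x.y.1/24 addresses and the display name are constructed sample inputs.

```python
"""Patch-presence checks for bpo-41004 (CVE-2020-14422) and bpo-39073.

Example code added for this bug page; it is not CPython or Gentoo code.
"""
import ipaddress
import sys
from email.headerregistry import Address


def interface_hash_spread(sample_size: int = 1000) -> int:
    """Count distinct hash values over IPv4Interface objects that sit in
    different /24 networks but share the same host bits.

    Before the bpo-41004 fix the hash depended only on the host bits and
    the prefix length, so every object built here collapses to a single
    hash value; after the fix the network address is mixed in and the
    count approaches sample_size.  Addresses are constructed sample data.
    """
    hashes = set()
    for i in range(sample_size):
        iface = ipaddress.IPv4Interface(f"10.{i >> 8}.{i & 0xFF}.1/24")
        hashes.add(hash(iface))
    return len(hashes)


def interface_hash_is_fixed(sample_size: int = 1000) -> bool:
    """True when the hash spread is consistent with the patched code."""
    # A vulnerable build yields exactly one value here.  Rather than
    # demand all-distinct hashes, tolerate the rare genuine collision.
    return interface_hash_spread(sample_size) > sample_size // 2


def address_rejects_crlf() -> bool:
    """True when Address refuses CR/LF in its parts, as the bpo-39073 fix
    makes it do.  The display name is a constructed sample input."""
    try:
        Address(display_name="Alice\nBob", addr_spec="alice@example.com")
    except ValueError:
        return True
    return False


def address_accepts_clean_input() -> str:
    """Sanity check that ordinary input still renders after the fix."""
    return str(Address(display_name="Alice", addr_spec="alice@example.com"))


if __name__ == "__main__":
    print(f"Python {sys.version.split()[0]}")
    print(f"IPv4Interface hash spread over 1000 objects: {interface_hash_spread()}")
    print(f"bpo-41004 fix present: {interface_hash_is_fixed()}")
    print(f"bpo-39073 fix present:  {address_rejects_crlf()}")
    print(f"clean Address renders as: {address_accepts_clean_input()}")
```

On a build without the ipaddress fix the spread reported is 1, which is the dictionary-performance problem the description refers to; on a build without the email fix the Address constructor returns normally instead of raising. IPv6Interface received the same hash change in the upstream PR, so the first check can be repeated with IPv6 sample addresses if that class is the one an application stores.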
Both are resolved in 3.9.0b4. Both are queued for 3.8.4 final, I'll backport them in the meantime. CRLF bug is fixed already in 3.7.8 and 3.6.11, I'll backport the ipaddress fix. ipaddress does not exist in 2.7, and the relevant email class doesn't seem to exist either.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3095f51cda2c13d8289c53966bd9f4ac354e5d73

commit 3095f51cda2c13d8289c53966bd9f4ac354e5d73
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-07-04 19:49:43 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-07-04 19:50:56 +0000

    dev-lang/python: Backport CVE-2020-14422 & emailaddr CRLF fixes

    Bug: https://bugs.gentoo.org/728668
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest                                          | 6 +++---
 dev-lang/python/{python-3.6.11.ebuild => python-3.6.11-r1.ebuild} | 2 +-
 dev-lang/python/{python-3.7.8.ebuild => python-3.7.8-r1.ebuild}   | 2 +-
 dev-lang/python/{python-3.8.3.ebuild => python-3.8.3-r1.ebuild}   | 2 +-
 4 files changed, 6 insertions(+), 6 deletions(-)
amd64 done
ppc64 stable
sparc stable
ppc stable
x86 stable
arm64 stable
arm stable
s390 stable
Fixed versions:
* dev-lang/python-3.6.11-r1
* dev-lang/python-3.7.8-r1
* dev-lang/python-3.8.3-r1

Python 2.x: unclear if affected. Finishing stabilisation in bug 732498.
Unable to check for sanity:
> dependent bug #732498 is missing keywords
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b6b56771127f16adedc71c66627bd4a5b7804af9

commit b6b56771127f16adedc71c66627bd4a5b7804af9
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2020-08-02 02:45:31 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2020-08-02 02:46:01 +0000

    dev-lang/python: drop vulnerable

    Bug: https://bugs.gentoo.org/732498
    Bug: https://bugs.gentoo.org/728668
    Signed-off-by: Aaron Bauman <bman@gentoo.org>

 dev-lang/python/Manifest                |  12 --
 dev-lang/python/python-2.7.18.ebuild    | 366 --------------------------------
 dev-lang/python/python-3.6.10-r2.ebuild | 357 -------------------------------
 dev-lang/python/python-3.6.11-r1.ebuild | 357 -------------------------------
 dev-lang/python/python-3.7.7-r2.ebuild  | 343 ------------------------------
 dev-lang/python/python-3.7.8-r1.ebuild  | 343 ------------------------------
 dev-lang/python/python-3.8.2-r2.ebuild  | 346 ------------------------------
 dev-lang/python/python-3.8.3-r1.ebuild  | 346 ------------------------------
 dev-lang/python/python-3.8.4.ebuild     | 346 ------------------------------
 9 files changed, 2816 deletions(-)
Unable to check for sanity:
> no match for package: dev-lang/python-3.6.11-r1
This issue was resolved and addressed in GLSA 202008-01 at https://security.gentoo.org/glsa/202008-01 by GLSA coordinator Sam James (sam_c).
(hppa did the newer bug).