- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3966-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                       Andrej Shadura
November 26, 2024                             https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : pypy3
Version        : 7.3.5+dfsg-2+deb11u4
CVE ID         : CVE-2020-10735 CVE-2020-29651 CVE-2021-3737 CVE-2021-28861 
                 CVE-2022-0391 CVE-2022-45061 CVE-2023-27043 CVE-2024-9287

Multiple vulnerabilities have been fixed in pypy3, an alternative
implementation of the Python 3.x language.

CVE-2020-10735

    A flaw was found in Python. In algorithms with quadratic time
    complexity using non-binary bases, when using int("text"), a system
    could take 50ms to parse an int string with 100,000 digits and 5s
    for 1,000,000 digits (float, decimal, int.from_bytes(), and int()
    for binary bases 2, 4, 8, 16, and 32 are not affected). The highest
    threat from this vulnerability is to system availability.
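The description above names the affected path (decimal and other non-power-of-two bases) and the cost of parsing very long digit strings. The following is an added example, not code from the advisory or from PyPy, showing a guard a defender can put in front of `int()` on untrusted input; the 4300-digit limit mirrors the default that the upstream fix introduced, and `sys.set_int_max_str_digits` is only used when the running interpreter provides it.

```python
import sys

# The upstream fix for CVE-2020-10735 caps decimal int<->str conversions at
# 4300 digits by default; the same value is used here so the guard behaves
# identically on interpreters that predate the API.
MAX_DIGITS = 4300

# int() for bases that are powers of two runs in linear time and is not
# affected, so those conversions are not limited.
LINEAR_BASES = {2, 4, 8, 16, 32}


def enable_interpreter_limit(limit=MAX_DIGITS):
    """Turn on the runtime-wide limit where the interpreter provides it.

    Returns True if the limit was set, False on interpreters without
    sys.set_int_max_str_digits (the caller then relies on the check below).
    """
    setter = getattr(sys, "set_int_max_str_digits", None)
    if setter is None:
        return False
    setter(limit)
    return True


def parse_untrusted_int(text, base=10, limit=MAX_DIGITS):
    """Convert attacker-supplied text to int without the quadratic blow-up.

    The digit count is checked *before* int() is called, so an oversized
    string costs O(n) to reject instead of O(n^2) to parse.
    """
    s = text.strip()
    body = s[1:] if s[:1] in "+-" else s
    body = body.replace("_", "")          # PEP 515 separators are not digits
    if base not in LINEAR_BASES and len(body) > limit:
        raise ValueError(f"integer string has {len(body)} digits; limit is {limit}")
    return int(s, base)


if __name__ == "__main__":
    enable_interpreter_limit()
    print(parse_untrusted_int("1_000_000"))
    try:
        parse_untrusted_int("9" * 1_000_000)   # rejected without parsing
    except ValueError as exc:
        print("rejected:", exc)
```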

CVE-2020-29651

    A denial of service via regular expression in the py.path.svnwc
    component of py (aka python-py) through 1.9.0 could be used by
    attackers to cause a compute-time denial of service attack by
    supplying malicious input to the blame functionality.
    python-py is a part of the pypy3 distribution.

CVE-2021-3737

    A flaw was found in Python. An improperly handled HTTP response in the
    HTTP client code of Python may allow a remote attacker, who controls
    the HTTP server, to make the client script enter an infinite loop,
    consuming CPU time. The highest threat from this vulnerability is
    to system availability.

CVE-2021-28861

    Python has an open redirection vulnerability in lib/http/server.py
    due to no protection against multiple (/) at the beginning of a URI
    path, which may lead to information disclosure.
    NOTE: this is disputed by a third party because the http.server.html
    documentation page states "Warning: http.server is not recommended
    for production. It only implements basic security checks."

CVE-2022-0391

    A flaw was found in Python within the urllib.parse module. This
    module helps break Uniform Resource Locator (URL) strings into
    components. The issue involves how the urlparse method does not
    sanitize input and allows characters like '\r' and '\n' in the URL
    path. This flaw allows an attacker to input a crafted URL, leading
    to injection attacks.
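The two URL-handling issues above (CVE-2021-28861 and CVE-2022-0391) have a common defensive shape: validate the request path before it is parsed or echoed back. The following is an added example, not code from the advisory or from Python's standard library, that rejects control characters before calling `urlsplit()` and refuses to build a redirect target that browsers would read as pointing at another host. `safe_urlsplit` and `safe_local_redirect` are names chosen here.

```python
from urllib.parse import urlsplit

# Characters the CVE-2022-0391 fix strips from URLs before parsing.
# Untrusted input is rejected here rather than silently rewritten.
_STRIPPED = {"\r", "\n", "\t"}


def safe_urlsplit(url):
    """urlsplit() that refuses URLs containing CR, LF, TAB or other C0 controls.

    Without this, a path such as "/x\r\nSet-Cookie: ..." survives parsing and,
    if echoed into a response header, becomes a header injection.
    """
    if any(ch in _STRIPPED or ord(ch) < 0x20 or ch == "\x7f" for ch in url):
        raise ValueError("control character in URL")
    return urlsplit(url)


def safe_local_redirect(path):
    """Build a same-origin redirect target from a request path.

    CVE-2021-28861 is the case where a request for "//other.example/" is
    echoed into Location as "//other.example//", which browsers treat as a
    network-path reference (a different host). A local redirect must have
    no scheme, no authority, no backslashes (browsers fold "\\" into "/")
    and exactly one leading slash.
    """
    parts = safe_urlsplit(path)
    if parts.scheme or parts.netloc:
        raise ValueError("absolute or network-path reference is not local")
    if "\\" in parts.path:
        raise ValueError("backslash in path")
    target = "/" + parts.path.lstrip("/")   # collapse any run of leading slashes
    if not target.endswith("/"):
        target += "/"
    if parts.query:
        target += "?" + parts.query
    return target
```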

CVE-2022-45061

    An unnecessary quadratic algorithm exists in one path when processing
    some inputs to the IDNA (RFC 3490) decoder, such that a crafted,
    unreasonably long name being presented to the decoder could lead to a
    CPU denial of service. Hostnames are often supplied by remote servers
    that could be controlled by a malicious actor; in such a scenario,
    they could trigger excessive CPU consumption on the client attempting
    to make use of an attacker-supplied supposed hostname. For example,
    the attack payload could be placed in the Location header of an HTTP
    response with status code 302.

CVE-2023-27043

    The email module of Python incorrectly parses e-mail addresses that
    contain a special character. The wrong portion of an RFC2822 header
    is identified as the value of the addr-spec. In some applications,
    an attacker can bypass a protection mechanism in which application
    access is granted only after verifying receipt of e-mail to a
    specific domain (e.g., only @company.example.com addresses may
    be used for signup). This occurs in email/_parseaddr.py.
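The signup scenario described above depends on the application trusting whatever addr-spec `parseaddr()` returns. The following is an added example, not code from the advisory or from Python's `email` package, showing a check that only accepts an input when a single well-formed address accounts for the entire string, so a second address hidden in the display-name portion cannot pass; `strict_parseaddr` and `allowed_signup` are names chosen here, and the grammar is deliberately narrower than RFC 2822.

```python
import re
from email.utils import parseaddr

# Conservative addr-spec grammar: dot-atom local part and a dotted hostname.
# Quoted local parts and IP-literal domains are deliberately not accepted.
_ATOM = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
_LOCAL = re.compile(_ATOM + r"(?:\." + _ATOM + r")*")
_DOMAIN = re.compile(r"(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}")


def strict_parseaddr(text):
    """Return the normalised addr-spec, or None unless the whole input is
    either a bare addr-spec or 'display name <addr-spec>' and nothing else.

    parseaddr() on its own may return a plausible address taken from the
    wrong part of the header (CVE-2023-27043); requiring that the address
    accounts for the entire input closes that gap on any interpreter.
    """
    raw = text.strip()
    _name, addr = parseaddr(raw)
    if addr.count("@") != 1:
        return None
    local, domain = addr.split("@")
    if not (_LOCAL.fullmatch(local) and _DOMAIN.fullmatch(domain)):
        return None
    # The display name may not contain '@', '<', '>' or '"': those are the
    # characters that let a second address hide inside the name.
    wrapped = re.compile(r'[^"<>@]*<' + re.escape(addr) + r'>')
    if raw != addr and not wrapped.fullmatch(raw):
        return None
    return local + "@" + domain.lower()


def allowed_signup(text, required_domain):
    """True only if text is one well-formed address under required_domain."""
    addr = strict_parseaddr(text)
    return addr is not None and addr.rsplit("@", 1)[1] == required_domain.lower()
```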

CVE-2024-9287

    A vulnerability has been found in the `venv` module and CLI where
    path names provided when creating a virtual environment were not
    quoted properly, allowing the creator to inject commands into virtual
    environment "activation" scripts (i.e. "source venv/bin/activate"). This
    means that attacker-controlled virtual environments are able to
    run commands when the virtual environment is activated. Virtual
    environments which are not created by an attacker or which aren't
    activated before being used (i.e. "./venv/bin/python") are not
    affected.

For Debian 11 bullseye, these problems have been fixed in version
7.3.5+dfsg-2+deb11u4.

We recommend that you upgrade your pypy3 packages.

For the detailed security status of pypy3 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/pypy3

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
