USN-5199-1: Python vulnerabilities

Packages

python3.6 - An interactive high-level object-oriented language

Details

It was discovered that the urllib.request.AbstractBasicAuthHandler class
in Python contains regex with a quadratic worst-case time complexity.
Specially crafted traffic from a malicious HTTP server could cause a regular
expression denial of service (ReDoS) condition for a client.
(CVE-2021-3733)

It was discovered that the Python urllib http client could enter into an infinite
loop when incorrectly handling certain server responses (100 Continue response).
Specially crafted traffic from a malicious HTTP server could cause a denial of
service (DoS) condition for a client.
(CVE-2021-3737)

It was discovered that the urllib.request.AbstractBasicAuthHandler class
in Python contains regex with a quadratic worst-case time complexity.
Specially crafted traffic from a malicious HTTP server could cause a regular
expression denial of service (ReDoS) condition for a client.
(CVE-2021-3733)

It was discovered that the Python urllib http client could enter into an infinite
loop when incorrectly handling certain server responses (100 Continue response).
Specially crafted traffic from a malicious HTTP server could cause a denial of
service (DoS) condition for a client.
(CVE-2021-3737)

Update instructions

In general, a standard system update will make all the necessary changes.

Learn more about how to get the fixes.

Ubuntu Release	Package Version
18.04 bionic	libpython3.6-stdlib – 3.6.9-1~18.04ubuntu1.6
	python3.6 – 3.6.9-1~18.04ubuntu1.6
	python3.6-minimal – 3.6.9-1~18.04ubuntu1.6

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Get Ubuntu Pro

Packages

Details

Update instructions

Reduce your security exposure

References

Related notices