Debian Security Advisory
DLA-2808-1 python3.5 -- LTS security update
- Date Reported: 05 Nov 2021
- Affected Packages: python3.5
- Security database references:
  - In Mitre's CVE dictionary: CVE-2021-3733, CVE-2021-3737.
- More information:
Two vulnerabilities were found in src:python3.5, the Python 3.5 interpreter. They are as follows:
CVE-2021-3733: A regular expression used by the HTTP client's basic-auth handling has quadratic worst-case complexity (ReDoS) and can be driven to a denial of service when it parses crafted, invalid input. This issue is on the client side and requires a remote attacker to control the HTTP server.
CVE-2021-3737: The HTTP client can get stuck indefinitely reading lines with len(line) < 64k after receiving a 100 Continue HTTP response. This could turn the client into a bandwidth sink for anyone in control of the server.
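The second failure mode, as an added illustration that is not CPython's or Debian's code: a Python sketch of the pre-fix header-skipping loop next to a bounded version of the kind the upstream fix introduced, run against a constructed stream that never sends the terminating blank line. The function names, the fake stream and the 100-line bound (modelled on http.client's _MAXHEADERS) are this example's own assumptions.

```python
import io
from http.client import HTTPException

# Bound modelled on http.client's _MAXHEADERS (100); name local to this example.
MAXHEADERS = 100

def skip_headers_unbounded(fp):
    # Pre-fix shape: only a blank line (or EOF) ends the loop, so endless
    # short non-blank lines keep the client reading forever.
    count = 0
    while True:
        line = fp.readline(65537)  # http.client's _MAXLINE + 1
        count += 1
        if not line.strip():
            return count

def skip_headers_bounded(fp):
    # Hardened shape: same loop, but give up once more than MAXHEADERS lines
    # have been read, so a hostile server can only cost a bounded read.
    count = 0
    while True:
        line = fp.readline(65537)
        count += 1
        if count > MAXHEADERS:
            raise HTTPException("got more than %d headers" % MAXHEADERS)
        if line in (b"\r\n", b"\n", b""):
            return count

class EndlessHeaderStream:
    # Constructed stand-in for a server that never sends the blank line.
    def __init__(self):
        self.lines_served = 0

    def readline(self, limit=-1):
        self.lines_served += 1
        return b"X-Padding: a\r\n"

def demo():
    # Constructed benign 100-Continue block for both readers; the endless
    # stream is fed only to the bounded reader (the other would never return).
    benign = b"Server: example\r\nX-Note: ok\r\n\r\n"
    endless = EndlessHeaderStream()
    try:
        skip_headers_bounded(endless)
        gave_up = False
    except HTTPException:
        gave_up = True
    return (skip_headers_unbounded(io.BytesIO(benign)),
            skip_headers_bounded(io.BytesIO(benign)),
            gave_up, endless.lines_served)
```

demo() returns the line counts for the benign block (3 and 3), whether the bounded reader gave up on the endless stream (True), and how many lines it consumed before doing so (101).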
For Debian 9 stretch, these problems have been fixed in version 3.5.3-1+deb9u5.
We recommend that you upgrade your python3.5 packages.
For the detailed security status of python3.5 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/python3.5
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS