[SECURITY] [DLA 2808-1] python3.5 security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 2808-1] python3.5 security update
From: Utkarsh Gupta <utkarsh@debian.org>
Date: Fri, 5 Nov 2021 14:51:01 +0530
Message-id: <[🔎] CAPP0f96LeaVEEW3WUd20O6YP9-6h82z+_T90A19mGP669A7=bQ@mail.gmail.com>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -----------------------------------------------------------------------
Debian LTS Advisory DLA-2808-1              debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Utkarsh Gupta
November 05, 2021                           https://wiki.debian.org/LTS
- -----------------------------------------------------------------------

Package        : python3.5
Version        : 3.5.3-1+deb9u5
CVE ID         : CVE-2021-3733 CVE-2021-3737

There were a couple of vulnerabilites found in src:python3.5, the
Python interpreter v3.5, and are as follows:

CVE-2021-3733

    The ReDoS-vulnerable regex has quadratic worst-case complexity
    and it allows cause a denial of service when identifying
    crafted invalid RFCs. This ReDoS issue is on the client side
    and needs remote attackers to control the HTTP server.

CVE-2021-3737

    HTTP client can get stuck infinitely reading len(line) < 64k
    lines after receiving a '100 Continue' HTTP response. This
    could lead to the client being a bandwidth sink for anyone
    in control of a server.

For Debian 9 stretch, these problems have been fixed in version
3.5.3-1+deb9u5.

We recommend that you upgrade your python3.5 packages.

For the detailed security status of python3.5 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python3.5

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEbJ0QSEqa5Mw4X3xxgj6WdgbDS5YFAmGE91YACgkQgj6WdgbD
S5ZsnxAAoEFosIPsuX+nap3OWWWS4mFqwPlB4/yyykzezeJQgsBl0qJonYkfzcQ6
8W801G2Ouh4fyuT07xUEey+T8ZP4vFV3KidlsKAnmXXZfu+875+JSSvOcRsU8f+S
kf5/DlI7GNtNyuY8zN2IKb8oy2abkhl5TkLptun3m+krnc7SWPM/zF5qSjIXQS3b
3a3mSshFGZgP+IOXOr1FJGdo9FkuuZEaDeuOlyiOJ+Q1zzlb5raKeuNZuQNpWF8K
RM9t2tWHffojB2aK2tDHFhOfH/sfj5tOAYR1iWSBuHPpzGWRSwECRsAYI0ZIQz2q
18ufdZDCEOqnpCIg4eGUNbCTa7A9Blm5N0NOL9yeec86WkqDgVgznd65H+HVu4Uk
TTapvPsA537V/yPdiOy74KIQo1E4RlP3so5FI2RJY0kY5JR7QwJP3X5isI4X96DP
r6xOmTRmWowphSR9MxE6lYM9XNXaIGg8LlZ9J5G8MFeDu5EkEchdzM6I4oxCHrhE
NDX6NL6jRljeecgpPDi0eJ09dIhIWbS/MmK0TAWGqBclgz++FCdZ0yuE2+kxgThV
J7BpR9Sk2Irx0W0wIpvQAD1sUH0CPsmpsri6K4Q4HGMPpMiAMF+WDXJ+JwAxX/b2
uGJkbJKdXVBvdmFrrPs2VLmQVuJVwS6y2zAlLZXFMbFg8kNgWuk=
=uvu/
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 2809-1] udisks2 security update
Next by Date: [SECURITY] [DLA 2810-1] redis security update
Previous by thread: [SECURITY] [DLA 2809-1] udisks2 security update
Next by thread: [SECURITY] [DLA 2810-1] redis security update
Index(es):
- Date
- Thread