First published: Fri Dec 17 2021

It was discovered that the urllib.request.AbstractBasicAuthHandler class in Python contains a regular expression with quadratic worst-case time complexity. Specially crafted traffic from a malicious HTTP server could cause a regular expression denial of service (ReDoS) condition for a client. (CVE-2021-3733)

It was discovered that the Python urllib HTTP client could enter an infinite loop when incorrectly handling certain server responses (100 Continue responses). Specially crafted traffic from a malicious HTTP server could cause a denial of service (DoS) condition for a client. (CVE-2021-3737)
Affected Software | Affected Version | How to fix |
---|---|---|
ubuntu/libpython3.6-stdlib (all of: package version below, Ubuntu =18.04) | <3.6.9-1~18.04ubuntu1.6 | 3.6.9-1~18.04ubuntu1.6 |
ubuntu/python3.6 (all of: package version below, Ubuntu =18.04) | <3.6.9-1~18.04ubuntu1.6 | 3.6.9-1~18.04ubuntu1.6 |
ubuntu/python3.6-minimal (all of: package version below, Ubuntu =18.04) | <3.6.9-1~18.04ubuntu1.6 | 3.6.9-1~18.04ubuntu1.6 |
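The table gives the fixed package versions, but deciding whether an installed version is below `3.6.9-1~18.04ubuntu1.6` requires Debian version ordering (the `~` in the revision sorts before everything, including an empty string, so a plain string compare gets it wrong). The following script is an added example, not SecAlerts, Ubuntu or CPython code: it re-implements dpkg's version comparison algorithm in pure Python, takes the package names and fixed versions from the table above, and reports which installed packages are still affected. `installed_version` shells out to `dpkg-query`, so that part only works on a Debian/Ubuntu host; everything else runs anywhere. The `report` function accepts a pre-collected `{package: version}` mapping so the check can also be run against inventory data exported from other systems.

```python
"""Check Ubuntu 18.04 python3.6 packages against the fixed version from
this notice (CVE-2021-3733 / CVE-2021-3737).

Added example, not SecAlerts/Ubuntu/CPython code. The Debian version
comparison below re-implements dpkg's algorithm: epoch, then upstream
version, then Debian revision; '~' sorts before everything else.
"""
import subprocess

# Package names and fixed versions copied from the advisory table.
FIXED_VERSIONS = {
    "libpython3.6-stdlib": "3.6.9-1~18.04ubuntu1.6",
    "python3.6": "3.6.9-1~18.04ubuntu1.6",
    "python3.6-minimal": "3.6.9-1~18.04ubuntu1.6",
}


def _order(c):
    """Sort weight of one non-digit character, mirroring dpkg's order():
    '~' < end-of-string (0) < letters < other punctuation."""
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two version fragments (upstream or revision part) the dpkg way:
    alternate non-digit runs (by _order) and numeric runs (by value)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character by character using _order.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Numeric run: strip leading zeros, remember the first differing digit,
        # and let the longer run win (more digits == larger number).
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def dpkg_version_cmp(v1, v2):
    """Return -1, 0 or 1 like `dpkg --compare-versions` would order v1 vs v2."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, rev = rest.rpartition("-")
        if not sep:
            upstream, rev = rest, ""
        return int(epoch), upstream, rev

    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    c = _verrevcmp(u1, u2) or _verrevcmp(r1, r2)
    return -1 if c < 0 else (1 if c > 0 else 0)


def is_affected(package, installed):
    """True if `installed` is strictly below the fixed version for `package`."""
    return dpkg_version_cmp(installed, FIXED_VERSIONS[package]) < 0


def installed_version(package):
    """Installed version via dpkg-query, or None if absent (Debian/Ubuntu only)."""
    try:
        out = subprocess.run(["dpkg-query", "-W", "-f=${Version}", package],
                             capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip() or None


def report(versions=None):
    """Map each listed package to (installed_version, affected). `versions`
    may supply a pre-collected {package: version} mapping instead of dpkg."""
    results = {}
    for pkg in FIXED_VERSIONS:
        installed = versions.get(pkg) if versions is not None else installed_version(pkg)
        results[pkg] = (installed, installed is not None and is_affected(pkg, installed))
    return results


if __name__ == "__main__":
    for pkg, (installed, affected) in report().items():
        if installed is None:
            state = "not installed"
        elif affected:
            state = "AFFECTED, upgrade to " + FIXED_VERSIONS[pkg]
        else:
            state = "fixed"
        print(f"{pkg}: {installed or '-'} -> {state}")
```

The comparator is the part worth keeping: `3.6.9-1` (no `~`) sorts above `3.6.9-1~18.04ubuntu1.6`, and `...ubuntu1.10` sorts above `...ubuntu1.6`, both of which a lexical string compare gets wrong and which would produce false "still vulnerable" or false "fixed" results in a fleet scan.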
The vulnerability ID for this Python vulnerability is CVE-2021-3733.
CVE-2021-3733 could cause a regular expression denial of service (ReDoS) condition for a client.
Python versions 3.6.9-1~18.04ubuntu1.6 and earlier are affected by CVE-2021-3733.
To fix CVE-2021-3733, update to Python version 3.6.9-1~18.04ubuntu1.6 or later.
You can find more information about Python vulnerabilities in Ubuntu Security Notice USN-5199-1 and the associated CVE links.