FreeBSD : Python -- multiple vulnerabilities (bffa40db-ad50-11eb-86b8-080027846a02)

high Nessus Plugin ID 149267

Synopsis

The remote FreeBSD host is missing one or more security-related updates.

Description

Python reports:

bpo-43434: Creating a sqlite3.Connection object now also produces a sqlite3.connect auditing event. Previously this event was only produced by sqlite3.connect() calls. Patch by Erlend E. Aasland.

bpo-43882: The presence of newline or tab characters in parts of a URL could allow some forms of attacks. Following the controlling specification for URLs defined by WHATWG, urllib.parse() now removes ASCII newlines and tabs from URLs, preventing such attacks.

bpo-43472: Ensures interpreter-level audit hooks receive the cpython.PyInterpreterState_New event when called through the _xxsubinterpreters module.

bpo-36384: ipaddress module no longer accepts any leading zeros in IPv4 address strings. Leading zeros are ambiguous and interpreted as octal notation by some libraries. For example the legacy function socket.inet_aton() treats leading zeros as octal notation. The glibc implementation of modern inet_pton() does not accept any leading zeros. For a while the ipaddress module used to accept ambiguous leading zeros.

bpo-43075: Fix Regular Expression Denial of Service (ReDoS) vulnerability in urllib.request.AbstractBasicAuthHandler. The ReDoS-vulnerable regex has quadratic worst-case complexity and it allows causing a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client side and needs remote attackers to control the HTTP server.

bpo-42800: Audit hooks are now fired for frame.f_code, traceback.tb_frame, and generator code/frame attribute access.
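The plugin only compares package versions. Where a host runs a Python that was built outside pkg(8), or where you want to confirm that a rebuilt package really carries the fixes, it is more useful to probe the interpreter itself. The script below is an added example for this page, not code from the Nessus plugin, from FreeBSD or from CPython: it feeds constructed inputs to the running interpreter and reports whether it shows the behaviour the bpo-43882, bpo-36384, bpo-43434 and bpo-42800 entries describe. The ReDoS fix (bpo-43075) is deliberately not probed, because the only reliable check is timing-based and would stall an unpatched interpreter; the probe URL, the address strings and the audit-event names are the only assumptions, and the event names are the documented ones (`sqlite3.connect`, `object.__getattr__`).

```python
"""Probe the running CPython for the fixed behaviours listed in the advisory.

Added example for this page; it is not code from the Nessus plugin, from
FreeBSD or from CPython.  Every input below is constructed for the probe.
"""
import ipaddress
import socket
import sqlite3
import sys
import urllib.parse

MODERN_INTERPRETER = sys.version_info >= (3, 10)  # 3.10+ ships every fix

# bpo-43882: a newline and a tab inside the host and path of a constructed URL.
PROBE_URL = "https://exa\nmple.test\t/login?next=/\r\nadmin"

_AUDIT_EVENTS = []


def _record(event, args):
    # Audit hooks cannot be removed once installed, so keep the hook cheap
    # and only keep the two events the probes below look for.
    if event in ("sqlite3.connect", "object.__getattr__"):
        _AUDIT_EVENTS.append((event, args))


sys.addaudithook(_record)


def urllib_strips_newlines_and_tabs(url=PROBE_URL):
    """True when urlsplit() drops every ASCII CR, LF and TAB (bpo-43882).

    On an unpatched parser the netloc still contains the newline, so a host
    allow-list checked on the parsed result and the bytes later put on the
    wire can disagree.
    """
    parts = urllib.parse.urlsplit(url)
    return not any(ch in "".join(parts) for ch in "\r\n\t")


def ipaddress_rejects_leading_zeros(text="010.0.0.1"):
    """True when IPv4Address() refuses an octet with a leading zero (bpo-36384)."""
    try:
        ipaddress.IPv4Address(text)
    except ValueError:  # AddressValueError is a ValueError subclass
        return True
    return False


def legacy_inet_aton_reading(text="010.0.0.1"):
    """Dotted quad that the libc inet_aton() produces for the same string.

    Leading zeros are octal there, so "010.0.0.1" becomes 8.0.0.1: this is
    the ambiguity the ipaddress change closes.
    """
    return socket.inet_ntoa(socket.inet_aton(text))


def connection_constructor_is_audited():
    """True when sqlite3.Connection(...) itself fires sqlite3.connect (bpo-43434)."""
    _AUDIT_EVENTS.clear()
    conn = sqlite3.Connection(":memory:")  # bypasses sqlite3.connect()
    conn.close()
    return any(ev == "sqlite3.connect" and args[0] == ":memory:"
               for ev, args in _AUDIT_EVENTS)


def frame_code_access_is_audited():
    """True when reading frame.f_code fires object.__getattr__ (bpo-42800)."""
    frame = sys._getframe()
    _AUDIT_EVENTS.clear()
    _ = frame.f_code
    return any(ev == "object.__getattr__" and args[0] is frame and args[1] == "f_code"
               for ev, args in _AUDIT_EVENTS)


def report():
    """Map each probed fix to whether this interpreter shows it."""
    return {
        "bpo-43882 urllib strips CR/LF/TAB": urllib_strips_newlines_and_tabs(),
        "bpo-36384 ipaddress rejects leading zeros": ipaddress_rejects_leading_zeros(),
        "bpo-43434 Connection() constructor audited": connection_constructor_is_audited(),
        "bpo-42800 frame.f_code access audited": frame_code_access_is_audited(),
    }


if __name__ == "__main__":
    print(sys.version)
    for name, ok in report().items():
        print(("PATCHED " if ok else "MISSING ") + name)
    print("inet_aton reads 010.0.0.1 as", legacy_inet_aton_reading())
```

Run it with the interpreter under test (`/usr/local/bin/python3.8` or `python3.9` on the FreeBSD host); every line should read PATCHED once the updated package is installed. The `inet_aton` line is there to show the disagreement the bpo-36384 change removes: the same string that the patched `ipaddress` module rejects is silently read as 8.0.0.1 by the legacy libc routine.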

Solution

Update the affected packages.

See Also

https://docs.python.org/3/whatsnew/changelog.html#changelog

https://docs.python.org/3.8/whatsnew/changelog.html#changelog

http://www.nessus.org/u?29d586ef

Plugin Details

Severity: High

ID: 149267

File Name: freebsd_pkg_bffa40dbad5011eb86b8080027846a02.nasl

Version: 1.2

Type: local

Published: 5/5/2021

Updated: 2/3/2022

Supported Sensors: Nessus

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:python38, p-cpe:/a:freebsd:freebsd:python39, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 5/5/2021

Vulnerability Publication Date: 3/8/2021