USN-5767-1: Python vulnerabilities

Releases

• Ubuntu 22.10
• Ubuntu 22.04 LTS
• Ubuntu 20.04 LTS
• Ubuntu 18.04 ESM

Packages

• python2.7 - An interactive high-level object-oriented language
• python3.10 - An interactive high-level object-oriented language
• python3.6 - An interactive high-level object-oriented language
• python3.8 - An interactive high-level object-oriented language

Details

Nicky Mouha discovered that Python incorrectly handled certain SHA-3 internals.
An attacker could possibly use this issue to cause a crash or execute arbitrary code.
(CVE-2022-37454)

It was discovered that Python incorrectly handled certain IDNA inputs.
An attacker could possibly use this issue to expose sensitive information
denial of service, or cause a crash.
(CVE-2022-45061)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 22.10

• python3.10 - 3.10.7-1ubuntu0.2
• libpython3.10 - 3.10.7-1ubuntu0.2

Ubuntu 22.04

• python3.10 - 3.10.6-1~22.04.2
• libpython3.10 - 3.10.6-1~22.04.2

Ubuntu 20.04

• libpython3.8 - 3.8.10-0ubuntu1~20.04.6
• python3.8 - 3.8.10-0ubuntu1~20.04.6

Ubuntu 18.04

• libpython2.7 - 2.7.17-1~18.04ubuntu1.10
• python2.7 - 2.7.17-1~18.04ubuntu1.10
• python3.6 - 3.6.9-1~18.04ubuntu1.9
• libpython3.6 - 3.6.9-1~18.04ubuntu1.9

In general, a standard system update will make all the necessary changes.

References

• CVE-2022-45061
• CVE-2022-37454

Related notices

• USN-5767-2
• USN-5888-1
• USN-6891-1
• USN-5717-1
• USN-5767-3
• USN-5930-1
• USN-5931-1
• USN-6524-1
• USN-6525-1