USN-6513-1: Python vulnerabilities

Releases

• Ubuntu 18.04 ESM
• Ubuntu 16.04 ESM
• Ubuntu 14.04 ESM

Packages

• python2.7 - An interactive high-level object-oriented language
• python3.5 - An interactive high-level object-oriented language
• python3.6 - An interactive high-level object-oriented language

Details

It was discovered that Python incorrectly handled certain plist files.
If a user or an automated system were tricked into processing a specially
crafted plist file, an attacker could possibly use this issue to consume
resources, resulting in a denial of service. (CVE-2022-48564)

It was discovered that Python instances of ssl.SSLSocket were vulnerable
to a bypass of the TLS handshake. An attacker could possibly use this
issue to cause applications to treat unauthenticated received data before
TLS handshake as authenticated data after TLS handshake. (CVE-2023-40217)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.04

• python2.7 - 2.7.17-1~18.04ubuntu1.13+esm4
  Available with Ubuntu Pro
• python3.6 - 3.6.9-1~18.04ubuntu1.13+esm1
  Available with Ubuntu Pro

Ubuntu 16.04

• python2.7 - 2.7.12-1ubuntu0~16.04.18+esm9
  Available with Ubuntu Pro
• python3.5 - 3.5.2-2ubuntu0~16.04.13+esm12
  Available with Ubuntu Pro

Ubuntu 14.04

• python2.7 - 2.7.6-8ubuntu0.6+esm18
  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References

• CVE-2023-40217
• CVE-2022-48564

Related notices

• USN-6513-2
• USN-6891-1