This repository has been archived by the owner on Oct 10, 2023. It is now read-only.

0.346.0

@cf-buildpacks-eng cf-buildpacks-eng released this 08 Dec 19:27
· 23 commits to main since this release

Notably, this release addresses:

USN-5767-1: Python vulnerabilities:

  • CVE-2022-37454: The Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant buffer overflow that allows attackers to execute arbitrary code or eliminate expected cryptographic properties. This occurs in the sponge function interface.
  • CVE-2022-45061: An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a malicious actor; in such a scenario, they could trigger excessive CPU consumption on the client attempting to make use of an attacker-supplied supposed hostname. For example, the attack payload could be placed in the Location header of an HTTP response with status code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16.
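The CVE-2022-45061 entry above describes a decoder that becomes quadratic on unreasonably long names, with the Location header of a 302 response as the typical source of an attacker-chosen hostname. The patched Python packages in this release are the actual fix; the snippet below is an added example, not code from this release or its buildpack project, of the cheap application-side check a client can apply in front of the decoder: it rejects any name that breaks the DNS length limits (63 octets per label, 253 per name, assumed from RFC 1035) before `bytes.decode("idna")` is ever called, so the decoder only ever sees input of bounded size. The Location values in the `__main__` block are constructed samples.

```python
from typing import Optional
from urllib.parse import urlsplit

# DNS length limits (RFC 1035, section 2.3.4): a label is at most 63 octets
# and a complete name at most 253 octets once any trailing dot is removed.
MAX_LABEL_OCTETS = 63
MAX_NAME_OCTETS = 253


class HostnameTooLong(ValueError):
    """The name exceeds DNS limits, so it is rejected before IDNA decoding."""


def dns_length_violation(raw: bytes) -> Optional[str]:
    """Return a reason if `raw` breaks the DNS length limits, else None.

    Only lengths are inspected; nothing is decoded here, so the cost is
    linear in the input regardless of its content.
    """
    name = raw[:-1] if raw.endswith(b".") else raw
    if len(name) > MAX_NAME_OCTETS:
        return f"name is {len(name)} octets, limit is {MAX_NAME_OCTETS}"
    for label in name.split(b"."):
        if len(label) > MAX_LABEL_OCTETS:
            return f"label is {len(label)} octets, limit is {MAX_LABEL_OCTETS}"
    return None


def bounded_idna_decode(raw: bytes) -> str:
    """Decode an A-label hostname (xn--...) from an untrusted source, but
    only after the length check has passed."""
    reason = dns_length_violation(raw)
    if reason is not None:
        raise HostnameTooLong(reason)
    return raw.decode("idna")


def redirect_target_host(location: str) -> str:
    """Pull the host out of a Location header value and decode it under the
    same limits. A header value is expected to be ASCII; anything else fails
    the encode() below instead of reaching the decoder."""
    host = urlsplit(location).hostname
    if host is None:
        raise ValueError("Location header value carries no host")
    return bounded_idna_decode(host.encode("ascii"))


if __name__ == "__main__":
    # Constructed sample Location values, not taken from any real server.
    samples = [
        "http://xn--mnchen-3ya.example/login",         # valid A-label host
        "http://xn--" + "a" * 400 + ".example/",       # over-long label
    ]
    for location in samples:
        try:
            print("redirect host:", redirect_target_host(location))
        except HostnameTooLong as exc:
            print("rejected redirect:", exc)
```

The check is deliberately placed before decoding rather than after: a name that cannot exist in DNS gains nothing from being decoded, and rejecting it on length alone keeps the work a remote server can force on the client bounded by the limits above.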
-ii  libpython2.7-minimal:amd64 2.7.17-1~18.04ubuntu1.8  amd64  Minimal subset of the Python language (version 2.7)
-ii  libpython2.7-stdlib:amd64  2.7.17-1~18.04ubuntu1.8  amd64  Interactive high-level object-oriented language (standard library, version 2.7)
+ii  libpython2.7-minimal:amd64 2.7.17-1~18.04ubuntu1.10 amd64  Minimal subset of the Python language (version 2.7)
+ii  libpython2.7-stdlib:amd64  2.7.17-1~18.04ubuntu1.10 amd64  Interactive high-level object-oriented language (standard library, version 2.7)
-ii  libpython3.6:amd64         3.6.9-1~18.04ubuntu1.8   amd64  Shared Python runtime library (version 3.6)
-ii  libpython3.6-minimal:amd64 3.6.9-1~18.04ubuntu1.8   amd64  Minimal subset of the Python language (version 3.6)
-ii  libpython3.6-stdlib:amd64  3.6.9-1~18.04ubuntu1.8   amd64  Interactive high-level object-oriented language (standard library, version 3.6)
+ii  libpython3.6:amd64         3.6.9-1~18.04ubuntu1.9   amd64  Shared Python runtime library (version 3.6)
+ii  libpython3.6-minimal:amd64 3.6.9-1~18.04ubuntu1.9   amd64  Minimal subset of the Python language (version 3.6)
+ii  libpython3.6-stdlib:amd64  3.6.9-1~18.04ubuntu1.9   amd64  Interactive high-level object-oriented language (standard library, version 3.6)
-ii  python2.7                  2.7.17-1~18.04ubuntu1.8  amd64  Interactive high-level object-oriented language (version 2.7)
-ii  python2.7-minimal          2.7.17-1~18.04ubuntu1.8  amd64  Minimal subset of the Python language (version 2.7)
+ii  python2.7                  2.7.17-1~18.04ubuntu1.10 amd64  Interactive high-level object-oriented language (version 2.7)
+ii  python2.7-minimal          2.7.17-1~18.04ubuntu1.10 amd64  Minimal subset of the Python language (version 2.7)
-ii  python3.6                  3.6.9-1~18.04ubuntu1.8   amd64  Interactive high-level object-oriented language (version 3.6)
-ii  python3.6-minimal          3.6.9-1~18.04ubuntu1.8   amd64  Minimal subset of the Python language (version 3.6)
+ii  python3.6                  3.6.9-1~18.04ubuntu1.9   amd64  Interactive high-level object-oriented language (version 3.6)
+ii  python3.6-minimal          3.6.9-1~18.04ubuntu1.9   amd64  Minimal subset of the Python language (version 3.6)
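Review bot: the versions the CVE-2022-45061 text names as carrying the fix (3.11.1, 3.10.9, 3.9.16, 3.8.16 and 3.7.16) do not include the 2.7.17 and 3.6.9 builds that this listing updates (2.7.17-1~18.04ubuntu1.10 and 3.6.9-1~18.04ubuntu1.9); a sentence stating that these packages receive the fix through the Ubuntu backport in USN-5767-1 rather than an upstream release would stop readers from concluding the stack is still unpatched.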