This repository has been archived by the owner on Oct 10, 2023. It is now read-only.
0.346.0
cf-buildpacks-eng released this on 08 Dec 19:27 (23 commits to main since this release)
Notably, this release addresses:
USN-5767-1: Python vulnerabilities:
- CVE-2022-37454: The Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant buffer overflow that allows attackers to execute arbitrary code or eliminate expected cryptographic properties. This occurs in the sponge function interface.
- CVE-2022-45061: An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a malicious actor; in such a scenario, they could trigger excessive CPU consumption on the client attempting to make use of an attacker-supplied supposed hostname. For example, the attack payload could be placed in the Location header of an HTTP response with status code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16.
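The CVE-2022-45061 entry above describes the attack vector (an attacker-controlled hostname, for instance in a 302 Location header, fed to Python's IDNA decoder). The following is an added example, not code from the project whose release this is: it checks the running interpreter against the fixed versions quoted in the CVE text, and shows a caller-side guard that bounds hostname length (253 octets total, 63 per label, from RFC 1035) before the host is handed to the `idna` codec. The limits are an assumed conservative pre-check, not the upstream patch itself; a distro backport such as the Ubuntu packages in this release is not detected by the version check.

```python
"""Caller-side mitigation and version check for CVE-2022-45061.

Added example; not part of the buildpack or stack project. Assumes an HTTP
client that follows redirects and decodes the Location host with the IDNA
codec. Hostname limits are taken from RFC 1035 as a conservative pre-check.
"""
import sys
from urllib.parse import urlsplit

# Minimum patched upstream versions, as listed in the CVE-2022-45061 text.
FIXED_VERSIONS = {
    (3, 7): (3, 7, 16),
    (3, 8): (3, 8, 16),
    (3, 9): (3, 9, 16),
    (3, 10): (3, 10, 9),
    (3, 11): (3, 11, 1),
}

# RFC 1035 limits: 253 octets for a full name, 63 octets per label.
MAX_HOSTNAME = 253
MAX_LABEL = 63


def interpreter_is_patched(version=None):
    """Return True if (major, minor, micro) is at or past the upstream fix.

    Anything newer than 3.11 shipped with the fix. Branches older than 3.7
    are EOL upstream and reported as unpatched; a distro backport (as in the
    Ubuntu packages of this release) is not visible to this check.
    """
    ver = tuple(version) if version else tuple(sys.version_info[:3])
    branch = ver[:2]
    if branch > (3, 11):
        return True
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is None:
        return False
    return ver >= fixed


def hostname_is_sane(host):
    """Reject names no DNS resolver could use, before the IDNA decoder runs.

    This caps the input size the decoder can be made to process, so an
    unreasonably long name from a redirect never reaches the slow path.
    """
    if not host or len(host) > MAX_HOSTNAME:
        return False
    labels = host.rstrip(".").split(".")
    return all(0 < len(label) <= MAX_LABEL for label in labels)


def safe_redirect_host(location):
    """Return the validated, IDNA-decoded host of a Location header value.

    Returns None when the redirect has no host (relative URL) or when the
    host fails the length checks and should not be followed.
    """
    host = urlsplit(location).hostname  # already lower-cased by urlsplit
    if host is None or not hostname_is_sane(host):
        return None
    if host.isascii():
        # Only now hand the bounded input to the codec (A-label -> U-label).
        return host.encode("ascii").decode("idna")
    return host  # already a Unicode host; nothing to decode


if __name__ == "__main__":
    print("interpreter patched upstream:", interpreter_is_patched())
    # Constructed inputs: a normal redirect and an oversized hostname.
    print(safe_redirect_host("https://example.com/login"))
    print(safe_redirect_host("https://" + "x" * 5000 + ".example/"))
```

Run it on the stack's interpreter to see the version check report "unpatched" for 3.6.9 even though the Ubuntu backport is installed; that mismatch is why the package-level diff below, not the interpreter version, is the evidence that the fix is present.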
-ii libpython2.7-minimal:amd64 2.7.17-1~18.04ubuntu1.8 amd64 Minimal subset of the Python language (version 2.7)
-ii libpython2.7-stdlib:amd64 2.7.17-1~18.04ubuntu1.8 amd64 Interactive high-level object-oriented language (standard library, version 2.7)
+ii libpython2.7-minimal:amd64 2.7.17-1~18.04ubuntu1.10 amd64 Minimal subset of the Python language (version 2.7)
+ii libpython2.7-stdlib:amd64 2.7.17-1~18.04ubuntu1.10 amd64 Interactive high-level object-oriented language (standard library, version 2.7)
-ii libpython3.6:amd64 3.6.9-1~18.04ubuntu1.8 amd64 Shared Python runtime library (version 3.6)
-ii libpython3.6-minimal:amd64 3.6.9-1~18.04ubuntu1.8 amd64 Minimal subset of the Python language (version 3.6)
-ii libpython3.6-stdlib:amd64 3.6.9-1~18.04ubuntu1.8 amd64 Interactive high-level object-oriented language (standard library, version 3.6)
+ii libpython3.6:amd64 3.6.9-1~18.04ubuntu1.9 amd64 Shared Python runtime library (version 3.6)
+ii libpython3.6-minimal:amd64 3.6.9-1~18.04ubuntu1.9 amd64 Minimal subset of the Python language (version 3.6)
+ii libpython3.6-stdlib:amd64 3.6.9-1~18.04ubuntu1.9 amd64 Interactive high-level object-oriented language (standard library, version 3.6)
-ii python2.7 2.7.17-1~18.04ubuntu1.8 amd64 Interactive high-level object-oriented language (version 2.7)
-ii python2.7-minimal 2.7.17-1~18.04ubuntu1.8 amd64 Minimal subset of the Python language (version 2.7)
+ii python2.7 2.7.17-1~18.04ubuntu1.10 amd64 Interactive high-level object-oriented language (version 2.7)
+ii python2.7-minimal 2.7.17-1~18.04ubuntu1.10 amd64 Minimal subset of the Python language (version 2.7)
-ii python3.6 3.6.9-1~18.04ubuntu1.8 amd64 Interactive high-level object-oriented language (version 3.6)
-ii python3.6-minimal 3.6.9-1~18.04ubuntu1.8 amd64 Minimal subset of the Python language (version 3.6)
+ii python3.6 3.6.9-1~18.04ubuntu1.9 amd64 Interactive high-level object-oriented language (version 3.6)
+ii python3.6-minimal 3.6.9-1~18.04ubuntu1.9 amd64 Minimal subset of the Python language (version 3.6)
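Review bot: the fix versions quoted in the CVE-2022-45061 text (3.7.16, 3.8.16, 3.9.16, 3.10.9, 3.11.1) do not match the python3.6 3.6.9-1~18.04ubuntu1.9 and python2.7 2.7.17-1~18.04ubuntu1.10 packages shown in these lines, so the release note should state that the fix arrives as an Ubuntu security backport under USN-5767-1 rather than as an upstream version bump; scanners that match on the upstream version string 3.6.9 will otherwise keep flagging the stack. Also, python2.7 and libpython2.7-* move from ubuntu1.8 straight to ubuntu1.10, skipping ubuntu1.9, while the python3.6 packages move one revision (1.8 to 1.9); a link to the package changelogs would let readers confirm what the skipped revision contained.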