ALAS2-2019-1230 --- python
ID: oval:org.secpod.oval:def:1700186 | Date: (C)2019-07-02 (M)2023-12-20 | Class: PATCH | Family: unix
A null pointer dereference vulnerability was found in the certificate parsing code in Python. This causes a denial of service to applications when parsing specially crafted certificates. This vulnerability is unlikely to be triggered if the application enables SSL/TLS certificate validation and accepts certificates only from trusted root certificate authorities.

Python 2.7.16 is affected by: Improper Handling of Unicode Encoding during NFKC normalization. The impact is: Information disclosure. The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly.

A flaw was found in the way catastrophic backtracking was implemented in python's pop3lib's apop method. An attacker could use this flaw to cause denial of service.

Modules/_pickle.c in Python 2.7.16 has an integer overflow via a large LONG_BINPUT value that is mishandled during a "resize to twice the size" attempt. This issue might cause memory exhaustion, but is only relevant if the pickle format is used for serializing tens or hundreds of gigabytes of data.

A flaw was found in the way catastrophic backtracking was implemented in python's difflib.IS_LINE_JUNK method. An attacker could use this flaw to cause denial of service.