SB2020071499 - Resource exhaustion in python3 (Alpine package)
Published: July 14, 2020
Description
This security bulletin contains information about 1 security vulnerability.
1) Resource exhaustion (CVE-ID: CVE-2020-14422)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists because the application improperly computes hash values in the IPv4Interface and IPv6Interface classes in Lib/ipaddress.py in Python. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack if an application's performance depends on a dictionary containing IPv4Interface or IPv6Interface objects and the attacker can cause many dictionary entries to be created.
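As an added illustration (not code from this bulletin, from Python, or from the Alpine package), the script below reconstructs the pre-fix interface hash formula as I understand it from the upstream fix, shows why every host interface collapsed to one hash value, and offers a check for whether the running interpreter still behaves that way. The sample addresses and the function names are constructed for this example.

```python
import ipaddress


def legacy_interface_hash(addr):
    """Hash the affected ipaddress versions computed for IPv4Interface and
    IPv6Interface, reconstructed from the upstream fix (my reconstruction, not
    text from this bulletin): ip XOR prefix length XOR network address.
    For a host interface (/32 or /128) the network address equals the ip, so the
    XOR cancels and every such object hashes to the bare prefix length."""
    iface = ipaddress.ip_interface(addr)
    return int(iface.ip) ^ iface.network.prefixlen ^ int(iface.network.network_address)


def current_interface_hash(addr):
    """Hash the running interpreter's ipaddress module assigns to the interface."""
    return hash(ipaddress.ip_interface(addr))


def sample_interfaces(n, prefixlen=32):
    """Constructed sample: n distinct interfaces inside 10.0.0.0/16, one prefix."""
    return [f"10.0.{i >> 8}.{i & 255}/{prefixlen}" for i in range(n)]


def distinct_hashes(addresses, hash_fn=current_interface_hash):
    """Number of distinct hash values hash_fn yields for the given interfaces.
    A sound hash gives about len(addresses); a collapsed one gives far fewer,
    which is what lets attacker-chosen keys degrade dict insertion to O(n^2)."""
    return len({hash_fn(a) for a in addresses})


def running_python_is_affected(n=256):
    """True if this interpreter still collapses distinct interfaces into a
    handful of hash values, i.e. ipaddress.py lacks the CVE-2020-14422 fix."""
    return distinct_hashes(sample_interfaces(n)) < n // 2


if __name__ == "__main__":
    hosts = sample_interfaces(1024)
    print("legacy  /32:", distinct_hashes(hosts, legacy_interface_hash), "distinct of", len(hosts))
    print("legacy  /24:", distinct_hashes(sample_interfaces(1024, 24), legacy_interface_hash), "distinct")
    print("current /32:", distinct_hashes(hosts), "distinct")
    print("affected:", running_python_is_affected())
```

On a patched interpreter the current hash spreads the 1024 sample interfaces into 1024 values, while the legacy formula yields a single value for all /32 interfaces and at most 256 for /24.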
Remediation
Install the update from the vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=7772db5ac3e606fcb415309efabe1a425462cb60
- https://git.alpinelinux.org/aports/commit/?id=17f08ccad8155759775705c3ce0f8ef82a912877
- https://git.alpinelinux.org/aports/commit/?id=21a5b7dd0924932b20512155471ee45dada0abf4
- https://git.alpinelinux.org/aports/commit/?id=05546ebd50da460f3e53d4c8df34747c56e47459
- https://git.alpinelinux.org/aports/commit/?id=5fbbd588ac1a7f3a4d779fe13c37b9ab4d65e259