CVE-2022-40899: future

An issue discovered in Python Charmers Future 0.18.2 and earlier allows remote attackers to cause a denial of service via a crafted Set-Cookie header from a malicious web server.

Tags: CVE #web #dos #auth
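The first check a defender would run against the affected range stated above, added here as an example that is not taken from the page or from the python-future project: it scans `pip freeze` style output (a constructed sample) for a `future` pin at or below 0.18.2 and reports it as affected by CVE-2022-40899.

```python
import re

# Constructed sample of `pip freeze` output (not from the advisory); only the
# `future` pin matters for CVE-2022-40899, the other lines are context.
PIP_FREEZE_SAMPLE = """\
certifi==2022.12.7
future==0.18.2
requests==2.28.1
six==1.16.0
"""

# Highest affected release per the advisory text: 0.18.2 "and earlier".
LAST_AFFECTED = (0, 18, 2)

# Exact pins only: "name==version". Comments, blank lines, VCS and editable
# requirements deliberately do not match and are skipped.
_PIN_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9A-Za-z.]*)\s*$"
)


def parse_version(text):
    """Turn '0.18.2' into (0, 18, 2) so versions compare numerically.

    Trailing non-numeric segments (e.g. '.post1') are dropped, which keeps
    the comparison conservative: '0.18.2.post1' is still treated as 0.18.2.
    """
    parts = []
    for seg in text.split("."):
        m = re.match(r"\d+", seg)
        if not m:
            break
        parts.append(int(m.group()))
    while len(parts) < 3:  # pad so '0.18' compares as (0, 18, 0)
        parts.append(0)
    return tuple(parts)


def find_affected_pins(freeze_text):
    """Return [(name, version)] for every `future` pin at or below 0.18.2."""
    hits = []
    for line in freeze_text.splitlines():
        m = _PIN_RE.match(line)
        if not m:
            continue
        name, ver = m.group(1), m.group(2)
        if name.lower().replace("_", "-") != "future":  # pip names are case-insensitive
            continue
        if parse_version(ver) <= LAST_AFFECTED:
            hits.append((name, ver))
    return hits


if __name__ == "__main__":
    for name, ver in find_affected_pins(PIP_FREEZE_SAMPLE):
        print(f"{name}=={ver} is affected by CVE-2022-40899; move to a release later than 0.18.2")
```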

future is the missing compatibility layer between Python 2 and Python 3. It allows you to use a single, clean Python 3.x-compatible codebase to support both Python 2 and Python 3 with minimal overhead.

It is designed to be used as follows:

    from __future__ import (absolute_import, division,
                            print_function, unicode_literals)
    from builtins import (
             bytes, dict, int, list, object, range, str,
             ascii, chr, hex, input, next, oct, open,
             pow, round, super,
             filter, map, zip)

followed by predominantly standard, idiomatic Python 3 code that then runs similarly on Python 2.6/2.7 and Python 3.3+.

The imports have no effect on Python 3. On Python 2, they shadow the corresponding builtins, which normally have different semantics on Python 3 versus 2, to provide their Python 3 semantics.

Standard library reorganization

future supports the standard library reorganization (PEP 3108) through the following Py3 interfaces:

    >>> # Top-level packages with Py3 names provided on Py2:
    >>> import html.parser
    >>> import queue
    >>> import tkinter.dialog
    >>> import xmlrpc.client
    >>> # etc.

    >>> # Aliases provided for extensions to existing Py2 module names:
    >>> from future.standard_library import install_aliases
    >>> install_aliases()

    >>> from collections import Counter, OrderedDict   # backported to Py2.6
    >>> from collections import UserDict, UserList, UserString
    >>> import urllib.request
    >>> from itertools import filterfalse, zip_longest
    >>> from subprocess import getoutput, getstatusoutput

Automatic conversion

An included script called futurize aids in converting code (from either Python 2 or Python 3) to code compatible with both platforms. It is similar to python-modernize but goes further in providing Python 3 compatibility through the use of the backported types and builtin functions in future.

Documentation

See: http://python-future.org

Credits

Author:

Ed Schofield, Jordan M. Adler, et al.

Sponsor:

Python Charmers Pty Ltd, Australia, and Python Charmers Pte Ltd, Singapore. http://pythoncharmers.com

Others:

See docs/credits.rst or http://python-future.org/credits.html

Licensing

Copyright 2013-2019 Python Charmers Pty Ltd, Australia. The software is distributed under an MIT licence. See LICENSE.txt.

Related news

Red Hat Security Advisory 2023-2101-01

Red Hat Security Advisory 2023-2101-01 - Red Hat Update Infrastructure offers a highly scalable, highly redundant framework that enables you to manage repositories and content. It also enables cloud providers to deliver content and updates to Red Hat Enterprise Linux instances. Issues addressed include denial of service and remote shell upload vulnerabilities.

RHSA-2023:2101: Red Hat Security Advisory: RHUI 4.4.0 release - Security Fixes, Bug Fixes, and Enhancements Update

An updated version of Red Hat Update Infrastructure (RHUI) is now available. RHUI 4.4 fixes several security and operational bugs, and introduces multiple new features. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

* CVE-2022-40899: An issue discovered in Python Charmers Future 0.18.2 and earlier allows remote attackers to cause a denial of service via crafted Set-Cookie header from malicious web server.
* CVE-2023-23969: A flaw was found in python-django. The parsed values of the Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial of service vector via excessive memory usage if large header values are sent.
* CVE-2023-24580: A memory exhaustion flaw was found in the python-django package....

Ubuntu Security Notice USN-5833-1

Ubuntu Security Notice 5833-1 - Sebastian Chnelik discovered that python-future incorrectly handled certain HTTP header fields. An attacker could possibly use this issue to cause a denial of service.
