Security
Headlines
HeadlinesLatestCVEs

Headline

Ubuntu Security Notice USN-5821-3

Ubuntu Security Notice 5821-3 - USN-5821-1 fixed a vulnerability in wheel and pip. Unfortunately, it was missing a commit to fix it properly in pip. Sebastian Chnelik discovered that wheel incorrectly handled certain file names when validated against a regex expression. An attacker could possibly use this issue to cause a denial of service.

Packet Storm
#vulnerability#ubuntu#dos#perl

==========================================================================
Ubuntu Security Notice USN-5821-3
February 28, 2023

python-pip regression

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 22.10
  • Ubuntu 22.04 LTS
  • Ubuntu 20.04 LTS
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 ESM
  • Ubuntu 14.04 ESM

Summary:

USN-5821-1 caused a regression in pip.

Software Description:

  • python-pip: Python package installer

Details:

USN-5821-1 fixed a vulnerability in wheel and pip. Unfortunately,
it was missing a commit to fix it properly in pip.

We apologize for the inconvenience.

Original advisory details:

Sebastian Chnelik discovered that wheel incorrectly handled
certain file names when validated against a regex expression.
An attacker could possibly use this issue to cause a
denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.10:
python3-pip 22.2+dfsg-1ubuntu0.2
python3-pip-whl 22.2+dfsg-1ubuntu0.2

Ubuntu 22.04 LTS:
python3-pip 22.0.2+dfsg-1ubuntu0.2
python3-pip-whl 22.0.2+dfsg-1ubuntu0.2

Ubuntu 20.04 LTS:
python-pip-whl 20.0.2-5ubuntu1.8
python3-pip 20.0.2-5ubuntu1.8

Ubuntu 18.04 LTS:
python-pip 9.0.1-2.3~ubuntu1.18.04.7
python-pip-whl 9.0.1-2.3~ubuntu1.18.04.7
python3-pip 9.0.1-2.3~ubuntu1.18.04.7

Ubuntu 16.04 ESM:
python-pip 8.1.1-2ubuntu0.6+esm4
python-pip-whl 8.1.1-2ubuntu0.6+esm4
python3-pip 8.1.1-2ubuntu0.6+esm4

Ubuntu 14.04 ESM:
python-pip 1.5.4-1ubuntu4+esm3
python-pip-whl 1.5.4-1ubuntu4+esm3
python3-pip 1.5.4-1ubuntu4+esm3

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-5821-3
https://ubuntu.com/security/notices/USN-5821-1
CVE-2022-40898

Package Information:
https://launchpad.net/ubuntu/+source/python-pip/22.2+dfsg-1ubuntu0.2
https://launchpad.net/ubuntu/+source/python-pip/22.0.2+dfsg-1ubuntu0.2
https://launchpad.net/ubuntu/+source/python-pip/20.0.2-5ubuntu1.8
https://launchpad.net/ubuntu/+source/python-pip/9.0.1-2.3~ubuntu1.18.04.7

Related news

Ubuntu Security Notice USN-5821-1

Ubuntu Security Notice 5821-1 - Sebastian Chnelik discovered that wheel incorrectly handled certain file names when validated against a regex expression. An attacker could possibly use this issue to cause a denial of service.

GHSA-qwmp-2cf2-g9g6: pypa/wheel vulnerable to Regular Expression denial of service (ReDoS)

Python Packaging Authority (PyPA) Wheel is a reference implementation of the Python wheel packaging standard. Wheel 0.37.1 and earlier are vulnerable to a Regular Expression denial of service via attacker controlled input to the wheel cli. The vulnerable regex is used to verify the validity of Wheel file names. This has been patched in version 0.38.1.

CVE-2022-40898: wheel

An issue discovered in Python Packaging Authority (PyPA) Wheel 0.37.1 and earlier allows remote attackers to cause a denial of service via attacker controlled input to wheel cli.

Packet Storm: Latest News

ABB Cylon Aspect 3.08.01 vstatConfigurationDownload.php Configuration Download