Security
Headlines
HeadlinesLatestCVEs

Headline

Ubuntu Security Notice USN-6906-1

Ubuntu Security Notice 6906-1 - It was discovered that python-zipp did not properly handle the zip files with malformed names. An attacker could possibly use this issue to cause a denial of service.

Packet Storm
#vulnerability#ubuntu#dos#perl

==========================================================================
Ubuntu Security Notice USN-6906-1
July 24, 2024

python-zipp vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 24.04 LTS
  • Ubuntu 22.04 LTS
  • Ubuntu 20.04 LTS

Summary:

python-zipp could be made to crash if certain zip files are used.

Software Description:

  • python-zipp: pathlib-compatible Zipfile object wrapper - Python 3.x

Details:

It was discovered that python-zipp did not properly handle the zip files
with malformed names. An attacker could possibly use this issue to cause a
denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
python3-zipp 1.0.0-6ubuntu0.1

Ubuntu 22.04 LTS
python3-zipp 1.0.0-3ubuntu0.1

Ubuntu 20.04 LTS
pypy-zipp 1.0.0-1ubuntu0.1
python-zipp 1.0.0-1ubuntu0.1
python3-zipp 1.0.0-1ubuntu0.1

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6906-1
CVE-2024-5569

Package Information:
https://launchpad.net/ubuntu/+source/python-zipp/1.0.0-6ubuntu0.1
https://launchpad.net/ubuntu/+source/python-zipp/1.0.0-3ubuntu0.1
https://launchpad.net/ubuntu/+source/python-zipp/1.0.0-1ubuntu0.1

Related news

Red Hat Security Advisory 2024-8906-03

Red Hat Security Advisory 2024-8906-03 - A new release is now available for Red Hat Satellite 6.16 for RHEL 8 and 9. Issues addressed include bypass, denial of service, memory leak, remote SQL injection, and traversal vulnerabilities.

Red Hat Security Advisory 2024-8232-03

Red Hat Security Advisory 2024-8232-03 - Red Hat OpenShift Container Platform release 4.17.2 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2024-6428-03

Red Hat Security Advisory 2024-6428-03 - An update is now available for Red Hat Ansible Automation Platform 2.4. Issues addressed include denial of service, memory exhaustion, remote SQL injection, and traversal vulnerabilities.

GHSA-jfmj-5v4g-7637: zipp Denial of Service vulnerability

A Denial of Service (DoS) vulnerability exists in the jaraco/zipp library, affecting all versions prior to 3.19.1. The vulnerability is triggered when processing a specially crafted zip file that leads to an infinite loop. This issue also impacts the zipfile module of CPython, as features from the third-party zipp library are later merged into CPython, and the affected code is identical in both projects. The infinite loop can be initiated through the use of functions affecting the `Path` module in both zipp and zipfile, such as `joinpath`, the overloaded division operator, and `iterdir`. Although the infinite loop is not resource exhaustive, it prevents the application from responding. The vulnerability was addressed in version 3.19.1 of jaraco/zipp.

Packet Storm: Latest News

Ivanti EPM Agent Portal Command Execution