Security
Headlines
HeadlinesLatestCVEs

Headline

Ubuntu Security Notice USN-7040-1

Ubuntu Security Notice 7040-1 - It was discovered that ConfigObj contains regex that is susceptible to catastrophic backtracking. An attacker could possibly use this issue to cause a regular expression denial of service.

Packet Storm
#vulnerability#ubuntu#dos

==========================================================================
Ubuntu Security Notice USN-7040-1
September 26, 2024

configobj vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 22.04 LTS
  • Ubuntu 20.04 LTS
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS

Summary:

ConfigObj could be made to crash if it received specially crafted input.

Software Description:

  • configobj: simple but powerful config file reader and writer for Python

Details:

It was discovered that ConfigObj contains regex that is susceptible to
catastrophic backtracking. An attacker could possibly use this issue to
cause a regular expression denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS
python3-configobj 5.0.6-5ubuntu0.1

Ubuntu 20.04 LTS
python3-configobj 5.0.6-4ubuntu0.1

Ubuntu 18.04 LTS
python-configobj 5.0.6-2ubuntu0.18.04.1~esm1
Available with Ubuntu Pro
python3-configobj 5.0.6-2ubuntu0.18.04.1~esm1
Available with Ubuntu Pro

Ubuntu 16.04 LTS
python-configobj 5.0.6-2ubuntu0.16.04.1~esm1
Available with Ubuntu Pro
python3-configobj 5.0.6-2ubuntu0.16.04.1~esm1
Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-7040-1
CVE-2023-26112

Package Information:
https://launchpad.net/ubuntu/+source/configobj/5.0.6-5ubuntu0.1
https://launchpad.net/ubuntu/+source/configobj/5.0.6-4ubuntu0.1

Related news

Ubuntu Security Notice USN-7040-2

Ubuntu Security Notice 7040-2 - USN-7040-1 fixed a vulnerability in ConfigObj. This update provides the corresponding update for Ubuntu 14.04 LTS. It was discovered that ConfigObj contains regex that is susceptible to catastrophic backtracking. An attacker could possibly use this issue to cause a regular expression denial of service.

GHSA-c33w-24p9-8m24: configobj ReDoS exploitable by developer using values in a server-side configuration file

All versions of the package configobj are vulnerable to Regular Expression Denial of Service (ReDoS) via the validate function, using (.+?)\((.*)\). **Note:** This is only exploitable in the case of a developer, putting the offending value in a server side configuration file.

CVE-2023-26112: Snyk Vulnerability Database | Snyk

All versions of the package configobj are vulnerable to Regular Expression Denial of Service (ReDoS) via the validate function, using (.+?)\((.*)\). **Note:** This is only exploitable in the case of a developer, putting the offending value in a server side configuration file.

Packet Storm: Latest News

Acronis Cyber Protect/Backup Remote Code Execution