==========================================================================
Ubuntu Security Notice USN-5833-1
January 31, 2023

python-future vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 ESM
Summary:
python-future could be made to crash if it received specially crafted
input.
Software Description:
- python-future: Clean single-source support for Python 3 and 2
Details:
Sebastian Chnelik discovered that python-future incorrectly handled
certain HTTP header fields. The flaw is reached when python-future parses
a crafted Set-Cookie header returned by a malicious web server, so the
exposure is on the client side: applications that fetch untrusted HTTP
responses through python-future. An attacker could possibly use this
issue to cause a denial of service. (CVE-2022-40899)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.10:
python3-future 0.18.2-6ubuntu0.1
Ubuntu 22.04 LTS:
python3-future 0.18.2-5ubuntu0.1
Ubuntu 20.04 LTS:
python3-future 0.18.2-2ubuntu0.1
Ubuntu 18.04 LTS:
python-future 0.15.2-4ubuntu2.1
python3-future 0.15.2-4ubuntu2.1
Ubuntu 16.04 ESM:
python-future 0.15.2-1ubuntu0.1~esm1
python3-future 0.15.2-1ubuntu0.1~esm1
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5833-1
CVE-2022-40899
Package Information:
https://launchpad.net/ubuntu/+source/python-future/0.18.2-6ubuntu0.1
https://launchpad.net/ubuntu/+source/python-future/0.18.2-5ubuntu0.1
https://launchpad.net/ubuntu/+source/python-future/0.18.2-2ubuntu0.1
https://launchpad.net/ubuntu/+source/python-future/0.15.2-4ubuntu2.1
CVE-2022-40899: An issue discovered in Python Charmers Future 0.18.2 and earlier allows remote attackers to cause a denial of service via a crafted Set-Cookie header from a malicious web server.