Headline
Ubuntu Security Notice USN-6064-1
Ubuntu Security Notice 6064-1 - It was discovered that SQL parse incorrectly handled certain regular expression. An attacker could possibly use this issue to cause a denial of service.
=========================================================================
Ubuntu Security Notice USN-6064-1
May 10, 2023
sqlparse vulnerability
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 23.04
- Ubuntu 22.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
Summary:
SQL parse could be made to denial of service if it received
a specially crafted regular expression.
Software Description:
- sqlparse: documentation for non-validating SQL parser in Python
Details:
It was discovered that SQL parse incorrectly handled certain regular expression.
An attacker could possibly use this issue to cause a denial of service.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 23.04:
python3-sqlparse 0.4.2-1ubuntu0.23.04.1
Ubuntu 22.10:
python3-sqlparse 0.4.2-1ubuntu0.22.10.1
Ubuntu 22.04 LTS:
python3-sqlparse 0.4.2-1ubuntu0.22.04.1
Ubuntu 20.04 LTS:
python3-sqlparse 0.2.4-3ubuntu0.1
Ubuntu 18.04 LTS:
python-sqlparse 0.2.4-0.1ubuntu0.1
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6064-1
CVE-2023-30608
Package Information:
https://launchpad.net/ubuntu/+source/sqlparse/0.4.2-1ubuntu0.23.04.1
https://launchpad.net/ubuntu/+source/sqlparse/0.4.2-1ubuntu0.22.10.1
https://launchpad.net/ubuntu/+source/sqlparse/0.4.2-1ubuntu0.22.04.1
https://launchpad.net/ubuntu/+source/sqlparse/0.2.4-3ubuntu0.1
https://launchpad.net/ubuntu/+source/sqlparse/0.2.4-0.1ubuntu0.1
Related news
Red Hat Security Advisory 2023-4591-01 - Red Hat Update Infrastructure offers a highly scalable, highly redundant framework that enables you to manage repositories and content. It also enables cloud providers to deliver content and updates to Red Hat Enterprise Linux instances. Issues addressed include bypass and denial of service vulnerabilities.
An updated version of Red Hat Update Infrastructure (RHUI) is now available. RHUI 4.5 fixes several security and operational bugs and also adds several new features.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-30608: A flaw was found in sqlparse. The SQL parser contains a regular expression vulnerable to a Regular Expression Denial of Service (ReDoS). The vulnerability may lead to a denial of service (DoS). * CVE-2023-31047: A bypass of validation flaw was found in python-django. When uploading multiple files using one form field, an attacker could upload multiple files without validation due to the server only validating the last file uploaded.
### Impact The SQL parser contains a regular expression that is vulnerable to [ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS) (Regular Expression Denial of Service). The vulnerability may lead to Denial of Service (DoS). ### Patches This issues has been fixed in sqlparse 0.4.4. ### Workarounds None. ### References This issue was discovered and reported by GHSL team member [@erik-krogh (Erik Krogh Kristensen)](https://github.com/erik-krogh). - Commit that introduced the vulnerability: e75e35869473832a1eb67772b1adfee2db11b85a
sqlparse is a non-validating SQL parser module for Python. In affected versions the SQL parser contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service). This issue was introduced by commit `e75e358`. The vulnerability may lead to Denial of Service (DoS). This issues has been fixed in sqlparse 0.4.4 by commit `c457abd5f`. Users are advised to upgrade. There are no known workarounds for this issue.