ELA-1265-1 mariadb-10.1 security update
ELA-1262-1 python3.5 security update
ELA-1265-1 mariadb-10.1 security update
Package : mariadb-10.1
Version : 10.1.48-0+deb9u6 (stretch)
Related CVEs :
CVE-2022-38791
A Denial-of-service vulnerability was found in MariaDB, a popular database
server.
It was found that the mariabackup tool did not correctly handle a mutex
primitive, making it possible for local users to trigger a deadlock.
ELA-1262-1 python3.5 security update
Package : python3.5
Version : 3.5.3-1+deb9u11 (stretch)
Related CVEs :
CVE-2023-27043
CVE-2024-6232
CVE-2024-6923
CVE-2024-7592
CVE-2024-9287
CVE-2024-11168
Multiple vulnerabilities were found in python3.5, an interactive high-level
object-oriented language.
CVE-2023-27043:
The email module of Python
incorrectly parsed e-mail addresses that contain
a special character. The wrong portion of an
RFC2822 header was identified as the value of the addr-spec.
In some applications, an attacker could bypass a protection
mechanism in which application access is granted only after
verifying receipt of e-mail to a specific domain (e.g.,
only @company.example.com addresses may be used for signup).
CVE-2024-6232:
Regular expressions that allowed excessive
backtracking during tarfile.TarFile header parsing were vulnerable
to ReDoS via specifically-crafted tar archives.
CVE-2024-6923
The email module didn’t properly quote
newlines for email headers when serializing an email message,
allowing for header injection when an email is serialized.
CVE-2024-7592
When parsing cookies that contained
backslashes for quoted characters in the cookie value,
the parser would use an algorithm with quadratic complexity,
resulting in excess CPU resources being used while parsing
the value
CVE-2024-9287
A vulnerability has been found in the `venv`
module and CLI where path names provided when creating a
virtual environment were not quoted properly, allowing the
creator to inject commands into virtual environment "activation"
scripts (ie "source venv/bin/activate").
CVE-2024-11168
The urllib.parse.urlsplit() and urlparse()
functions improperly validated bracketed hosts (`[]`),
allowing hosts that weren't IPv6 or IPvFuture. This behavior
was not conformant to RFC 3986 and potentially enabled SSRF
if a URL is processed by more than one URL parser.
