Moderate: python27:2.7 security update

2024-05-2200:00:00

Google

osv.dev

python

security update

cve

redos

memory corruption

xml processing

cookie header

html attribute injection

almalinux

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

6.8

Confidence

Low

EPSS

0.005

Percentile

77.4%

JSON

Python is an interpreted, interactive, object-oriented programming language that supports modules, classes, exceptions, high-level dynamic data types, and dynamic typing. The python27 packages provide a stable release of Python 2.7 with a number of additional utilities and database connectors for MySQL and PostgreSQL.

Security Fix(es):

pypa-setuptools: Regular Expression Denial of Service (ReDoS) in package_index.py (CVE-2022-40897)
python: use after free in heappushpop() of heapq module (CVE-2022-48560)
python: XML External Entity in XML processing plistlib module (CVE-2022-48565)
python-urllib3: Cookie request header isn’t stripped during cross-origin redirects (CVE-2023-43804)
jinja2: HTML attribute injection when passing user input as keys to xmlattr filter (CVE-2024-22195)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.