CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
AI Score
Confidence
High
EPSS
Percentile
85.1%
Issue Overview:
Lib/ipaddress.py in Python through 3.8.3 improperly computes hash values in the IPv4Interface and IPv6Interface classes, which might allow a remote attacker to cause a denial of service if an application is affected by the performance of a dictionary containing IPv4Interface or IPv6Interface objects, and this attacker can cause many dictionary entries to be created. A vulnerability was found in the way the ipaddress python module computes hash values in the IPv4Interface and IPv6Interface classes. This flaw allows an attacker to create many dictionary entries, due to the performance of a dictionary containing the IPv4Interface or IPv6Interface objects, possibly resulting in a denial of service. The highest threat from this vulnerability is to system availability. (CVE-2020-14422)
In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation. (CVE-2019-20907)
Affected Packages:
python3
Note:
This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update python3 to update your system.
New Packages:
aarch64:
python3-3.7.9-1.amzn2.0.1.aarch64
python3-libs-3.7.9-1.amzn2.0.1.aarch64
python3-devel-3.7.9-1.amzn2.0.1.aarch64
python3-tools-3.7.9-1.amzn2.0.1.aarch64
python3-tkinter-3.7.9-1.amzn2.0.1.aarch64
python3-test-3.7.9-1.amzn2.0.1.aarch64
python3-debug-3.7.9-1.amzn2.0.1.aarch64
python3-debuginfo-3.7.9-1.amzn2.0.1.aarch64
i686:
python3-3.7.9-1.amzn2.0.1.i686
python3-libs-3.7.9-1.amzn2.0.1.i686
python3-devel-3.7.9-1.amzn2.0.1.i686
python3-tools-3.7.9-1.amzn2.0.1.i686
python3-tkinter-3.7.9-1.amzn2.0.1.i686
python3-test-3.7.9-1.amzn2.0.1.i686
python3-debug-3.7.9-1.amzn2.0.1.i686
python3-debuginfo-3.7.9-1.amzn2.0.1.i686
src:
python3-3.7.9-1.amzn2.0.1.src
x86_64:
python3-3.7.9-1.amzn2.0.1.x86_64
python3-libs-3.7.9-1.amzn2.0.1.x86_64
python3-devel-3.7.9-1.amzn2.0.1.x86_64
python3-tools-3.7.9-1.amzn2.0.1.x86_64
python3-tkinter-3.7.9-1.amzn2.0.1.x86_64
python3-test-3.7.9-1.amzn2.0.1.x86_64
python3-debug-3.7.9-1.amzn2.0.1.x86_64
python3-debuginfo-3.7.9-1.amzn2.0.1.x86_64
Red Hat: CVE-2019-20907, CVE-2020-14422
Mitre: CVE-2019-20907, CVE-2020-14422
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Amazon Linux | 2 | aarch64 | python3 | < 3.7.9-1.amzn2.0.1 | python3-3.7.9-1.amzn2.0.1.aarch64.rpm |
Amazon Linux | 2 | aarch64 | python3-libs | < 3.7.9-1.amzn2.0.1 | python3-libs-3.7.9-1.amzn2.0.1.aarch64.rpm |
Amazon Linux | 2 | aarch64 | python3-devel | < 3.7.9-1.amzn2.0.1 | python3-devel-3.7.9-1.amzn2.0.1.aarch64.rpm |
Amazon Linux | 2 | aarch64 | python3-tools | < 3.7.9-1.amzn2.0.1 | python3-tools-3.7.9-1.amzn2.0.1.aarch64.rpm |
Amazon Linux | 2 | aarch64 | python3-tkinter | < 3.7.9-1.amzn2.0.1 | python3-tkinter-3.7.9-1.amzn2.0.1.aarch64.rpm |
Amazon Linux | 2 | aarch64 | python3-test | < 3.7.9-1.amzn2.0.1 | python3-test-3.7.9-1.amzn2.0.1.aarch64.rpm |
Amazon Linux | 2 | aarch64 | python3-debug | < 3.7.9-1.amzn2.0.1 | python3-debug-3.7.9-1.amzn2.0.1.aarch64.rpm |
Amazon Linux | 2 | aarch64 | python3-debuginfo | < 3.7.9-1.amzn2.0.1 | python3-debuginfo-3.7.9-1.amzn2.0.1.aarch64.rpm |
Amazon Linux | 2 | i686 | python3 | < 3.7.9-1.amzn2.0.1 | python3-3.7.9-1.amzn2.0.1.i686.rpm |
Amazon Linux | 2 | i686 | python3-libs | < 3.7.9-1.amzn2.0.1 | python3-libs-3.7.9-1.amzn2.0.1.i686.rpm |
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
AI Score
Confidence
High
EPSS
Percentile
85.1%