Last week, the Python Software Foundation (PSF) released Python 3.9.2 and 3.8.8 to address two known security issues. One of them is classed as a remote code execution (RCE) vulnerability: remotely exploitable in theory, but in practice its realistic impact is crashing the interpreter and taking the affected service offline.
Although fixes for both flaws had already landed in the release candidates, members of the Python community asked the developers to ship them in final, stable releases as soon as possible.


The PSF is encouraging users to upgrade to Python 3.8.8 or 3.9.2 to address the remote code execution vulnerability tracked as CVE-2021-3177. In theory, this vulnerability could allow an attacker to execute arbitrary code or commands on a target machine. The project brought the final releases forward after receiving unexpected pressure from concerned users about the flaw.

While a remote code execution vulnerability is never good news, Red Hat explains that the “highest threat from this vulnerability is to system availability.” The bug is a buffer overflow in the ctypes module (in PyCArg_repr, which formats certain floating-point values with an unbounded sprintf), so in practice an attacker who can feed the vulnerable code path crafted input would most likely only achieve a denial of service by crashing the interpreter.

As the release announcement put it: “To be sure, denial of service through malicious input is also a serious issue. Thus, to help the community members for whom the release candidate was insufficient, we are releasing the final versions of 3.9.2 and 3.8.8 today.”

The Python team said the requests surprised them: they had assumed that security fixes are routinely picked up from source by downstream distributors anyway, and that the release candidates provide installers for anyone who wants to upgrade in the meantime.

The other flaw, tracked as CVE-2021-23336, is a web cache poisoning issue in urllib.parse that is exploitable “using a vector called parameter cloaking.”

If an attacker can separate query parameters with a semicolon (;), they can cause the proxy (running with its default configuration) and the Python server to interpret the same request differently. The proxy does not treat the semicolon as a separator, so the malicious part stays hidden inside the value of a parameter the proxy excludes from its cache key (an unkeyed parameter), while the pre-fix urllib.parse splits on both & and ; and hands the server a separate, attacker-controlled parameter. The result is that a malicious response can be cached under the key of a completely benign request and served to other users. The fix changes urllib.parse.parse_qs and parse_qsl to split only on & by default, with a new separator argument for applications that really need the old behaviour.
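The following added example (written for this page, not code from the Python project or from the advisory) models the disagreement described above. It assumes a hypothetical proxy that excludes a tracking parameter, utm_content, from its cache key and only splits on &, while the backend runs a pre-3.9.2 urllib.parse that also splits on ;. The legacy behaviour is emulated by a small hand-written splitter (it does not percent-decode, unlike the real function); the patched behaviour uses the current urllib.parse.parse_qs, whose default separator is & on any Python that includes the fix. The two URLs are constructed sample inputs.

```python
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical proxy policy: this parameter is not part of the cache key.
UNKEYED_PARAMS = {"utm_content"}

# Constructed sample requests: the second one hides an extra parameter
# inside the unkeyed utm_content value, after a semicolon.
BENIGN_URL = "https://example.com/search?q=python&utm_content=newsletter"
CLOAKED_URL = "https://example.com/search?q=python&utm_content=x;callback=alert(1)"


def legacy_parse_qs(query: str) -> dict:
    """Emulates urllib.parse.parse_qs before CVE-2021-23336 was fixed:
    both '&' and ';' separate key=value pairs (no percent-decoding here)."""
    params: dict = {}
    for pair in re.split(r"[&;]", query):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(key, []).append(value)
    return params


def patched_parse_qs(query: str) -> dict:
    """The fixed behaviour: only '&' separates pairs, so 'x;callback=alert(1)'
    stays a single value of utm_content."""
    return parse_qs(query, keep_blank_values=True)


def proxy_cache_key(url: str) -> str:
    """What the caching proxy uses to look up a stored response.
    It splits on '&' only and drops unkeyed parameters."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    keyed = sorted((k, v) for k, v in params.items() if k not in UNKEYED_PARAMS)
    return parts.path + "?" + urlencode(keyed, doseq=True)


def backend_view(url: str, parser) -> dict:
    """What the origin server sees after parsing the query string."""
    return parser(urlsplit(url).query)


def is_poisonable(url: str, parser) -> bool:
    """True when the origin sees a parameter the proxy never keyed on.
    With the legacy parser this is the cache-poisoning condition."""
    seen_by_proxy = set(parse_qs(urlsplit(url).query, keep_blank_values=True))
    seen_by_backend = set(backend_view(url, parser))
    return bool(seen_by_backend - seen_by_proxy)


if __name__ == "__main__":
    print("proxy key (benign): ", proxy_cache_key(BENIGN_URL))
    print("proxy key (cloaked):", proxy_cache_key(CLOAKED_URL))
    print("legacy backend:     ", backend_view(CLOAKED_URL, legacy_parse_qs))
    print("patched backend:    ", backend_view(CLOAKED_URL, patched_parse_qs))
    print("poisonable (legacy): ", is_poisonable(CLOAKED_URL, legacy_parse_qs))
    print("poisonable (patched):", is_poisonable(CLOAKED_URL, patched_parse_qs))
```

Both URLs map to the same proxy cache key, /search?q=python, yet the legacy parser hands the backend a callback parameter the proxy never saw; the patched parser keeps the semicolon inside the utm_content value, so the two sides agree again. Applications that genuinely rely on semicolon-separated queries can opt back in explicitly with parse_qs(query, separator=';') on a fixed Python, which at least makes the choice visible in code review.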

The team also acknowledged that release candidates are largely invisible to users, mainly because existing upgrade paths do not offer them, so most installations never see the fix until a final release. The PSF urges all users to move to the newest releases. Reports also note that long-term support distributions such as Debian are backporting the security patches so that older Python versions remain protected as well.
