The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Python: overload via TAR File

Synthesis of the vulnerability

An attacker can trigger an overload in Python's TAR file handling, in order to cause a denial of service.
Vulnerable systems: Debian, BIG-IP Hardware, TMOS, Fedora, Junos Space, Junos Space Network Management Platform, openSUSE Leap, Solaris, Python, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity of this threat: 2/4.
Creation date: 21/07/2020.
References of this weakness: 39017, bulletinjul2020, CVE-2019-20907, DLA-2337-1, DLA-2456-1, FEDORA-2020-16167a66a2, FEDORA-2020-1ddd5273d6, FEDORA-2020-4cf7c3910b, FEDORA-2020-826b24c329, FEDORA-2020-87c0a0a52d, FEDORA-2020-d30881c970, FEDORA-2020-d808fdd597, FEDORA-2020-dfb11916cc, FEDORA-2020-e9251de272, FEDORA-2020-efb908b6a8, JSA11174, JSA11176, K78284681, openSUSE-SU-2020:1254-1, openSUSE-SU-2020:1257-1, openSUSE-SU-2020:1258-1, openSUSE-SU-2020:1265-1, openSUSE-SU-2020:2332-1, openSUSE-SU-2020:2333-1, RHSA-2020:4273-01, RHSA-2020:4285-01, RHSA-2020:4299-01, RHSA-2020:4433-01, RHSA-2020:4641-01, RHSA-2020:4654-01, RHSA-2020:5009-01, RHSA-2020:5010-01, RHSA-2021:0528-01, RHSA-2021:0761-01, RHSA-2021:0881-01, SUSE-SU-2020:2216-1, SUSE-SU-2020:2275-1, SUSE-SU-2020:2276-1, SUSE-SU-2020:2277-1, SUSE-SU-2020:2699-1, SUSE-SU-2020:3563-1, SUSE-SU-2020:3930-1, USN-4428-1, VIGILANCE-VUL-32888.

Description of the vulnerability

An attacker can trigger an overload in Python's TAR file handling, in order to cause a denial of service.

This cybersecurity vulnerability impacts software or systems such as Debian, BIG-IP Hardware, TMOS, Fedora, Junos Space, Junos Space Network Management Platform, openSUSE Leap, Solaris, Python, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.

Our Vigil@nce team determined that the severity of this vulnerability is medium.

The trust level is confirmed by the editor, with a document as origin.

An attacker with expert skills can exploit this weakness.

Solutions for this threat

Python: version 3.8.5.
The version 3.8.5 is fixed:
  https://www.python.org/downloads/release/python-385/

Python: version 3.7.9.
The version 3.7.9 is fixed:
  https://www.python.org/

Python: version 3.6.12.
The version 3.6.12 is fixed:
  https://www.python.org/

Fedora 31-32: new python35 packages.
New packages are available:
  Fedora 31: python35 3.5.10-1.fc31
  Fedora 32: python35 3.5.10-1.fc32

Python: version 3.5.10.
The version 3.5.10 is fixed:
  https://www.python.org/downloads/release/python-3510/

Python: patch for TAR File.
A patch is available:
  https://hg.python.org/lookup/f3232294ee695492f43d424cc6969d018d49861d
  https://hg.python.org/lookup/c55479556db015f48fc8bbca17f64d3e65598559
  https://hg.python.org/lookup/79c6b602efc9a906c8496f3d5f4d54c54b48fa06
  https://hg.python.org/lookup/47a2955589bdb1a114d271496ff803ad73f954b8
  https://hg.python.org/lookup/cac9ca8ed99bd98f4c0dcd1913a146192bf5ee84

Debian 9: new python2.7 packages.
New packages are available:
  Debian 9: python2.7 2.7.13-2+deb9u4

Debian 9: new python3.5 packages.
New packages are available:
  Debian 9: python3.5 3.5.3-1+deb9u3

F5 BIG-IP: solution for tarfile.
The solution is indicated in the information sources.

Fedora 31: new python2 packages.
New packages are available:
  Fedora 31: python2 2.7.18-2.fc31

Fedora 31: new python36 packages.
New packages are available:
  Fedora 31: python36 3.6.11-3.fc31

Fedora 31: new python3 packages.
New packages are available:
  Fedora 31: python3 3.7.8-2.fc31

Fedora 32: new mingw-python3 packages.
New packages are available:
  Fedora 32: mingw-python3 3.8.3-3.fc32

Fedora 32: new python27 packages.
New packages are available:
  Fedora 32: python27 2.7.18-2.fc32

Fedora 32: new python34 packages.
New packages are available:
  Fedora 32: python34 3.4.10-11.fc32

Fedora 32: new python36 packages.
New packages are available:
  Fedora 32: python36 3.6.11-3.fc32

Fedora 32: new python37 packages.
New packages are available:
  Fedora 32: python37 3.7.8-2.fc32

Junos Space: version 21.1R1.
The version 21.1R1 is fixed:
  https://support.juniper.net/support/downloads/
The version fixes more than 450 vulnerabilities, but only the 100 most recent vulnerabilities were associated with this bulletin.

openSUSE Leap 15.1-15.2: new python3 packages.
New packages are available:
  openSUSE Leap 15.1: python3 3.6.12-lp151.6.30.1
  openSUSE Leap 15.2: python3 3.6.12-lp152.4.12.2

openSUSE Leap 15.1: new python3 packages.
New packages are available:
  openSUSE Leap 15.1: python3 3.6.10-lp151.6.24.1

openSUSE Leap 15.1: new python packages.
New packages are available:
  openSUSE Leap 15.1: python 2.7.17-lp151.10.21.1

openSUSE Leap 15.2: new python3 packages.
New packages are available:
  openSUSE Leap 15.2: python3 3.6.10-lp152.4.6.2

openSUSE Leap 15.2: new python packages.
New packages are available:
  openSUSE Leap 15.2: python 2.7.17-lp152.3.3.1

Oracle Solaris: patch for third party software of July 2020 v3.
A patch is available:
  https://support.oracle.com/rs?type=doc&id=1448883.1

RHEL 6, 7: new rh-python36 packages.
New packages are available:
  RHEL 6.0-6.10: rh-python36 python-3.6.12-1.el6
  RHEL 7.0-7.9: rh-python36 python-3.6.12-1.el7

RHEL 7.4: new python packages.
New packages are available:
  RHEL 7.4: python 2.7.5-64.el7_4

RHEL 7.6: new python packages.
New packages are available:
  RHEL 7.6: python 2.7.5-84.el7_6

RHEL 7.7: new python packages.
New packages are available:
  RHEL 7.7: python 2.7.5-88.el7_7

RHEL 7: new python27 packages.
New packages are available:
  RHEL 7.0-7.9: python27 python-2.7.18-2.el7

RHEL 7: new python3 packages.
New packages are available:
  RHEL 7.0-7.9: python3 3.6.8-18.el7

RHEL 7: new python packages.
New packages are available:
  RHEL 7.0-7.9: python 2.7.5-90.el7

RHEL 7: new rh-python38 packages.
New packages are available:
  RHEL 7.0-7.9: rh-python38 python-3.8.6-1.el7

RHEL 8: new python27-2.7 module.
The following module is updated:
  RHEL 8 Module: python27:2.7

RHEL 8: new python38-3.8 module.
The following module is updated:
  RHEL 8 Module: python38:3.8

RHEL 8: new python3 packages.
New packages are available:
  RHEL 8.0-8.2: python3 3.6.8-31.el8

SUSE LE 12: new python3 packages.
New packages are available:
  SUSE LE 12 SP5: python3 3.4.10-25.52.1
  SUSE LE 12 SP4: python3 3.4.10-25.52.1
  SUSE LE 12 SP3: python3 3.4.10-25.52.1
  SUSE LE 12 SP2: python3 3.4.10-25.52.1

SUSE LE 12 SP5: new python36 packages (01/12/2020).
New packages are available:
  SUSE LE 12 SP5: python36 3.6.12-4.22.2

SUSE LE 12 SP5: new python36 packages (13/08/2020).
New packages are available:
  SUSE LE 12 SP5: python36 3.6.10-4.17.1

SUSE LE 12 SP5: new python packages.
New packages are available:
  SUSE LE 12 SP5: python 2.7.17-28.48.1

SUSE LE 15 RTM-SP3: new python3 packages.
New packages are available:
  SUSE LE 15 RTM: python3 3.6.12-3.67.2
  SUSE LE 15 SP1: python3 3.6.12-3.67.2
  SUSE LE 15 SP2: python3 3.6.12-3.67.2
  SUSE LE 15 SP3: python3 3.6.12-3.67.2

SUSE LE 15 SP1-2: new python3 packages.
New packages are available:
  SUSE LE 15 SP1: python3 3.6.10-3.59.1
  SUSE LE 15 SP2: python3 3.6.10-3.59.1

SUSE LE 15 SP1-2: new python packages.
New packages are available:
  SUSE LE 15 SP1: python 2.7.17-7.41.1
  SUSE LE 15 SP2: python 2.7.17-7.41.1

Ubuntu: new python packages.
New packages are available:
  Ubuntu 20.04 LTS: python3.8 3.8.2-1ubuntu1.2
  Ubuntu 18.04 LTS: python2.7 2.7.17-1~18.04ubuntu1.1, python3.6 3.6.9-1~18.04ubuntu1.1
  Ubuntu 16.04 LTS: python2.7 2.7.12-1ubuntu0~16.04.12, python3.5 3.5.2-2ubuntu0~16.04.11
  Ubuntu 14.04 ESM: python2.7 2.7.6-8ubuntu0.6+esm6, python3.4 3.4.3-1ubuntu1~14.04.7+esm7
  Ubuntu 12.04 ESM: python2.7 2.7.3-0ubuntu3.18

Wind River Linux: version 10.17.41.22.
The version 10.17.41.22 is fixed:
  https://support2.windriver.com/index.php?page=cve&on=list&show=50&product_id=1&product_version%5B0%5D=2&id_status%5B0%5D=4&cve_id_filter=&s=&submit=&order_by=cve_modified_date&order_way=desc#list

Computer vulnerabilities tracking service

Vigil@nce provides a computer vulnerability database. Each administrator can customize the list of products for which he wants to receive vulnerability alerts.