Bug 1205244 - (CVE-2022-45061) VUL-0: CVE-2022-45061: python39,python3,python310,python36,python,python27: quadratic time IDNA decoding
Status: IN_PROGRESS
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Matej Cepl
QA Contact: Security Team bot
https://smash.suse.de/issue/347485/
CVSSv3.1:SUSE:CVE-2022-45061:6.5:(AV:...
Depends on:
Blocks:
Reported: 2022-11-09 14:16 UTC by Carlos López
Modified: 2023-01-30 20:20 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Description Carlos López 2022-11-09 14:16:58 UTC
CVE-2022-45061

An issue was discovered in Python before 3.11.1. An unnecessary quadratic
algorithm exists in one path when processing some inputs to the IDNA (RFC 3490)
decoder, such that a crafted, unreasonably long name being presented to the
decoder could lead to a CPU denial of service. Hostnames are often supplied by
remote servers that could be controlled by a malicious actor; in such a
scenario, they could trigger excessive CPU consumption on the client attempting
to make use of an attacker-supplied supposed hostname. For example, the attack
payload could be placed in the Location header of an HTTP response with status
code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-45061
https://www.cve.org/CVERecord?id=CVE-2022-45061
https://github.com/python/cpython/issues/98433
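An added example, not code from the bug report, from CPython or from the SUSE packages: a cheap length guard applied to a hostname taken from an untrusted source (such as a 302 Location header) before it reaches the stdlib idna codec, so an unreasonably long name is rejected in linear time instead of being decoded. Using the RFC 1035 limits (253 octets per name, 63 per label) as the policy, and the function names and the UnsafeHostname exception, are assumptions of this example, not the upstream fix.

```python
from urllib.parse import urlsplit

# RFC 1035 length limits; using them as a pre-decode guard is this example's choice.
MAX_HOSTNAME = 253   # whole name, octets
MAX_LABEL = 63       # each dot-separated label


class UnsafeHostname(ValueError):
    """Raised when a hostname fails the cheap pre-decode checks."""


def check_hostname_lengths(host: str) -> str:
    """Reject over-long names on the raw string (O(n)) so an attacker-supplied
    name never reaches the IDNA decoder's expensive path."""
    host = host.rstrip(".")
    if not host:
        raise UnsafeHostname("empty hostname")
    if not host.isascii():
        raise UnsafeHostname("expected an ASCII (ACE) hostname")
    if len(host) > MAX_HOSTNAME:
        raise UnsafeHostname(f"hostname too long: {len(host)} > {MAX_HOSTNAME}")
    for label in host.split("."):
        if not label or len(label) > MAX_LABEL:
            raise UnsafeHostname(f"bad label length: {len(label)}")
    return host


def is_safe_hostname(host: str) -> bool:
    """Boolean form of the guard for request hooks and tests."""
    try:
        check_hostname_lengths(host)
    except UnsafeHostname:
        return False
    return True


def safe_idna_decode(host: str) -> str:
    """Length-check first, then let the stdlib codec turn xn-- labels into Unicode."""
    host = check_hostname_lengths(host)
    return host.encode("ascii").decode("idna")


def redirect_target_host(location: str) -> str:
    """Validate the host of an HTTP Location header value before following it."""
    parts = urlsplit(location)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise UnsafeHostname(f"unsupported redirect target: {location!r}")
    return safe_idna_decode(parts.hostname)
```

Wire `redirect_target_host` into whatever follows redirects in your client so the guard runs on every hop, not only the first.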
Comment 1 Carlos López 2022-11-09 14:42:10 UTC
This affects all Python versions it seems
Comment 2 OBSbugzilla Bot 2022-11-09 23:35:03 UTC
This is an autogenerated message for OBS integration:
This bug (1205244) was mentioned in
https://build.opensuse.org/request/show/1034962 Factory / python310
https://build.opensuse.org/request/show/1034963 Factory / python311
https://build.opensuse.org/request/show/1034964 Factory / python38
Comment 4 OBSbugzilla Bot 2022-11-10 01:35:02 UTC
This is an autogenerated message for OBS integration:
This bug (1205244) was mentioned in
https://build.opensuse.org/request/show/1034968 Factory / python39
https://build.opensuse.org/request/show/1034969 Factory / python
Comment 5 OBSbugzilla Bot 2022-11-10 17:35:05 UTC
This is an autogenerated message for OBS integration:
This bug (1205244) was mentioned in
https://build.opensuse.org/request/show/1035107 Factory / python
Comment 8 Swamp Workflow Management 2022-11-15 20:34:46 UTC
SUSE-SU-2022:4004-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1204886,1205244
CVE References: CVE-2022-42919,CVE-2022-45061
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    python310-3.10.8-150400.4.15.1, python310-core-3.10.8-150400.4.15.1, python310-documentation-3.10.8-150400.4.15.1
SUSE Linux Enterprise Module for Python3 15-SP4 (src):    python310-3.10.8-150400.4.15.1, python310-core-3.10.8-150400.4.15.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Swamp Workflow Management 2022-11-18 17:24:42 UTC
SUSE-SU-2022:4071-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1204886,1205244
CVE References: CVE-2022-42919,CVE-2022-45061
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    python39-3.9.15-150300.4.21.1, python39-core-3.9.15-150300.4.21.1, python39-documentation-3.9.15-150300.4.21.1
openSUSE Leap 15.3 (src):    python39-3.9.15-150300.4.21.1, python39-core-3.9.15-150300.4.21.1, python39-documentation-3.9.15-150300.4.21.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    python39-core-3.9.15-150300.4.21.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    python39-3.9.15-150300.4.21.1, python39-core-3.9.15-150300.4.21.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Matej Cepl 2022-11-23 00:54:32 UTC
I believe this is all done. Am I right?
Comment 13 Swamp Workflow Management 2022-11-28 14:29:44 UTC
SUSE-SU-2022:4251-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1203125,1205244
CVE References: CVE-2020-10735,CVE-2022-45061
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    python3-3.4.10-25.102.2, python3-base-3.4.10-25.102.2
SUSE OpenStack Cloud 9 (src):    python3-3.4.10-25.102.2, python3-base-3.4.10-25.102.2
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    python3-3.4.10-25.102.2, python3-base-3.4.10-25.102.2
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    python3-3.4.10-25.102.2, python3-base-3.4.10-25.102.2
SUSE Linux Enterprise Server 12-SP5 (src):    python3-3.4.10-25.102.2, python3-base-3.4.10-25.102.2
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    python3-3.4.10-25.102.2, python3-base-3.4.10-25.102.2
SUSE Linux Enterprise Server 12-SP3-BCL (src):    python3-3.4.10-25.102.2, python3-base-3.4.10-25.102.2
SUSE Linux Enterprise Server 12-SP2-BCL (src):    python3-3.4.10-25.102.2, python3-base-3.4.10-25.102.2
SUSE Linux Enterprise Module for Web Scripting 12 (src):    python3-3.4.10-25.102.2, python3-base-3.4.10-25.102.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Swamp Workflow Management 2022-11-28 20:25:16 UTC
SUSE-SU-2022:4258-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1205244
CVE References: CVE-2022-45061
JIRA References: 
Sources used:
SUSE Manager Server 4.1 (src):    python3-3.6.15-150000.3.119.1, python3-core-3.6.15-150000.3.119.1
SUSE Manager Retail Branch Server 4.1 (src):    python3-3.6.15-150000.3.119.1, python3-core-3.6.15-150000.3.119.1
SUSE Manager Proxy 4.1 (src):    python3-3.6.15-150000.3.119.1, python3-core-3.6.15-150000.3.119.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    python3-3.6.15-150000.3.119.1, python3-core-3.6.15-150000.3.119.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    python3-3.6.15-150000.3.119.1, python3-core-3.6.15-150000.3.119.1
SUSE Linux Enterprise Server for SAP 15 (src):    python3-3.6.15-150000.3.119.1, python3-core-3.6.15-150000.3.119.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    python3-3.6.15-150000.3.119.1, python3-core-3.6.15-150000.3.119.1
SUSE Linux Enterprise Server 15-SP2-BCL (src):    python3-3.6.15-150000.3.119.1, python3-core-3.6.15-150000.3.119.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    python3-3.6.15-150000.3.119.1, python3-core-3.6.15-150000.3.119.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    python3-3.6.15-150000.3.119.1, python3-core-3.6.15-150000.3.119.1
SUSE Linux Enterprise Server 15-LTSS (src):    python3-3.6.15-150000.3.119.1, python3-core-3.6.15-150000.3.119.1
SUSE Linux Enterprise Micro 5.1 (src):    python3-3.6.15-150000.3.119.1, python3-core-3.6.15-150000.3.119.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    python3-3.6.15-150000.3.119.1, python3-core-3.6.15-150000.3.119.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    python3-3.6.15-150000.3.119.1, python3-core-3.6.15-150000.3.119.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    python3-3.6.15-150000.3.119.1, python3-core-3.6.15-150000.3.119.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    python3-3.6.15-150000.3.119.1, python3-core-3.6.15-150000.3.119.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    python3-3.6.15-150000.3.119.1, python3-core-3.6.15-150000.3.119.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    python3-3.6.15-150000.3.119.1, python3-core-3.6.15-150000.3.119.1
SUSE Enterprise Storage 7 (src):    python3-3.6.15-150000.3.119.1, python3-core-3.6.15-150000.3.119.1
SUSE Enterprise Storage 6 (src):    python3-3.6.15-150000.3.119.1, python3-core-3.6.15-150000.3.119.1
SUSE CaaS Platform 4.0 (src):    python3-3.6.15-150000.3.119.1, python3-core-3.6.15-150000.3.119.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 15 Swamp Workflow Management 2022-11-29 17:42:32 UTC
SUSE-SU-2022:4275-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1202666,1205244
CVE References: CVE-2022-45061
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    python-2.7.18-33.17.1, python-base-2.7.18-33.17.1, python-doc-2.7.18-33.17.1
SUSE OpenStack Cloud 9 (src):    python-2.7.18-33.17.1, python-base-2.7.18-33.17.1, python-doc-2.7.18-33.17.1
SUSE Linux Enterprise Workstation Extension 12-SP5 (src):    python-base-2.7.18-33.17.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    python-2.7.18-33.17.1, python-base-2.7.18-33.17.1, python-doc-2.7.18-33.17.1
SUSE Linux Enterprise Server 12-SP5 (src):    python-2.7.18-33.17.1, python-base-2.7.18-33.17.1, python-doc-2.7.18-33.17.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    python-2.7.18-33.17.1, python-base-2.7.18-33.17.1, python-doc-2.7.18-33.17.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 16 khanh vu 2023-01-09 03:52:24 UTC
Hi,

Will we have a fix for python3 in SUSE Linux Enterprise Server 15 SP4?

BRs/KhanhVu
Comment 19 Swamp Workflow Management 2023-01-30 20:20:09 UTC
SUSE-SU-2023:0213-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1202666,1205244
CVE References: CVE-2022-45061
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 12-SP2-BCL (src):    python-2.7.18-28.93.1, python-base-2.7.18-28.93.1, python-doc-2.7.18-28.93.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.