Ubuntu Addresses Several Python Vulnerabilities
Python, a widely used programming language, is integral to many applications and systems. However, like any software, it can have vulnerabilities that pose significant security risks. Recently, Canonical addressed 41 vulnerabilities in the Python package across various Ubuntu releases, including Ubuntu 23.10, Ubuntu 22.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 18.04, 16.04, and 14.04 ESM. This article explores some of the high-severity Python vulnerabilities that have been fixed and provides guidance on how to stay secure.
Python Vulnerabilities Fixed in Ubuntu
CVE-2021-29921 (CVSS v3 Score: 9.8 Critical)
A critical vulnerability was found in the Python standard library's ipaddress API, which incorrectly handled octal strings. A remote attacker could exploit this issue to bypass certain access controls and perform a wide range of attacks. This issue only affected Ubuntu 18.04.
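The defensive check this description implies, as an added example that is not part of the original article or of Ubuntu's patch: before the fix, ipaddress silently accepted leading-zero octets such as "010.8.8.8" (reading them as decimal, where other parsers read them as octal), so an allowlist built on it could disagree with the rest of the stack. The wrapper below rejects that notation outright, which matches the patched behaviour on an unpatched interpreter; the function and regex names are my own.

```python
import ipaddress
import re

# One decimal octet 0-255 with no leading zero ("0" alone is allowed, "010" is not).
_OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
_STRICT_IPV4 = re.compile(rf"{_OCTET}(?:\.{_OCTET}){{3}}")


def is_strict_ipv4(text: str) -> bool:
    """True only for an unambiguous dotted-quad: four decimal octets, no leading zeros."""
    return _STRICT_IPV4.fullmatch(text) is not None


def parse_ipv4_strict(text: str) -> ipaddress.IPv4Address:
    """Parse an IPv4 string, refusing leading-zero octets instead of guessing their meaning.

    Patched Python raises AddressValueError for "010.8.8.8" itself; doing the check
    here gives the same result on an interpreter that has not received the fix.
    """
    if not is_strict_ipv4(text):
        raise ValueError(f"rejected ambiguous or malformed IPv4 address: {text!r}")
    return ipaddress.IPv4Address(text)


def interpreter_accepts_leading_zeros() -> bool:
    """True if this Python's ipaddress still accepts "010.8.8.8", i.e. it is unpatched."""
    try:
        ipaddress.IPv4Address("010.8.8.8")
    except ValueError:  # AddressValueError is a ValueError subclass
        return False
    return True


def is_allowed(client: str, allowlist) -> bool:
    """Allowlist check: an address that cannot be parsed strictly is denied, never guessed."""
    try:
        addr = parse_ipv4_strict(client)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(net) for net in allowlist)


if __name__ == "__main__":
    # Constructed inputs: a normal address and the same one written with a leading zero.
    for candidate in ("10.8.8.8", "010.8.8.8"):
        print(candidate, "allowed" if is_allowed(candidate, ["10.0.0.0/8"]) else "denied")
    print("interpreter accepts leading zeros:", interpreter_accepts_leading_zeros())
```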
CVE-2022-0391 (CVSS v3 Score: 7.5 High)
This vulnerability involved improper handling of certain inputs by Python. An attacker could potentially execute arbitrary code through this flaw. It only affected the Ubuntu 14.04 and Ubuntu 18.04 releases.
CVE-2023-24329 (CVSS v3 Score: 7.5 High)
Another vulnerability was found involving Python's mishandling of certain inputs. If a user or automated system processed a specially crafted input, a remote attacker could exploit this vulnerability to cause a denial of service. This vulnerability impacted Ubuntu 14.04, Ubuntu 18.04, and Ubuntu 22.04 LTS.
CVE-2022-48565 (CVSS v3 Score: 9.8 Critical)
This vulnerability was caused by improper handling of XML entity declarations in plist files by Python. An attacker could use this flaw to perform an XML External Entity (XXE) injection, leading to denial of service or information disclosure. This issue only affected Ubuntu 14.04 and Ubuntu 18.04.
CVE-2023-6597 (CVSS v3 Score: 7.8 High)
This vulnerability involved Python’s incorrect handling of symlinks in temporary files. An attacker could exploit this issue to modify file permissions. This flaw affected Ubuntu 18.04, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 23.10.
To learn about other Python vulnerabilities that have been fixed, please refer to this Ubuntu Security Notice.
Protecting Your Ubuntu Systems
Given the severity of these vulnerabilities, it is crucial to update your Python installation to the latest patched version promptly. Failing to update can leave your system exposed to potential exploitation, compromising its security. For supported Ubuntu releases, you can update the Python package using the apt package manager.
For Ubuntu systems that have reached end of life, security updates are only available through an Ubuntu Pro subscription. However, TuxCare’s Extended Lifecycle Support (ELS) offers an affordable alternative. It provides five additional years of security patching for Ubuntu 16.04 and 18.04 beyond their end-of-life dates. ELS covers the Linux kernel, common shared libraries (such as glibc and OpenSSL), programming languages including Python and PHP, and various other packages.
You can find a list of packages supported by Extended Lifecycle Support on this page. Additionally, you can track the release status of patches for vulnerabilities across different Ubuntu releases using our CVE tracker.
By staying informed and ensuring your software is up-to-date, you can help protect your systems from critical vulnerabilities and maintain a more secure computing environment.
Source: USN-6891-1