|Related CVEs||CVE-2013-1753 CVE-2016-1000110 CVE-2019-16935 CVE-2019-18348 CVE-2020-8492 CVE-2020-14422|
Several issues were discovered in Python 3.4, an interactive high-level object-oriented language, that allow an attacker to cause denial of service, trafic redirection, header injection and cross-site scripting.
The gzip_decode function in the xmlrpc client library allows remote attackers to cause a denial of service (memory consumption) via a crafted HTTP request.
The CGIHandler class does not protect against the HTTP_PROXY variable name clash in a CGI script, which could allow a remote attacker to redirect HTTP requests.
In urllib2, CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the host component of a URL) followed by an HTTP header.
Python allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.
Lib/ipaddress.py improperly computes hash values in the IPv4Interface and IPv6Interface classes, which might allow a remote attacker to cause a denial of service if an application is affected by the performance of a dictionary containing IPv4Interface or IPv6Interface objects, and this attacker can cause many dictionary entries to be created.
For Debian 8 jessie, these problems have been fixed in version 3.4.2-1+deb8u8.
We recommend that you upgrade your python3.4 packages.
Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/