Related CVEs: CVE-2021-3426, CVE-2021-3733, CVE-2021-3737
Three vulnerabilities were found in src:python3.4, the Python 3.4 interpreter. They are as follows:
CVE-2021-3426: Running `pydoc -p` starts a local documentation web server whose `/getfile?key=<path>` URL returns the contents of any file the pydoc process can read, so other local users can extract arbitrary files from the filesystem. The fix removes the "getfile" feature of the pydoc module entirely, since it could be abused to read arbitrary files on disk (directory traversal vulnerability).
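A check for the first issue, added here as an example that is not code from the advisory or from the python3.4 package: the fix deleted the `elif url.startswith('getfile?'):` branch from the `pydoc -p` request dispatcher (`pydoc._url_handler`, upstream bpo-42988), so an interpreter whose dispatcher still contains that branch still serves `/getfile?key=<path>`. The branch text is the one that appeared upstream; that the Debian package carried the same text is an assumption, and the helper names are the editor's.

```python
import inspect
import pydoc
import re
import sys

# The request dispatcher behind `pydoc -p` is pydoc._url_handler. Before the
# CVE-2021-3426 fix it contained a branch of the form
#     elif url.startswith('getfile?'):
# which handed the key= parameter to a getfile() helper that read the named
# file. The fix deleted both the branch and the helper, so the presence of
# the branch is what we look for. (Assumption: the Debian package carried the
# same source text as upstream.)
GETFILE_BRANCH = re.compile(r"""startswith\(\s*['"]getfile\?['"]\s*\)""")


def url_handler_source():
    """Source text of the `pydoc -p` request dispatcher in this interpreter."""
    return inspect.getsource(pydoc._url_handler)


def has_getfile_handler(source=None):
    """True if the dispatcher still routes /getfile?key=<path> requests,
    i.e. this interpreter lacks the CVE-2021-3426 fix.

    `source` may be passed explicitly (e.g. the text of another Python's
    pydoc.py); by default the running interpreter is inspected."""
    if source is None:
        source = url_handler_source()
    return GETFILE_BRANCH.search(source) is not None


if __name__ == "__main__":
    if has_getfile_handler():
        verdict = "PRESENT: /getfile?key=<path> is served (unfixed)"
    else:
        verdict = "absent (fixed)"
    print("Python %s: pydoc getfile handler %s" % (sys.version.split()[0], verdict))
```

On jessie the authoritative check remains the package version (3.4.2-1+deb8u11 or later); the source inspection is useful for interpreters installed outside the package system, or to confirm a rebuilt package actually dropped the feature.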
CVE-2021-3733: The regular expression that urllib.request's AbstractBasicAuthHandler uses to parse WWW-Authenticate challenges has quadratic worst-case complexity, so a crafted header that violates the RFC format causes a regular expression denial of service (ReDoS) while it is being matched. This issue is on the client side: a remote attacker has to control the HTTP server the client connects to.
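The two patterns side by side, as an added example that is not code from the advisory or from the python3.4 package: the AbstractBasicAuthHandler regex as it appeared upstream before and after the fix (bpo-43075), a benign challenge that both parse identically, and a constructed comma-only challenge that only the old pattern chokes on. The `parse_challenge`, `timed_search` and `crafted_challenge` helpers and the payload are the editor's constructions.

```python
import re
import time

# Regex used by urllib.request.AbstractBasicAuthHandler to pull the scheme and
# realm out of a WWW-Authenticate header before the CVE-2021-3733 fix. The
# leading (?:.*,)* nests an unbounded .* inside a repeated group, so on a
# header full of commas with no usable realm= the engine retries every way of
# splitting the commas before it gives up.
VULNERABLE_RX = re.compile(r'(?:.*,)*[ \t]*([^ \t]+)[ \t]+'
                           r'realm=(["\']?)([^"\']*)\2', re.I)

# Regex after the fix: a challenge must start at the beginning of the header
# or directly after a single comma, and the scheme may not contain commas, so
# no nested quantifier remains and matching is linear in the header length.
FIXED_RX = re.compile(r'(?:^|,)[ \t]*([^ \t,]+)[ \t]+'
                      r'realm=(["\']?)([^"\']*)\2', re.I)


def parse_challenge(header, rx):
    """Return (scheme, realm) the way the handler would, or None."""
    mo = rx.search(header)
    if mo is None:
        return None
    scheme, _quote, realm = mo.groups()
    return scheme, realm


def timed_search(rx, header):
    """Wall-clock seconds one search takes, to compare the two patterns."""
    start = time.perf_counter()
    rx.search(header)
    return time.perf_counter() - start


def crafted_challenge(commas):
    """Constructed attacker-controlled header value: only comma separators
    and no parsable realm, the shape that makes the old pattern backtrack."""
    return "," * commas


if __name__ == "__main__":
    benign = 'Basic realm="WallyWorld"'
    print("benign, old pattern:", parse_challenge(benign, VULNERABLE_RX))
    print("benign, new pattern:", parse_challenge(benign, FIXED_RX))
    # Keep the count small: the old pattern's cost climbs steeply with every
    # extra comma, and a real header may be tens of kilobytes long.
    evil = crafted_challenge(20)
    print("old pattern, 20 commas: %.3fs" % timed_search(VULNERABLE_RX, evil))
    print("new pattern, 20 commas: %.6fs" % timed_search(FIXED_RX, evil))
    print("new pattern, 50000 commas: %.3fs"
          % timed_search(FIXED_RX, crafted_challenge(50000)))
```

Raise the comma count only in small steps when experimenting with the old pattern. One side effect of the new pattern worth knowing when several challenges share a header: the old one reported the last challenge carrying a realm (its own source comment said so), while the anchored one reports the first.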
CVE-2021-3737: http.client can get stuck reading forever after it receives a '100 Continue' HTTP response, because it discards that response's header lines one by one until a blank line arrives and only checks that each line stays under the 64 KiB line limit; a server that keeps sending short header lines and never the terminating blank line is read indefinitely. This could lead to the client being a bandwidth sink for anyone in control of a server.
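The failure mode above, as an added example that is not code from the advisory or from the python3.4 package: it reproduces the skip loop that http.client's HTTPResponse.begin() ran after a 100 Continue before the fix, and the `_read_headers` helper with its header-count cap that the fix introduced (upstream bpo-44022), and feeds both a constructed endless server stream. The `HTTPException` stand-in, the `EndlessHeaderStream` class and the byte budget that stops the old loop are constructed for the demonstration.

```python
import io

_MAXLINE = 65536    # http.client's cap on one header line (present before the fix)
_MAXHEADERS = 100   # http.client's cap on header count, applied to this loop by the fix


class HTTPException(Exception):
    """Stand-in for http.client.HTTPException."""


class EndlessHeaderStream:
    """Constructed stand-in for the socket file of a malicious server: after
    its '100 Continue' status line it emits short header lines forever and
    never the blank line that ends a header block."""

    def __init__(self, line=b"X-Pad: a\r\n"):
        self.line = line
        self.lines_read = 0
        self.bytes_read = 0

    def readline(self, limit=-1):
        self.lines_read += 1
        self.bytes_read += len(self.line)
        return self.line


def skip_continue_headers_unfixed(fp, budget):
    """The pre-fix loop http.client ran after a 100 Continue: only the line
    length is checked, so the loop ends only when a blank line or EOF
    arrives. `budget` is a constructed byte cap so this demonstration stops;
    the real client kept reading as long as the server kept sending."""
    consumed = 0
    while True:
        skip = fp.readline(_MAXLINE + 1)
        if len(skip) > _MAXLINE:
            raise HTTPException("header line too long")
        consumed += len(skip)
        if consumed > budget:
            raise RuntimeError("still reading after %d bytes" % consumed)
        if not skip.strip():       # blank line (or EOF) ends the skip
            break
    return consumed


def skip_continue_headers_fixed(fp):
    """The loop after the fix: the same length check plus a cap on the
    number of lines, so an endless header stream raises instead of being
    swallowed."""
    headers = []
    while True:
        line = fp.readline(_MAXLINE + 1)
        if len(line) > _MAXLINE:
            raise HTTPException("header line too long")
        headers.append(line)
        if len(headers) > _MAXHEADERS:
            raise HTTPException("got more than %d headers" % _MAXHEADERS)
        if line in (b"\r\n", b"\n", b""):
            break
    return headers


def honest_continue_headers():
    """Fixed loop on a constructed well-behaved 100 Continue: one header line,
    then the blank line; the client moves on to the real response."""
    return skip_continue_headers_fixed(io.BytesIO(b"X-Note: ok\r\n\r\n"))


def bytes_swallowed_unfixed(budget=1 << 20):
    """How much of the endless stream the old loop reads before the
    constructed budget stops it (in practice: until the server stops)."""
    fp = EndlessHeaderStream()
    try:
        skip_continue_headers_unfixed(fp, budget)
    except RuntimeError:
        pass
    return fp.bytes_read


def lines_before_reject_fixed():
    """Number of lines the fixed loop reads before rejecting the stream."""
    fp = EndlessHeaderStream()
    try:
        skip_continue_headers_fixed(fp)
    except HTTPException:
        return fp.lines_read
    return None


if __name__ == "__main__":
    print("honest 100 Continue, fixed loop:", honest_continue_headers())
    print("unfixed loop swallowed %d bytes of padding before the budget cut it off"
          % bytes_swallowed_unfixed())
    print("fixed loop gave up after %d lines" % lines_before_reject_fixed())
```

Note that the old loop did stop on EOF, so a server that simply closed the connection caused no harm; the attack needs a server that keeps the stream open and flowing, which is exactly the bandwidth-sink scenario the advisory describes.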
For Debian 8 jessie, these problems have been fixed in version 3.4.2-1+deb8u11.
We recommend that you upgrade your python3.4 packages.
Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/