===========================================================================
                       ZMCIRT Vulnerability Bulletin
                            ZMC-2021.11.5.0800
      python3.5: Denial of service - Remote with user interaction
                            5th November 2021
===========================================================================

Product:           python3.5
Publisher:         Debian
Operating System:  Debian GNU/Linux
Impact/Access:     Denial of Service -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-3737 CVE-2021-3733
Reference:         ESB-2021.3659
                   ESB-2021.3589
                   ESB-2021.3138

Original Bulletin:
   http://www.debian.org/lts/security/2021/dla-2808

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- - -----------------------------------------------------------------------
Debian LTS Advisory DLA-2808-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                       Utkarsh Gupta
November 05, 2021                             https://wiki.debian.org/LTS
- - -----------------------------------------------------------------------

Package        : python3.5
Version        : 3.5.3-1+deb9u5
CVE ID         : CVE-2021-3733 CVE-2021-3737

There were a couple of vulnerabilities found in src:python3.5, the
Python interpreter v3.5, and they are as follows:

CVE-2021-3733

    The ReDoS-vulnerable regex has quadratic worst-case complexity and
    allows causing a denial of service when identifying crafted invalid
    RFCs. This ReDoS issue is on the client side and needs remote
    attackers to control the HTTP server.

CVE-2021-3737

    HTTP client can get stuck infinitely reading len(line) < 64k lines
    after receiving a '100 Continue' HTTP response. This could lead to
    the client being a bandwidth sink for anyone in control of a server.

For Debian 9 stretch, these problems have been fixed in version
3.5.3-1+deb9u5.

We recommend that you upgrade your python3.5 packages.
For the detailed security status of python3.5 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python3.5

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- --------------------------END INCLUDED TEXT--------------------

ZMCIRT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation.

The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures.

ZMCIRT takes no responsibility for consequences which may arise from
following or acting on information or advice contained in this security
bulletin.

===========================================================================
Internet Email: report@cirt.zm
Telephone:      7070
ZMCIRT personnel answer during Zambian business hours which are 8am to
5pm. On call after hours for member emergencies only.
===========================================================================
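The following is an added illustration of the CVE-2021-3737 failure mode described above and of the kind of bound that removes it. It is example code written for this bulletin; it is not code from the Debian advisory, from the python3.5 package or from CPython's http.client. The unbounded form of the header-skipping loop (read lines until a blank one, with no counter) is what lets a server that answers '100 Continue' and then streams short header lines forever keep the client reading indefinitely. The version below caps the number of discarded header lines per interim response and the number of interim responses before the final status; the two cap values, the function names and the `EndlessContinueStream` test double are assumptions made for this example.

```python
import io
from http import HTTPStatus

# Both caps are assumptions of this example, not values taken from the
# advisory or from CPython.
MAX_SKIPPED_HEADER_LINES = 100   # header lines tolerated per interim response
MAX_INTERIM_RESPONSES = 10       # 1xx responses tolerated before the final one
MAXLINE = 65536                  # per-line cap; the "64k" the advisory mentions


class UnboundedInterimResponse(Exception):
    """The server keeps sending interim-response data instead of a final status."""


def _read_status(fp):
    """Parse one status line, e.g. b'HTTP/1.1 100 Continue\\r\\n'."""
    line = fp.readline(MAXLINE + 1)
    if len(line) > MAXLINE:
        raise ValueError("status line too long")
    if not line:
        raise ConnectionError("connection closed before a status line arrived")
    parts = line.decode("iso-8859-1").split(None, 2)
    if len(parts) < 2:
        raise ValueError("malformed status line: %r" % line)
    reason = parts[2].strip() if len(parts) == 3 else ""
    return parts[0], int(parts[1]), reason


def _skip_headers_bounded(fp):
    """Discard header lines up to the blank line that ends the block.

    The unbounded form of this loop (readline() until an empty line, with
    no count) is what let a server feed the client short header lines
    forever. Returns the number of lines discarded.
    """
    count = 0
    while True:
        line = fp.readline(MAXLINE + 1)
        if len(line) > MAXLINE:
            raise ValueError("header line too long")
        if line in (b"\r\n", b"\n", b""):
            return count
        count += 1
        if count > MAX_SKIPPED_HEADER_LINES:
            raise UnboundedInterimResponse(
                "more than %d header lines in a 1xx response"
                % MAX_SKIPPED_HEADER_LINES)


def read_final_status(fp):
    """Return (version, status, reason) of the first non-'100 Continue' response."""
    interim = 0
    while True:
        version, status, reason = _read_status(fp)
        if status != HTTPStatus.CONTINUE:
            return version, status, reason
        interim += 1
        if interim > MAX_INTERIM_RESPONSES:
            raise UnboundedInterimResponse(
                "more than %d interim responses" % MAX_INTERIM_RESPONSES)
        _skip_headers_bounded(fp)


class EndlessContinueStream:
    """Constructed stand-in for a misbehaving server: one '100 Continue'
    status line followed by short header lines that never end."""

    def __init__(self):
        self._sent_status = False

    def readline(self, limit=-1):
        if not self._sent_status:
            self._sent_status = True
            return b"HTTP/1.1 100 Continue\r\n"
        return b"X-Filler: a\r\n"


def demo_well_behaved():
    """A normal exchange (constructed bytes): one interim response, then a real 200."""
    raw = (b"HTTP/1.1 100 Continue\r\n\r\n"
           b"HTTP/1.1 200 OK\r\n"
           b"Content-Length: 0\r\n\r\n")
    return read_final_status(io.BytesIO(raw))


def demo_endless_continue():
    """Outcome of the bounded reader against the never-ending interim response."""
    try:
        read_final_status(EndlessContinueStream())
    except UnboundedInterimResponse:
        return "stopped"
    return "finished"


if __name__ == "__main__":
    print(demo_well_behaved())        # ('HTTP/1.1', 200, 'OK')
    print(demo_endless_continue())    # stopped
```

On a patched interpreter the fix lives inside http.client itself, so the upgrade to 3.5.3-1+deb9u5 is the remedy; the snippet only makes visible why a per-line length cap alone is not enough when the number of lines is unbounded.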
Copyright @2023 ZAMBIA CIRT