[Buildroot] [PATCH] package/python3: add upstream security fix for CVE-2022-45061
Peter Korsgaard
peter at korsgaard.com
Sat Nov 26 18:42:39 UTC 2022
>>>>> "Peter" == Peter Korsgaard <peter at korsgaard.com> writes:
>>>>> "Peter" == Peter Korsgaard <peter at korsgaard.com> writes:
>> Fixes the following security issue:
>> CVE-2022-45061: An issue was discovered in Python before 3.11.1. An
>> unnecessary quadratic algorithm exists in one path when processing some
>> inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably
>> long name being presented to the decoder could lead to a CPU denial of
>> service. Hostnames are often supplied by remote servers that could be
>> controlled by a malicious actor; in such a scenario, they could trigger
>> excessive CPU consumption on the client attempting to make use of an
>> attacker-supplied supposed hostname. For example, the attack payload could
>> be placed in the Location header of an HTTP response with status code 302.
>> Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
> Committed, thanks.
Committed to 2022.08.x and 2022.02.x, thanks.
--
Bye, Peter Korsgaard
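
An added example, not part of the original message or of the upstream patch: a client-side guard that bounds a redirect hostname to the DNS limits (253 characters overall, 63 per label) before it reaches Python's `idna` codec, so an unreasonably long name from a `Location` header is rejected cheaply. The names `redirect_host`, `check_hostname_bounds` and `HostnameRejected` are hypothetical.

```python
from urllib.parse import urlsplit

MAX_HOSTNAME_LEN = 253  # DNS limit for a full name in presentation form
MAX_LABEL_LEN = 63      # DNS limit for a single label (RFC 1035)


class HostnameRejected(ValueError):
    """Raised when a hostname is refused before or during IDNA processing."""


def check_hostname_bounds(host):
    """Cheap, linear-time length checks done before any IDNA work."""
    if not host:
        raise HostnameRejected("no hostname present")
    if len(host) > MAX_HOSTNAME_LEN:
        raise HostnameRejected("hostname longer than %d characters" % MAX_HOSTNAME_LEN)
    # A single trailing dot (fully qualified form) is allowed.
    name = host[:-1] if host.endswith(".") else host
    for label in name.split("."):
        if not label or len(label) > MAX_LABEL_LEN:
            raise HostnameRejected("empty or over-long label")
    return host


def redirect_host(location):
    """Return the Unicode hostname of a Location header value, or raise."""
    host = urlsplit(location).hostname
    check_hostname_bounds(host)
    try:
        # Only bounded input reaches the idna codec.
        return host.encode("idna").decode("idna")
    except UnicodeError as exc:
        raise HostnameRejected("not a valid IDNA hostname") from exc


if __name__ == "__main__":
    # Constructed sample Location values, not taken from any real response.
    samples = [
        "https://www.example.com/next",
        "http://xn--bcher-kva.example/path",
        "http://" + "a" * 5000 + ".example/",
    ]
    for value in samples:
        try:
            print(redirect_host(value))
        except HostnameRejected as err:
            print("rejected:", err)
```
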