FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

Python -- Regular Expression DoS attack against client

Affected packages
python38 < 3.8.3
python37 < 3.7.7
python36 < 3.6.11
python35 < 3.5.10
python27 < 2.7.18

Details

VuXML ID a27b0bb6-84fc-11ea-b5b4-641c67a117d8
Discovery 2019-11-17
Entry 2020-04-23

Ben Caller and Matt Schwager report:

Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.

References

CVE Name CVE-2020-8492
FreeBSD PR ports/245819
URL https://bugs.python.org/issue39503
URL https://python-security.readthedocs.io/vuln/urllib-basic-auth-regex.html