Friday, March 5, 2021
  • Setup menu at Appearance » Menus and assign menu to Top Bar Navigation
Advertisement
  • AI Development
    • Artificial Intelligence
    • Machine Learning
    • Neural Networks
    • Learn to Code
  • Data
    • Blockchain
    • Big Data
    • Data Science
  • IT Security
    • Internet Privacy
    • Internet Security
  • Marketing
    • Digital Marketing
    • Marketing Technology
  • Technology Companies
  • Crypto News
No Result
View All Result
NikolaNews
  • AI Development
    • Artificial Intelligence
    • Machine Learning
    • Neural Networks
    • Learn to Code
  • Data
    • Blockchain
    • Big Data
    • Data Science
  • IT Security
    • Internet Privacy
    • Internet Security
  • Marketing
    • Digital Marketing
    • Marketing Technology
  • Technology Companies
  • Crypto News
No Result
View All Result
NikolaNews
No Result
View All Result
Home Internet Security

Python programming language hurries out update to tackle remote code vulnerability

February 22, 2021
in Internet Security
Python programming language hurries out update to tackle remote code vulnerability
585
SHARES
3.3k
VIEWS
Share on FacebookShare on Twitter

The Python Software Foundation (PSF) has rushed out Python 3.9.2 and 3.8.8 to address two notable security flaws, including one that is remotely exploitable but in practical terms can only be used to knock a machine offline. 

PSF is urging its legion of Python users to upgrade systems to Python 3.8.8 or 3.9.2, in particular to address the remote code execution (RCE) vulnerability that’s tracked as CVE-2021-3177. 

You might also like

FTC joins 38 states in takedown of massive charity robocall operation

Accellion zero-day claims a new victim in cybersecurity company Qualys

GAO report finds DOD’s weapons programs lack clear cybersecurity guidelines

The project expedited the release after receiving unexpected pressure from some users who were concerned over the security flaw. 

SEE: Hiring Kit: Python developer (TechRepublic Premium)

“Since the announcement of the release candidates for 3.9.2 on 3.8.8, we received a number of inquiries from end users urging us to expedite the final releases due to the security content, especially CVE-2021-3177,” said the Python release team.

“This took us somewhat by surprise since we believed security content is cherry-picked by downstream distributors from source either way, and the RC releases provide installers for everybody else interested in upgrading in the meantime,” PSF said.

“It turns out that release candidates are mostly invisible to the community and in many cases cannot be used due to upgrade processes which users have in place.”

Python 3.x through to 3.9.1 has a buffer overflow in PyCArg_repr in ctypes/callproc.c, which may lead to remote code execution. 

It affects Python applications that “accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param.”

The bug occurs because “sprintf” is used unsafely. The impact is broad because Python is pre-installed with multiple Linux distributions and Windows 10.  

Various Linux distributions, such as Debian, have been backporting the security patches to ensure the built-in versions of Python are shielded. 

The vulnerability is a common memory flaw. Per RedHat, a stack-based buffer overflow in Python’s ctypes module improperly validated the input passed to it, “which would allow an attacker to overflow a buffer on the stack and crash the application.”

SEE: Developer: Rust programming language is being used for bigger projects

While a remote code execution vulnerability is bad news, RedHat notes that the “highest threat from this vulnerability is to system availability.” In other words, an attacker would likely only be able to pull off a denial of service attack.  

“Our understanding is that while the CVE is listed as “remote code execution”, practical exploits of this vulnerability as such are very unlikely due the following conditions needing to be met for successful RCE,” said the PSF. 

“To be sure, denial of service through malicious input is also a serious issue. Thus, to help the community members for whom the release candidate was insufficient, we are releasing the final versions of 3.9.2 and 3.8.8 today,” the organization added. 

The other flaw is tracked as CVE-2021-23336 and concerns a web cache poisoning vulnerability by “defaulting the query args separator to &, and allowing the user to choose a custom separator.” 

Credit: Zdnet

Previous Post

Chinese Hackers Had Access to a U.S. Hacking Tool Years Before It Was Leaked Online

Next Post

Messaging channels are surging: Monday's daily brief

Related Posts

FTC joins 38 states in takedown of massive charity robocall operation
Internet Security

FTC joins 38 states in takedown of massive charity robocall operation

March 5, 2021
Accellion zero-day claims a new victim in cybersecurity company Qualys
Internet Security

Accellion zero-day claims a new victim in cybersecurity company Qualys

March 5, 2021
GAO report finds DOD’s weapons programs lack clear cybersecurity guidelines
Internet Security

GAO report finds DOD’s weapons programs lack clear cybersecurity guidelines

March 5, 2021
With its acquisition of Auth0, Okta goes all in on CIAM
Internet Security

With its acquisition of Auth0, Okta goes all in on CIAM

March 5, 2021
Singapore Airlines frequent flyer members hit in third-party data security breach
Internet Security

Singapore Airlines frequent flyer members hit in third-party data security breach

March 5, 2021
Next Post
Messaging channels are surging: Monday’s daily brief

Messaging channels are surging: Monday's daily brief

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Recommended

Plasticity in Deep Learning: Dynamic Adaptations for AI Self-Driving Cars

Plasticity in Deep Learning: Dynamic Adaptations for AI Self-Driving Cars

January 6, 2019
Microsoft, Google Use Artificial Intelligence to Fight Hackers

Microsoft, Google Use Artificial Intelligence to Fight Hackers

January 6, 2019

Categories

  • Artificial Intelligence
  • Big Data
  • Blockchain
  • Crypto News
  • Data Science
  • Digital Marketing
  • Internet Privacy
  • Internet Security
  • Learn to Code
  • Machine Learning
  • Marketing Technology
  • Neural Networks
  • Technology Companies

Don't miss it

FTC joins 38 states in takedown of massive charity robocall operation
Internet Security

FTC joins 38 states in takedown of massive charity robocall operation

March 5, 2021
Google Cloud Certifications — Get Prep Courses and Practice Tests at 95% Discount
Internet Privacy

Google Cloud Certifications — Get Prep Courses and Practice Tests at 95% Discount

March 5, 2021
Three Finalists Selected in $4.5 Million Watson AI XPrize Competition  
Artificial Intelligence

Three Finalists Selected in $4.5 Million Watson AI XPrize Competition  

March 5, 2021
How to Boost Machine Learning in Healthcare Market Compound Annual Growth Rate (CAGR)? – KSU
Machine Learning

How to Boost Machine Learning in Healthcare Market Compound Annual Growth Rate (CAGR)? – KSU

March 5, 2021
Accellion zero-day claims a new victim in cybersecurity company Qualys
Internet Security

Accellion zero-day claims a new victim in cybersecurity company Qualys

March 5, 2021
How to Meet the Enterprise-Grade Challenge of Scaling AI 
Artificial Intelligence

How to Meet the Enterprise-Grade Challenge of Scaling AI 

March 5, 2021
NikolaNews

NikolaNews.com is an online News Portal which aims to share news about blockchain, AI, Big Data, and Data Privacy and more!

What’s New Here?

  • FTC joins 38 states in takedown of massive charity robocall operation March 5, 2021
  • Google Cloud Certifications — Get Prep Courses and Practice Tests at 95% Discount March 5, 2021
  • Three Finalists Selected in $4.5 Million Watson AI XPrize Competition   March 5, 2021
  • How to Boost Machine Learning in Healthcare Market Compound Annual Growth Rate (CAGR)? – KSU March 5, 2021

Subscribe to get more!

© 2019 NikolaNews.com - Global Tech Updates

No Result
View All Result
  • AI Development
    • Artificial Intelligence
    • Machine Learning
    • Neural Networks
    • Learn to Code
  • Data
    • Blockchain
    • Big Data
    • Data Science
  • IT Security
    • Internet Privacy
    • Internet Security
  • Marketing
    • Digital Marketing
    • Marketing Technology
  • Technology Companies
  • Crypto News

© 2019 NikolaNews.com - Global Tech Updates