Bug 2044615 (CVE-2021-46823)
Summary: | CVE-2021-46823 python-ldap: Regular expression denial of service in LDAP schema parser | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Pedro Sampaio <psampaio> |
Component: | vulnerability | Assignee: | Nobody <nobody> |
Status: | NEW --- | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | abokovoy, adudiak, apevec, aviso, bcoca, bdettelb, caillon+fedoraproject, cheimes, cmeyers, davidn, dbecker, gblomqui, jcammara, jhardy, jjoyce, jobarker, jschluet, karlthered, lhh, lpeer, mabashia, mburns, m.cyprian, notting, osapryki, python-sig, relrod, rhos-maint, rpetrell, rstrode, sandmann, sclewis, sdoran, slinaber, smcdonal, spichugi, stcannon, tfister, tkuratom, vanmeeuwen+fedora |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | python-ldap 3.4.0 | Doc Type: | If docs needed, set a value |
Doc Text: |
A flaw was found in python-ldap. The vulnerability occurs due to a regular expression and leads to a denial of service attack. This flaw allows an attacker to parse LDAP schema definitions from an untrusted source, leading to a crash or code execution.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | Type: | --- | |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 2046511, 2046512, 2051813, 2051814, 2051815, 2051816, 2051817, 2051819 | ||
Bug Blocks: | 2044617 |
Description
Pedro Sampaio
2022-01-24 20:09:09 UTC
while flaw is present in AAP and Ansible Tower, and can be corrected by upgrading to python-ldap 3.4, issue is mitigated due to current input sanitization that occurs in the code. Upstream commits: https://github.com/python-ldap/python-ldap/pull/444/commits Created python-ldap tracking bugs for this issue: Affects: fedora-all [bug 2051816] Created python-ldap3 tracking bugs for this issue: Affects: epel-all [bug 2051817] Affects: fedora-all [bug 2051815] Affects: openstack-rdo [bug 2051813] Why are there bugs against python-ldap3 if the bug is in a different package, python-ldap? They are different projects that do not share a codebase. marking Services notaffected per ./static/#/flaw/2044615#comment3 |