The ReDoS-vulnerable regex has quadratic worst-case complexity and allows causing a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client side and needs remote attackers to control the HTTP server.

References:
https://bugs.python.org/issue43075
https://github.com/python/cpython/pull/24391
Flaw summary: Class AbstractBasicAuthHandler in Python's Lib/urllib/request.py uses a regex pattern `([^ \t]+)` in handling of the HTTP Basic Access Authentication Scheme [1]. This pattern allows for a quadratic time complexity ReDoS to occur when a crafted payload is processed. This flaw is similar to BZ#1809065 but the underlying cause is different; the portion of the regex that creates the flaw is different, and the triggering payload is different.

1. https://datatracker.ietf.org/doc/html/rfc2617#section-2
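The following is an added example, not code from the bug report or from CPython, that puts the pre-fix scheme pattern `([^ \t]+)` beside a narrowed form `([^ \t,]+)` (my reconstruction of the change in the linked PR; check the PR diff for the exact upstream pattern) and wraps the parse in a length cap. The header value, `MAX_HEADER_LEN` and the function names are my own constructions; the surrounding `realm=` parsing mirrors the shape of the urllib pattern described above.

```python
import re

# Pattern shape used by AbstractBasicAuthHandler before the fix. The scheme
# group [^ \t]+ may also swallow commas, so on a challenge list that never
# reaches "realm=" the engine retries overlapping slices of the input.
VULNERABLE_RX = re.compile(
    r'(?:^|,)[ \t]*([^ \t]+)[ \t]+realm=(["\']?)([^"\']*)\2', re.I)

# Narrowed pattern: excluding ',' from the scheme token keeps each
# comma-separated challenge to a single scan. (My reconstruction of the
# upstream fix; verify against the linked pull request.)
HARDENED_RX = re.compile(
    r'(?:^|,)[ \t]*([^ \t,]+)[ \t]+realm=(["\']?)([^"\']*)\2', re.I)

# Assumption: a defensive cap on header length chosen for this example.
# It bounds the work any pattern can do, regardless of its complexity class.
MAX_HEADER_LEN = 4096


def header_within_limit(header, max_len=MAX_HEADER_LEN):
    """True if the header is short enough to hand to the regex at all."""
    return len(header) <= max_len


def parse_challenges(header, rx=HARDENED_RX, max_len=MAX_HEADER_LEN):
    """Return [(scheme, realm), ...] parsed from a WWW-Authenticate value.

    The length check runs before the regex so an oversized header is
    rejected in O(1) instead of being fed to a backtracking matcher.
    """
    if not header_within_limit(header, max_len):
        raise ValueError("authentication header exceeds %d bytes" % max_len)
    # findall returns (scheme, quote, realm) per match; the quote group is
    # only there so the backreference \2 can close the realm.
    return [(scheme.lower(), realm) for scheme, _quote, realm in rx.findall(header)]


if __name__ == "__main__":
    # Constructed sample header with one quoted and one bare realm.
    sample = 'Basic realm="Cluster", Digest realm=api'
    print(parse_challenges(sample))                   # hardened pattern
    print(parse_challenges(sample, rx=VULNERABLE_RX))  # same result on valid input
```

On well-formed input both patterns produce identical challenge lists, which is the property a fix like this has to preserve; the difference only shows in how much work the matcher does on input that never satisfies the pattern, and the length cap is the belt-and-braces control for code that cannot yet take the patched interpreter.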
Created mingw-python3 tracking bugs for this issue:
Affects: fedora-all [bug 2000683]

Created python2.7 tracking bugs for this issue:
Affects: fedora-all [bug 2000681]

Created python3.5 tracking bugs for this issue:
Affects: fedora-all [bug 2000685]

Created python3.6 tracking bugs for this issue:
Affects: fedora-all [bug 2000686]

Created python3.7 tracking bugs for this issue:
Affects: fedora-all [bug 2000687]

Created python3.8 tracking bugs for this issue:
Affects: fedora-all [bug 2000684]

Created python3.9 tracking bugs for this issue:
Affects: fedora-all [bug 2000688]

Created python34 tracking bugs for this issue:
Affects: epel-7 [bug 2000682]
Todd, what is the purpose of opening the Fedora bugzillas when we already have the fixed versions?
In reply to comment #10:
> Todd, what is the purpose of opening the Fedora bugzillas when we already
> have the fixed versions?

We usually open them mostly for tracking purposes AFAIK. Typically they are opened immediately when each flaw is filed, but in this case, they didn't get opened right away. Sorry for the delay there - had to work out a kink with the PSModules for Fedora with the Incoming team.
> We usually open them mostly for tracking purposes AFAIK.

Do you know who requires this tracking, and why? If they're really necessary, can you close them after opening?
This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2021:4057 https://access.redhat.com/errata/RHSA-2021:4057
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-3733
This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2021:4160 https://access.redhat.com/errata/RHSA-2021:4160
This issue has been addressed in the following products:

Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2022:1663 https://access.redhat.com/errata/RHSA-2022:1663
This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2022:1764 https://access.redhat.com/errata/RHSA-2022:1764
This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2022:1821 https://access.redhat.com/errata/RHSA-2022:1821