Saturday, June 12, 2021

Python release quick updates to Fix remote code vulnerabilities



The Python Software Foundation (PSF) has rushed out Python 3.9.2 and 3.8.8 to address two significant security flaws, including one that is rated as remotely exploitable but which, under realistic conditions, appears usable only to knock a machine offline.

The PSF urges its legion of Python users to upgrade their systems to Python 3.8.8 or 3.9.2, mainly to deal with the remote code execution (RCE) vulnerability tracked as CVE-2021-3177.

The project expedited the release after receiving unexpected pressure from users concerned about the security flaw.

“Since the announcement of the releases of 3.9.2 and 3.8.8, we have received many questions from end users who urge us to speed up the final release due to the security content, especially CVE-2021-3177,” the Python release team said.

“This came as a surprise to us because we believed that the security content was picked up by downstream distributors from source in any case, and the RC releases provide for those who are interested in development at the moment,” the PSF said.

“It turns out that the release candidate option is not publicly visible and in most cases cannot be used due to the processes that users have in place.”

Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in ctypes/callproc.c, which can lead to remote code execution.

It affects Python programs “that accept floating point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param.”

The bug occurs because sprintf is used unsafely. The impact is broad because Python comes pre-installed on most Linux distributions and on Windows 10.

Various Linux distributions, such as Debian, have backported the security fixes to ensure that their bundled Python versions are protected.
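As an added example (not code from the article, the PSF or any distribution), the script below applies the affected range the article states for CVE-2021-3177 (3.x through 3.9.1, fixed in 3.8.8 and 3.9.2) to a list of interpreter version strings, so an administrator can triage an inventory. The hostnames and version numbers are constructed samples; the `FIXED_IN` table assumes the two fixed releases the article names and nothing else. Because distributions such as Debian backport fixes without bumping the upstream number, an "affected" result means "check the vendor advisory", not proof of exposure.

```python
"""Added example: triage CPython version strings against the affected range
the article gives for CVE-2021-3177. Illustrative code written for this page,
not PSF code. All hostnames and version strings are constructed samples."""
import re
import sys
from typing import Optional, Tuple

# Fixed releases per minor series, as stated in the article
# (assumption: only 3.8.8 and 3.9.2 are named as fixed upstream releases).
FIXED_IN = {
    (3, 8): (3, 8, 8),
    (3, 9): (3, 9, 2),
}

# Accepts "X.Y" or "X.Y.Z"; trailing pre-release tags such as "rc1" are ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Parse a version string into (major, minor, patch); None if unparseable."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version: str) -> bool:
    """True when the *upstream* CPython version lies in the range the article
    lists as vulnerable. Vendor backports (e.g. Debian) are not visible in the
    version number, so a True result means 'verify against the vendor advisory'."""
    v = parse_version(version)
    if v is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, _ = v
    if major != 3:
        return False                      # the article scopes the bug to 3.x
    if (major, minor) in FIXED_IN:
        return v < FIXED_IN[(major, minor)]
    # Everything up to 3.9.1 is listed as affected, so series older than 3.8
    # are flagged; series newer than 3.9 post-date the fix.
    return (major, minor) < (3, 8)


def running_interpreter_affected() -> bool:
    """Apply the same check to the interpreter executing this script."""
    vi = sys.version_info
    return is_affected(f"{vi.major}.{vi.minor}.{vi.micro}")


if __name__ == "__main__":
    # Constructed sample inventory: hostname -> python3 version reported by the host.
    inventory = {
        "web-01": "3.9.1",
        "web-02": "3.9.2",
        "build-07": "3.8.7",
        "legacy-03": "3.6.9",
        "ci-runner": "3.10.0",
    }
    for host, ver in sorted(inventory.items()):
        status = "AFFECTED (verify vendor backports)" if is_affected(ver) else "ok"
        print(f"{host:<10} python {ver:<7} {status}")
    print("this interpreter:", "affected" if running_interpreter_affected() else "ok")
```

The check deliberately keys on the upstream version only; pairing its output with the distribution's security tracker (Debian, Red Hat) is what turns a flagged host into a confirmed or cleared one.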

The Python vulnerability is a classic memory-safety error. According to Red Hat, the stack-based buffer overflow is in Python’s ctypes module, which does not properly validate the input passed to it, “which would allow the attacker to overflow the stack and crash the system.”

While the prospect of remote code execution is bad news, Red Hat notes that “the highest threat to this system is access to the system.” In other words, the most an attacker is likely to achieve is a denial-of-service attack against the application.

“Our understanding is that while the CVE is listed as ‘remote code execution,’ the exploitation of this risk is not possible due to the conditions that need to be met for a successful RCE,” the PSF said.

“Certainly, denial of service using harmful inputs is also a major problem. Therefore, to help members of the community who participated in the by-elections, we are releasing the final versions of 3.9.2 and 3.8.8 today,” the organization added.

Priyanshu Vijayvargiya
Founder and Editor-in-Chief of 'Virtualattacks Inc', Priyanshu Vijayvargiya is a cybersecurity analyst, information security professional, developer, and white hat hacker.

