Thursday, September 26, 2024

[USN-7040-1] ConfigObj vulnerability

-----BEGIN PGP SIGNATURE-----

wsD5BAABCAAjFiEEcxdv4gCCE8W9nrt5a1+PL+d1/EgFAmb1rQoFAwAAAAAACgkQa1+PL+d1/EhQ
5wwAjLp0r/su7ZZ1MkKKT5XAOE+BqzIAtBYQFD80aZ6VCWeoYsgxooi0R4sANYnj05FWkYzDFEz0
u9Peu895CrildrB1b+9pJ/8fxtWcXz0YhwBomclyO9Wtb1w5PFTWeQJCvK8F3Gk3SpanRxJceBmK
Gg1uO5OnY2Yuzp50jrPnDNglqpiPXEnDB578u/zdtjDUkVtHxIMU2fciHoNkqStuBuINmsc/bbi9
YD6+xdDwszUmhf+J3wTJw88w5Uby+3Jv6LMcXv907fERUqgptahMVsKtttWusMtbig6HnMoNIWhW
wW/On0c9afA65VtF5QGQlClyDCsCrlEsIJ7DpBJPZxdpAgj3ARflNwLTAm9N45yz8yppwptS5LrB
WYYIdfuBdn5HPvflcRqyZjUl9y15f9k+FCEN412ZuK8RS95h6MJl3newWAh9BDhgemBuVngESk8H
2ycywhcDklm/XTY4OTqtijhb6y0rLErHCxWIZfUH7nAwpPXbDcGi7x8B0uXr
=14yw
-----END PGP SIGNATURE-----
==========================================================================
Ubuntu Security Notice USN-7040-1
September 26, 2024

configobj vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

ConfigObj could be made to crash if it received specially crafted input.

Software Description:
- configobj: simple but powerful config file reader and writer for Python

Details:

It was discovered that ConfigObj contains regex that is susceptible to
catastrophic backtracking. An attacker could possibly use this issue to
cause a regular expression denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS
  python3-configobj               5.0.6-5ubuntu0.1

Ubuntu 20.04 LTS
  python3-configobj               5.0.6-4ubuntu0.1

Ubuntu 18.04 LTS
  python-configobj                5.0.6-2ubuntu0.18.04.1~esm1
                                  Available with Ubuntu Pro
  python3-configobj               5.0.6-2ubuntu0.18.04.1~esm1
                                  Available with Ubuntu Pro

Ubuntu 16.04 LTS
  python-configobj                5.0.6-2ubuntu0.16.04.1~esm1
                                  Available with Ubuntu Pro
  python3-configobj               5.0.6-2ubuntu0.16.04.1~esm1
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-7040-1
  CVE-2023-26112

Package Information:
  https://launchpad.net/ubuntu/+source/configobj/5.0.6-5ubuntu0.1
  https://launchpad.net/ubuntu/+source/configobj/5.0.6-4ubuntu0.1

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)