
For some issues mentioned in USN-5342-1: Python vulnerabilities:

David Schwörer discovered that Python incorrectly handled certain inputs. An attacker could possibly use this issue to expose sensitive information. This issue only affected Ubuntu 18.04 LTS. (CVE-2021-3426)

It was discovered that Python incorrectly handled certain FTP requests. An attacker could possibly use this issue to expose sensitive information. This issue only affected Ubuntu 14.04 ESM, Ubuntu 16.04 ESM, and Ubuntu 18.04 LTS. (CVE-2021-4189)

It was discovered that Python incorrectly handled certain inputs. An attacker could possibly use this issue to execute arbitrary code. (CVE-2022-0391)

Concern: As I understand it, this issue will only affect the versions mentioned in the details, right?

And for USN-5342-2: Python vulnerabilities, the detail section mentions:

USN-5342-1 fixed several vulnerabilities in Python. This update provides the corresponding update for Ubuntu 14.04 ESM, Ubuntu 20.04 ESM and Ubuntu 22.04 ESM.

Does this mean that the issue only occurs in the versions mentioned in USN-5342-1 and USN-5342-2? Because I couldn't find any information about Ubuntu 20.04 LTS versions.

Artur Meinild
Kane
  • There are multiple issues involved in these USNs, which issue do you mean to refer to by "this issue" and "the issue"? Some of them affect 20.04 as clearly listed in the USNs. – muru Nov 16 '23 at 08:04
  • In USN-5342-1, CVE-2021-4189 only impacts Ubuntu 14.04 ESM, Ubuntu 16.04 ESM, and Ubuntu 18.04 LTS. (CVE-2021-4189). Does this mean it only affects the versions mentioned? And in USN-5342-2, it is fixed in Ubuntu ESM versions, I want to know if CVE-2022-0391 and CVE-2021-4189 impact Ubuntu 20.04 LTS or not. – Kane Nov 16 '23 at 08:18
  • Here, these charts might make it clearer: https://ubuntu.com/security/CVE-2021-4189 and https://ubuntu.com/security/CVE-2022-0391 <- you can see fixes released for Ubuntu 20.04 for python2.7 and python3.8 in both. – muru Nov 16 '23 at 08:40

1 Answer

For USN-5342-1, only CVE-2022-0391 is relevant for Ubuntu 20.04, which is clear in the description, since it references the packages:

Ubuntu 20.04
python3.8-minimal - 3.8.10-0ubuntu1~20.04.4
python3.8 - 3.8.10-0ubuntu1~20.04.4

For USN-5342-2, this only relates to Python 2.7, which is also very clear from the description. Since Python 2.7 is not part of the default Ubuntu 20.04 installation, it's in the Universe repository, which again means that any additional security fixes (except for those done by the community) are only available with an Ubuntu Pro (ESM) subscription.

On Ubuntu 20.04, this means that if you have installed Python 2.7 and do not have an Ubuntu Pro subscription, then those vulnerabilities will exist until the community backports those security fixes to the Universe repository.

Also see here.

Artur Meinild