
Author lukasz.langa
Recipients Joel Croteau, Julian, achraf-mer, christian.heimes, docs@python, eric.smith, gc2, lukasz.langa, mgorny, miss-islington, ncoghlan, ned.deily, pablogsal, pmoody, python-dev, serhiy.storchaka, steve.dower, vstinner
Date 2021-08-17.22:22:15
Message-id <1629238935.66.0.498457040547.issue36384@roundup.psfhosted.org>
Content
> it prevents using 3.8 because of this open vulnerability

What do you mean by this?

Our understanding is that this is a low-severity CVE because in order for this to be a vulnerability, you'd have to have both:

1. user access to IP address input; and
2. control over two addresses sharing numerical representation with leading zeroes: the first resolving when leading zeroes are treated as octal numbers; the second resolving when leading zeroes are treated as decimal numbers.

Access to both then allows you at best to circumvent IP address-based access control or denial of service. However, access to just 1. allows you to input any IP address to achieve the same goals.

Hence low-severity.


> it does not seem to be a breaking change

It is a bona fide breaking change. Any IP address configuration saved in files or databases which might have used leading zeroes would be rejected by 3.8.12. The same was true for 3.9.5 but since this release series has much higher exposure (still receiving binary installers and regular-cadence bugfixes), it was less controversial to include it.


If you still feel this ought to be fixed in 3.8, please elaborate.