Bug 1205244 (CVE-2022-45061) - VUL-0: CVE-2022-45061: python39,python3,python310,python36,python,python27: quadratic time IDNA decoding
Summary: VUL-0: CVE-2022-45061: python39,python3,python310,python36,python,python27: q...
Status: RESOLVED FIXED
Alias: CVE-2022-45061
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium (priority), Normal (severity)
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/347485/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-45061:6.5:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2022-11-09 14:16 UTC by Carlos López
Modified: 2024-06-13 15:44 UTC (History)
CC: 4 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Description Carlos López 2022-11-09 14:16:58 UTC
CVE-2022-45061

An issue was discovered in Python before 3.11.1. An unnecessary quadratic
algorithm exists in one path when processing some inputs to the IDNA (RFC 3490)
decoder, such that a crafted, unreasonably long name being presented to the
decoder could lead to a CPU denial of service. Hostnames are often supplied by
remote servers that could be controlled by a malicious actor; in such a
scenario, they could trigger excessive CPU consumption on the client attempting
to make use of an attacker-supplied supposed hostname. For example, the attack
payload could be placed in the Location header of an HTTP response with status
code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-45061
https://www.cve.org/CVERecord?id=CVE-2022-45061
https://github.com/python/cpython/issues/98433
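A client-side guard for the scenario the description gives (a server-supplied hostname, for instance from a 302 Location header, reaching the IDNA codec), written here as an added example; it is not CPython's fix and not code from the SUSE packages tracked in this bug. It assumes the RFC 1035 size limits (63 octets per label, 253 per name) and the standard-library `idna` codec; the names `check_hostname_size`, `idna_encode_host` and `redirect_host_ok` are chosen for this example.

```python
from urllib.parse import urlsplit

# RFC 1035 size limits, applied to the raw name before any IDNA processing.
MAX_LABEL = 63       # one label is at most 63 octets
MAX_HOSTNAME = 253   # a full presentation-form name is at most 253 octets


class HostnameTooLong(ValueError):
    """The name exceeds DNS size limits; never hand it to the IDNA codec."""


def check_hostname_size(host: str) -> str:
    """Return host without its trailing dot if it fits the DNS limits, else raise.

    Lengths are measured on the Unicode string in O(n). Punycode never shrinks
    a label (every code point yields at least one output character and a
    non-ASCII label gains an 'xn--' prefix), so a label over 63 code points can
    never become a valid 63-octet A-label: rejecting it here loses nothing and
    keeps oversized input away from the codec's expensive path.
    """
    name = host.rstrip(".")
    if not name:
        raise ValueError("empty hostname")
    if len(name) > MAX_HOSTNAME:
        raise HostnameTooLong(f"hostname has {len(name)} chars, limit {MAX_HOSTNAME}")
    for label in name.split("."):
        if not label:
            raise ValueError("empty label in hostname")
        if len(label) > MAX_LABEL:
            raise HostnameTooLong(f"label has {len(label)} chars, limit {MAX_LABEL}")
    return name


def idna_encode_host(host: str) -> bytes:
    """Size-check first, then run the standard-library IDNA codec."""
    return check_hostname_size(host).encode("idna")


def redirect_host_ok(location: str) -> bool:
    """True if the host in a Location header is safe to resolve, else False.

    Call this before following a 3xx redirect: a server-supplied hostname that
    fails the size check is dropped (and can be logged) instead of resolved,
    which is the client-side exposure the CVE text describes.
    """
    try:
        host = urlsplit(location).hostname
    except ValueError:
        return False
    if not host:
        return False
    try:
        idna_encode_host(host)
    except ValueError:  # HostnameTooLong and UnicodeError are both ValueErrors
        return False
    return True
```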
Comment 1 Carlos López 2022-11-09 14:42:10 UTC
This affects all Python versions it seems
Comment 2 OBSbugzilla Bot 2022-11-09 23:35:03 UTC
This is an autogenerated message for OBS integration:
This bug (1205244) was mentioned in
https://build.opensuse.org/request/show/1034962 Factory / python310
https://build.opensuse.org/request/show/1034963 Factory / python311
https://build.opensuse.org/request/show/1034964 Factory / python38
Comment 4 OBSbugzilla Bot 2022-11-10 01:35:02 UTC
This is an autogenerated message for OBS integration:
This bug (1205244) was mentioned in
https://build.opensuse.org/request/show/1034968 Factory / python39
https://build.opensuse.org/request/show/1034969 Factory / python
Comment 5 OBSbugzilla Bot 2022-11-10 17:35:05 UTC
This is an autogenerated message for OBS integration:
This bug (1205244) was mentioned in
https://build.opensuse.org/request/show/1035107 Factory / python
Comment 8 Swamp Workflow Management 2022-11-15 20:34:46 UTC
SUSE-SU-2022:4004-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1204886,1205244
CVE References: CVE-2022-42919,CVE-2022-45061
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    python310-3.10.8-150400.4.15.1, python310-core-3.10.8-150400.4.15.1, python310-documentation-3.10.8-150400.4.15.1
SUSE Linux Enterprise Module for Python3 15-SP4 (src):    python310-3.10.8-150400.4.15.1, python310-core-3.10.8-150400.4.15.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Swamp Workflow Management 2022-11-18 17:24:42 UTC
SUSE-SU-2022:4071-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1204886,1205244
CVE References: CVE-2022-42919,CVE-2022-45061
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    python39-3.9.15-150300.4.21.1, python39-core-3.9.15-150300.4.21.1, python39-documentation-3.9.15-150300.4.21.1
openSUSE Leap 15.3 (src):    python39-3.9.15-150300.4.21.1, python39-core-3.9.15-150300.4.21.1, python39-documentation-3.9.15-150300.4.21.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    python39-core-3.9.15-150300.4.21.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    python39-3.9.15-150300.4.21.1, python39-core-3.9.15-150300.4.21.1

Comment 10 Matej Cepl 2022-11-23 00:54:32 UTC
I believe this is all done. Am I right?
Comment 13 Swamp Workflow Management 2022-11-28 14:29:44 UTC
SUSE-SU-2022:4251-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1203125,1205244
CVE References: CVE-2020-10735,CVE-2022-45061
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    python3-3.4.10-25.102.2, python3-base-3.4.10-25.102.2
SUSE OpenStack Cloud 9 (src):    python3-3.4.10-25.102.2, python3-base-3.4.10-25.102.2
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    python3-3.4.10-25.102.2, python3-base-3.4.10-25.102.2
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    python3-3.4.10-25.102.2, python3-base-3.4.10-25.102.2
SUSE Linux Enterprise Server 12-SP5 (src):    python3-3.4.10-25.102.2, python3-base-3.4.10-25.102.2
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    python3-3.4.10-25.102.2, python3-base-3.4.10-25.102.2
SUSE Linux Enterprise Server 12-SP3-BCL (src):    python3-3.4.10-25.102.2, python3-base-3.4.10-25.102.2
SUSE Linux Enterprise Server 12-SP2-BCL (src):    python3-3.4.10-25.102.2, python3-base-3.4.10-25.102.2
SUSE Linux Enterprise Module for Web Scripting 12 (src):    python3-3.4.10-25.102.2, python3-base-3.4.10-25.102.2

Comment 14 Swamp Workflow Management 2022-11-28 20:25:16 UTC
SUSE-SU-2022:4258-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1205244
CVE References: CVE-2022-45061
JIRA References: 
Sources used:
SUSE Manager Server 4.1 (src):    python3-3.6.15-150000.3.119.1, python3-core-3.6.15-150000.3.119.1
SUSE Manager Retail Branch Server 4.1 (src):    python3-3.6.15-150000.3.119.1, python3-core-3.6.15-150000.3.119.1
SUSE Manager Proxy 4.1 (src):    python3-3.6.15-150000.3.119.1, python3-core-3.6.15-150000.3.119.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    python3-3.6.15-150000.3.119.1, python3-core-3.6.15-150000.3.119.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    python3-3.6.15-150000.3.119.1, python3-core-3.6.15-150000.3.119.1
SUSE Linux Enterprise Server for SAP 15 (src):    python3-3.6.15-150000.3.119.1, python3-core-3.6.15-150000.3.119.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    python3-3.6.15-150000.3.119.1, python3-core-3.6.15-150000.3.119.1
SUSE Linux Enterprise Server 15-SP2-BCL (src):    python3-3.6.15-150000.3.119.1, python3-core-3.6.15-150000.3.119.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    python3-3.6.15-150000.3.119.1, python3-core-3.6.15-150000.3.119.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    python3-3.6.15-150000.3.119.1, python3-core-3.6.15-150000.3.119.1
SUSE Linux Enterprise Server 15-LTSS (src):    python3-3.6.15-150000.3.119.1, python3-core-3.6.15-150000.3.119.1
SUSE Linux Enterprise Micro 5.1 (src):    python3-3.6.15-150000.3.119.1, python3-core-3.6.15-150000.3.119.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    python3-3.6.15-150000.3.119.1, python3-core-3.6.15-150000.3.119.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    python3-3.6.15-150000.3.119.1, python3-core-3.6.15-150000.3.119.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    python3-3.6.15-150000.3.119.1, python3-core-3.6.15-150000.3.119.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    python3-3.6.15-150000.3.119.1, python3-core-3.6.15-150000.3.119.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    python3-3.6.15-150000.3.119.1, python3-core-3.6.15-150000.3.119.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    python3-3.6.15-150000.3.119.1, python3-core-3.6.15-150000.3.119.1
SUSE Enterprise Storage 7 (src):    python3-3.6.15-150000.3.119.1, python3-core-3.6.15-150000.3.119.1
SUSE Enterprise Storage 6 (src):    python3-3.6.15-150000.3.119.1, python3-core-3.6.15-150000.3.119.1
SUSE CaaS Platform 4.0 (src):    python3-3.6.15-150000.3.119.1, python3-core-3.6.15-150000.3.119.1

Comment 15 Swamp Workflow Management 2022-11-29 17:42:32 UTC
SUSE-SU-2022:4275-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1202666,1205244
CVE References: CVE-2022-45061
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    python-2.7.18-33.17.1, python-base-2.7.18-33.17.1, python-doc-2.7.18-33.17.1
SUSE OpenStack Cloud 9 (src):    python-2.7.18-33.17.1, python-base-2.7.18-33.17.1, python-doc-2.7.18-33.17.1
SUSE Linux Enterprise Workstation Extension 12-SP5 (src):    python-base-2.7.18-33.17.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    python-2.7.18-33.17.1, python-base-2.7.18-33.17.1, python-doc-2.7.18-33.17.1
SUSE Linux Enterprise Server 12-SP5 (src):    python-2.7.18-33.17.1, python-base-2.7.18-33.17.1, python-doc-2.7.18-33.17.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    python-2.7.18-33.17.1, python-base-2.7.18-33.17.1, python-doc-2.7.18-33.17.1

Comment 16 khanh vu 2023-01-09 03:52:24 UTC
Hi,

Will we have a fix for python3 in SUSE Linux Enterprise Server 15 SP4?

BRs/KhanhVu
Comment 19 Swamp Workflow Management 2023-01-30 20:20:09 UTC
SUSE-SU-2023:0213-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1202666,1205244
CVE References: CVE-2022-45061
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 12-SP2-BCL (src):    python-2.7.18-28.93.1, python-base-2.7.18-28.93.1, python-doc-2.7.18-28.93.1

Comment 20 khanh vu 2023-02-21 07:06:01 UTC
According to the CVE site, we already have a fix for python3 in SLES15-SP4, but I can't find any fix for this CVE in the latest python3 version. Can you please help me check it?

BRs/KhanhVu
Comment 21 Carlos López 2023-02-21 08:23:57 UTC
(In reply to khanh vu from comment #20)
> According to the CVE site, we already have a fix for python3 in SLES15-SP4,
> but I can't find any fix for this CVE in the latest python3 version. Can you
> please help me check it?
> 
> BRs/KhanhVu

I'm afraid that information is wrong, I've just updated it.

@Matej as far as I can tell we are still missing:
- SUSE:SLE-11-SP1:Update:Teradata/python27
- SUSE:SLE-12-SP3:Update:Products:Teradata:Update/python36
- SUSE:SLE-12-SP5:Update/python36
- SUSE:SLE-15-SP3:Update/python3
Comment 22 Matej Cepl 2023-02-22 22:44:35 UTC
I believe it is done.
Comment 24 khanh vu 2023-02-23 06:53:22 UTC
Hi Matej Cepl,

Could you please share with me which SUSE-SU includes the Python3 fix in SLES15-SP4?
CVE-2022-45061 is not listed in the changelog of latest Python3 version.

BRs/KhanhVu
Comment 25 Carlos López 2023-02-23 08:25:45 UTC
(In reply to khanh vu from comment #24)
> Hi Matej Cepl,
> 
> Could you please share with me which SUSE-SU includes the Python3 fix in
> SLES15-SP4?
> CVE-2022-45061 is not listed in the changelog of latest Python3 version.
> 
> BRs/KhanhVu

This was submitted yesterday, so it is still in QA.
Comment 26 khanh vu 2023-02-24 02:19:52 UTC
Thanks, Carlos López,

According to https://www.suse.com/security/cve/CVE-2022-45061.html, the status of SLES15-SP4 has changed.

BRs/KhanhVu
Comment 27 Maintenance Automation 2023-02-27 20:30:06 UTC
SUSE-SU-2023:0549-1: An update that solves one vulnerability and has one fix can now be installed.

Category: security (moderate)
Bug References: 1205244, 1208443
CVE References: CVE-2022-45061
Sources used:
openSUSE Leap Micro 5.3 (src): python3-3.6.15-150300.10.40.1, python3-core-3.6.15-150300.10.40.1
openSUSE Leap 15.4 (src): python3-3.6.15-150300.10.40.1, python3-core-3.6.15-150300.10.40.1, python3-documentation-3.6.15-150300.10.40.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src): python3-3.6.15-150300.10.40.1, python3-core-3.6.15-150300.10.40.1
SUSE Linux Enterprise Micro 5.3 (src): python3-3.6.15-150300.10.40.1, python3-core-3.6.15-150300.10.40.1
Basesystem Module 15-SP4 (src): python3-3.6.15-150300.10.40.1, python3-core-3.6.15-150300.10.40.1
Development Tools Module 15-SP4 (src): python3-core-3.6.15-150300.10.40.1
SUSE Linux Enterprise Real Time 15 SP3 (src): python3-3.6.15-150300.10.40.1, python3-core-3.6.15-150300.10.40.1
SUSE Linux Enterprise Micro 5.2 (src): python3-3.6.15-150300.10.40.1, python3-core-3.6.15-150300.10.40.1
SUSE Linux Enterprise Micro for Rancher 5.2 (src): python3-3.6.15-150300.10.40.1, python3-core-3.6.15-150300.10.40.1

Comment 29 Maintenance Automation 2023-03-03 16:30:03 UTC
SUSE-SU-2023:0616-1: An update that solves one vulnerability and has two fixes can now be installed.

Category: security (moderate)
Bug References: 1188607, 1205244, 1208443
CVE References: CVE-2022-45061
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): python36-core-3.6.15-37.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): python36-core-3.6.15-37.1, python36-3.6.15-37.1
SUSE Linux Enterprise Server 12 SP5 (src): python36-core-3.6.15-37.1, python36-3.6.15-37.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): python36-core-3.6.15-37.1, python36-3.6.15-37.1

Comment 32 Maintenance Automation 2023-03-14 16:30:07 UTC
SUSE-SU-2023:0724-1: An update that solves two vulnerabilities and has one fix can now be installed.

Category: security (important)
Bug References: 1202666, 1205244, 1208471
CVE References: CVE-2022-45061, CVE-2023-24329
Sources used:
openSUSE Leap 15.4 (src): python-base-2.7.18-150000.48.1, python-2.7.18-150000.48.1, python-doc-2.7.18-150000.48.1
SUSE Package Hub 15 15-SP4 (src): python-base-2.7.18-150000.48.1
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): python-base-2.7.18-150000.48.1, python-2.7.18-150000.48.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): python-base-2.7.18-150000.48.1, python-2.7.18-150000.48.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): python-base-2.7.18-150000.48.1, python-2.7.18-150000.48.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): python-base-2.7.18-150000.48.1, python-2.7.18-150000.48.1
SUSE Linux Enterprise Real Time 15 SP3 (src): python-base-2.7.18-150000.48.1, python-2.7.18-150000.48.1
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): python-base-2.7.18-150000.48.1, python-2.7.18-150000.48.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): python-base-2.7.18-150000.48.1, python-2.7.18-150000.48.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): python-base-2.7.18-150000.48.1, python-2.7.18-150000.48.1
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): python-base-2.7.18-150000.48.1, python-2.7.18-150000.48.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): python-base-2.7.18-150000.48.1, python-2.7.18-150000.48.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): python-base-2.7.18-150000.48.1, python-2.7.18-150000.48.1
SUSE Manager Proxy 4.2 (src): python-base-2.7.18-150000.48.1, python-2.7.18-150000.48.1
SUSE Manager Retail Branch Server 4.2 (src): python-base-2.7.18-150000.48.1, python-2.7.18-150000.48.1
SUSE Manager Server 4.2 (src): python-base-2.7.18-150000.48.1, python-2.7.18-150000.48.1
SUSE Enterprise Storage 7.1 (src): python-base-2.7.18-150000.48.1, python-2.7.18-150000.48.1
SUSE Enterprise Storage 7 (src): python-base-2.7.18-150000.48.1, python-2.7.18-150000.48.1
SUSE CaaS Platform 4.0 (src): python-base-2.7.18-150000.48.1, python-2.7.18-150000.48.1

Comment 41 OBSbugzilla Bot 2023-05-25 00:36:30 UTC
This is an autogenerated message for OBS integration:
This bug (1205244) was mentioned in
https://build.opensuse.org/request/show/1088922 Factory / python
Comment 49 Daniel Garcia 2024-02-08 18:44:13 UTC
Looks like this is fixed now for all codestreams. Anything else before reassigning this to security-team?
Comment 50 Carlos López 2024-02-22 14:39:26 UTC
Done, closing.