Описание
pycares is a Python module which provides an interface to c-ares. c-ares is a C library that performs DNS requests and name resolutions asynchronously. Prior to version 4.9.0, pycares is vulnerable to a use-after-free condition that occurs when a Channel object is garbage collected while DNS queries are still pending. This results in a fatal Python error and interpreter crash. The vulnerability has been fixed in pycares 4.9.0 by implementing a safe channel destruction mechanism.
A flaw was found in pycares. A use-after-free condition arises when a Channel object is garbage collected while associated DNS queries remain pending, leading to a fatal Python error and interpreter crash. This vulnerability allows a local attacker to trigger the crash by initiating DNS queries and then manipulating the object lifetime. This condition causes a denial of service resulting from interpreter termination.
Меры по смягчению последствий
To mitigate this flaw avoid creating Channel objects per-request.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Ansible Automation Platform 2 | automation-controller | Not affected | ||
| Red Hat Ansible Automation Platform 2 | python3.11-pycares | Not affected | ||
| Red Hat Ansible Automation Platform 2 | python3x-pycares | Not affected | ||
| Red Hat Ansible Automation Platform 2 | python-pycares | Not affected | ||
| Red Hat Satellite 6 | python-pycares | Not affected | ||
| Red Hat Satellite 6 | satellite-capsule:el8/python-pycares | Not affected | ||
| Red Hat Satellite 6 | satellite:el8/python-pycares | Not affected | ||
| Red Hat Update Infrastructure 4 for Cloud Providers | python-pycares | Not affected |
Показывать по
Ссылки на источники
Дополнительная информация
Статус:
5.5 Medium
CVSS3
Связанные уязвимости
pycares is a Python module which provides an interface to c-ares. c-ares is a C library that performs DNS requests and name resolutions asynchronously. Prior to version 4.9.0, pycares is vulnerable to a use-after-free condition that occurs when a Channel object is garbage collected while DNS queries are still pending. This results in a fatal Python error and interpreter crash. The vulnerability has been fixed in pycares 4.9.0 by implementing a safe channel destruction mechanism.
pycares is a Python module which provides an interface to c-ares. c-ares is a C library that performs DNS requests and name resolutions asynchronously. Prior to version 4.9.0, pycares is vulnerable to a use-after-free condition that occurs when a Channel object is garbage collected while DNS queries are still pending. This results in a fatal Python error and interpreter crash. The vulnerability has been fixed in pycares 4.9.0 by implementing a safe channel destruction mechanism.
pycares is a Python module which provides an interface to c-ares. c-ar ...
5.5 Medium
CVSS3