This issue affects all major Python versions, including Python 2.6, 2.7, 3.2, and 3.3. Plus, minimatch has been backported to Python 2.6, 2.7, 3.3, and 3.4. In order to protect yourself against this ReDoS vulnerability, you should upgrade your system Python, or install a version with the patch. If you are using minimatch in production, we recommend contacting support and upgrading your system software. For more information, see this security advisory.

CVE-2017-9317

A vulnerability was discovered in the OpenSSL cryptography library. This issue allows a Denial of Service (DoS) due to a missing bounds check on non-zero length inputs. This weakness is triggered when a non-trivial amount of data is passed with a NULL value, which leads to an infinite loop. In order to protect yourself against this vulnerability, you should upgrade your system OpenSSL. For more information, see this security advisory.

CVE-2017-3731

A vulnerability was discovered in the PCRE regular expression library. This flaw allows a Denial of Service (DoS) when calling the match function with certain invalid inputs, causing a crash. An attacker can exploit this vulnerability by injecting data into the input with invalid syntax. This weakness is triggered when a non-trivial amount of data is passed with a NULL value, which leads to an infinite loop. In order to protect yourself against this vulnerability

Get the latest Python with the patch

If you are using Python in production, we recommend contacting support and upgrading your system software. For more information, see this security advisory.

Install Anaconda Python 3.4

For all of these vulnerabilities, you should upgrade to the latest version of Python on your system. For more information, see this security advisory.

Installing minimatch on FreeBSD

You can install minimatch from the FreeBSD ports if you are using another platform. For example, to install on FreeBSD-11.0 and later, do the following:

Timeline

Published on: 10/17/2022 20:15:00 UTC
Last modified on: 10/19/2022 17:56:00 UTC

References