HIGH 7.5

PYSEC-2024-155

상세

cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) (RFC 8949) serialization format. Starting in version 5.5.1 and prior to version 5.6.2, an attacker can crash a service using cbor2 to parse a CBOR binary by sending a long enough object. Version 5.6.2 contains a patch for this issue.

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

PyPI / cbor2

최초 영향 버전: 0 수정 버전: 387755eacf0be35591a478d3c67fe10618a6d542

수정 pip install --upgrade 'cbor2>=387755eacf0be35591a478d3c67fe10618a6d542'

참고

https://github.com/agronholm/cbor2/security/advisories/GHSA-375g-39jq-vq7m [ADVISORY]
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BT42VXZMMMCSSHMA65KKPOZCXJEYHNR5/ [ARTICLE]
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GX524ZG2XJWFV37UQKQ4LWIH4UICSGEQ/ [ARTICLE]
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PWC3VU6YV6EXKCSX5GTKWLBZIDIJNQJY/ [ARTICLE]
https://github.com/agronholm/cbor2/security/advisories/GHSA-375g-39jq-vq7m [EVIDENCE]
https://github.com/agronholm/cbor2/commit/387755eacf0be35591a478d3c67fe10618a6d542 [FIX]
https://github.com/agronholm/cbor2/commit/4de6991ba29bf2290d7b9d83525eda7d021873df [FIX]
https://github.com/agronholm/cbor2/pull/204 [REPORT]
https://github.com/agronholm/cbor2/releases/tag/5.6.2 [WEB]
https://github.com/advisories/GHSA-375g-39jq-vq7m [ADVISORY]