Alpine: python3: security update to 3.6.8-r0

critical Tenable Cloud Security Plugin ID 406757

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This
could make it easy to conduct denial of service attacks against Expat by constructing an XML document that
would cause pathological hash collisions in Expat's internal data structures, consuming large amounts CPU
and RAM. The vulnerability exists in Python versions 3.7.0, 3.6.0 through 3.6.6, 3.5.0 through 3.5.6,
3.4.0 through 3.4.9, 2.7.0 through 2.7.15. (CVE-2018-14647)

- Modules/_pickle.c in Python before 3.7.1 has an integer overflow via a large LONG_BINPUT value that is
mishandled during a "resize to twice the size" attempt. This issue might cause memory exhaustion, but is
only relevant if the pickle format is used for serializing tens or hundreds of gigabytes of data. This
issue is fixed in: v3.4.10, v3.4.10rc1; v3.5.10, v3.5.10rc1, v3.5.7, v3.5.7rc1, v3.5.8, v3.5.8rc1,
v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.7, v3.6.7rc1, v3.6.7rc2,
v3.6.8, v3.6.8rc1, v3.6.9, v3.6.9rc1; v3.7.1, v3.7.1rc1, v3.7.1rc2, v3.7.2, v3.7.2rc1, v3.7.3, v3.7.3rc1,
v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1,
v3.7.9. (CVE-2018-20406)

- Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding
(with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials,
cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit,
urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate
cookies or authentication data and send that information to a different host than when parsed correctly.
This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.7, v3.5.8,
v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1;
v3.7.3, v3.7.3rc1, v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1,
v3.7.8, v3.7.8rc1, v3.7.9. (CVE-2019-9636)

See Also

https://security.alpinelinux.org/vuln/CVE-2018-14647

https://security.alpinelinux.org/vuln/CVE-2018-20406

https://security.alpinelinux.org/vuln/CVE-2019-9636

Plugin Details

Severity: Critical

ID: 406757

Version: Revision 1.29

Type: Local

Published: 10/31/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 6.9

Percentile: 97.17

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2019-9636

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 9/13/2018

Reference Information

CVE: CVE-2018-14647, CVE-2018-20406, CVE-2019-9636

BID: 105396, 106297, 107400

IAVA: 2021-A-0263-S