Python programming language hurries out update to tackle remote code vulnerability

13:18 23 February 2021 Source: zdnet.com

The Python Software Foundation (PSF) has rushed out Python 3.9.2 and 3.8.8 to address two notable security flaws, including one that is remotely exploitable but in practical terms can only be used to knock a machine offline.

PSF is urging its legion of Python users to upgrade systems to Python 3.8.8 or 3.9.2, in particular to address the remote code execution (RCE) vulnerability that's tracked as CVE-2021-3177.

The project expedited the release after receiving unexpected pressure from some users who were concerned over the security flaw.

"Since the announcement of the release candidates for 3.9.2 and 3.8.8, we received a number of inquiries from end users urging us to expedite the final releases due to the security content, especially CVE-2021-3177," said the Python release team.

"This took us somewhat by surprise since we believed security content is cherry-picked by downstream distributors from source either way, and the RC releases provide installers for everybody else interested in upgrading in the meantime," PSF said.

"It turns out that release candidates are mostly invisible to the community and in many cases cannot be used due to upgrade processes which users have in place."

Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution.

It affects Python applications that "accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param."

The bug occurs because sprintf is used unsafely: the textual representation of an attacker-controlled float is written into a fixed-size stack buffer with no bound on its length. The impact is broad because Python is pre-installed with multiple Linux distributions and Windows 10.

Various Linux distributions, such as Debian, have been backporting the security patches to ensure the built-in versions of Python are shielded.

The vulnerability is a common class of memory flaw. Per Red Hat, a stack-based buffer overflow in Python's ctypes module improperly validated the input passed to it, "which would allow an attacker to overflow a buffer on the stack and crash the application."
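Two checks a practitioner would want for CVE-2021-3177, as an added example that is neither the article's nor CPython's code. It assumes the vulnerable shape described above: a fixed-size stack buffer (assumed here to be 256 bytes) filled by sprintf with a "%f" conversion of the c_double value, which is what makes the advisory's 1e300 argument interesting, since "%f" spells out every integer digit. The first function shows how long that output gets; the second gates on the release numbers the article names (older branches are reported as not covered, not as safe); the third runs the advisory's trigger in a child interpreter so a vulnerable build crashes the child rather than the caller.

```python
"""Checks for CVE-2021-3177 (buffer overflow in PyCArg_repr, _ctypes/callproc.c).

Added example, not code from the article or from CPython. It assumes the
vulnerable pattern the advisory describes: a fixed-size stack buffer
(assumed: 256 bytes) filled by sprintf with a "%f" conversion of an
attacker-supplied double.
"""
import subprocess
import sys

# Assumed size of the stack buffer in the vulnerable PyCArg_repr.
ASSUMED_BUFFER_SIZE = 256

# Assumed format for a c_double argument: tag 'd', value printed with %f
# (no exponent, every integer digit written out).
CPARAM_FORMAT = "<cparam 'd' (%f)>"


def formatted_length(value: float) -> int:
    """Length of the string a "%f"-style sprintf produces for `value`.

    Python's %f matches C's here: 1e300 expands to 301 integer digits plus
    ".000000", so the assumed 256-byte buffer is far too small.
    """
    return len(CPARAM_FORMAT % value)


def overflows_buffer(value: float, size: int = ASSUMED_BUFFER_SIZE) -> bool:
    """True when formatting `value` needs more than `size` bytes (incl. NUL)."""
    return formatted_length(value) + 1 > size


def version_is_fixed(info=sys.version_info) -> bool:
    """Is this interpreter one of the fixed releases the article names?

    3.8.8 and 3.9.2 carry the fix; anything newer than 3.9 is assumed fixed.
    Older branches are not covered by the article, so they return False here:
    go and check whether your distribution backported the patch.
    """
    major, minor, micro = info[0], info[1], info[2]
    if major != 3:
        return False
    if minor >= 10:
        return True
    if minor == 9:
        return micro >= 2
    if minor == 8:
        return micro >= 8
    return False


def probe_ctypes_repr(python: str = sys.executable) -> bool:
    """Run the advisory's trigger in a child interpreter and report survival.

    repr() of the CArgObject returned by c_double.from_param(1e300) reaches
    PyCArg_repr. A vulnerable build dies with a stack-smashing abort or a
    segfault (non-zero return code); a fixed build prints the repr and exits 0.
    """
    code = "import ctypes; print(repr(ctypes.c_double.from_param(1e300)))"
    result = subprocess.run([python, "-c", code], capture_output=True, text=True)
    return result.returncode == 0


if __name__ == "__main__":
    print("version reports fixed:", version_is_fixed())
    print("bytes needed for 1e300:", formatted_length(1e300),
          "overflows a %d-byte buffer:" % ASSUMED_BUFFER_SIZE,
          overflows_buffer(1e300))
    print("interpreter survives the 1e300 repr:", probe_ctypes_repr())
```

Run it with the interpreter you want to audit; the subprocess probe is the check that actually exercises the patched code path, the version gate is only a quick screen and says nothing about distribution builds that backported the fix under an older version number.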

While a remote code execution vulnerability is bad news, Red Hat notes that the "highest threat from this vulnerability is to system availability." In other words, an attacker would most likely only be able to pull off a denial of service attack.

"Our understanding is that while the CVE is listed as 'remote code execution', practical exploits of this vulnerability as such are very unlikely due to the following conditions needing to be met for successful RCE," said the PSF.

"To be sure, denial of service through malicious input is also a serious issue. Thus, to help the community members for whom the release candidate was insufficient, we are releasing the final versions of 3.9.2 and 3.8.8 today," the organization added.

The other flaw is tracked as CVE-2021-23336 and concerns web cache poisoning through the query-string parsing in urllib.parse, which treated both "&" and ";" as parameter separators. The fix addresses it by "defaulting the query args separator to &, and allowing the user to choose a custom separator."
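The parameter-cloaking pattern behind CVE-2021-23336, as an added example that is not code from the article or from CPython. The caching proxy and the backend are toy models written for this illustration, the request strings are constructed, and `legacy_parse_qs` is a stand-in that emulates the pre-fix default (splitting on both "&" and ";") so the old behaviour can be shown on a fixed interpreter. The proxy splits on "&" only and drops an unkeyed tracking parameter when building its cache key; a legacy backend splits on ";" as well, so the attacker's request shares a cache key with the victim's but renders a different value.

```python
"""CVE-2021-23336: parameter cloaking against urllib.parse.parse_qs.

Added example, not code from the article or from CPython. The proxy and
backend below are toy models for this illustration; the request strings
are constructed. Requires a Python whose parse_qs accepts `separator`
(3.8.8 / 3.9.2 or later).
"""
import re
from urllib.parse import parse_qs

# Parameters the toy proxy leaves out of its cache key (typical for trackers).
UNKEYED = frozenset({"utm_content"})


def legacy_parse_qs(query: str) -> dict:
    """Emulates the pre-fix default: both '&' and ';' separate parameters.

    Stand-in so the old behaviour can be shown on a fixed interpreter; it is
    not the original implementation.
    """
    result = {}
    for pair in re.split(r"[&;]", query):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        result.setdefault(name, []).append(value)
    return result


def proxy_cache_key(query: str) -> tuple:
    """Cache key as a proxy computes it: '&'-separated, unkeyed params dropped."""
    parsed = parse_qs(query, separator="&", keep_blank_values=True)
    return tuple(sorted((k, tuple(v)) for k, v in parsed.items()
                        if k not in UNKEYED))


def backend_value(query: str, name: str, legacy: bool) -> str:
    """Value the application renders for `name`; last occurrence wins."""
    if legacy:
        parsed = legacy_parse_qs(query)
    else:
        parsed = parse_qs(query, separator="&", keep_blank_values=True)
    return parsed.get(name, [""])[-1]


def parse_with_separator(query: str, separator: str) -> dict:
    """Applications that genuinely use ';' (or another separator) say so explicitly."""
    return parse_qs(query, separator=separator, keep_blank_values=True)


# Constructed requests: the victim's normal query and the attacker's cloaked one.
BENIGN = "q=safe"
ATTACK = "q=safe&utm_content=1;q=evil"

if __name__ == "__main__":
    print("same cache key:", proxy_cache_key(BENIGN) == proxy_cache_key(ATTACK))
    print("legacy backend serves:", backend_value(ATTACK, "q", legacy=True))
    print("fixed backend serves: ", backend_value(ATTACK, "q", legacy=False))
    print("explicit ';' parsing:", parse_with_separator("a=1;b=2", ";"))
```

With the legacy split, the cached response for the key derived from `q=safe` is the page rendered for `q=evil`; with the fixed default, the backend and the proxy agree that the stray `;q=evil` is just part of the tracking parameter's value. The point of the new `separator` argument is that an application which really does use semicolons can opt in, rather than every application silently accepting both.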
