Some concerns about CVE description on Ubuntu?
For some issues mentioned in USN-5342-1: Python vulnerabilities:
David Schwörer discovered that Python incorrectly handled certain
inputs. An attacker could possibly use this issue to expose sensitive
information. This issue only affected Ubuntu 18.04 LTS.
It was discovered that Python incorrectly handled certain FTP
requests. An attacker could possibly use this issue to expose
sensitive information. This issue only affected Ubuntu 14.04 ESM,
Ubuntu 16.04 ESM, and Ubuntu 18.04 LTS. (CVE-2021-4189)
It was discovered that Python incorrectly handled certain inputs. An
attacker could possibly use this issue to execute arbitrary code.
Concern: As I understand it, this issue will only affect the versions mentioned in the details, right?
And for USN-5342-2: Python vulnerabilities, the detail section mentions:
USN-5342-1 fixed several vulnerabilities in Python. This update
provides the corresponding update for Ubuntu 14.04 ESM, Ubuntu 20.04
ESM and Ubuntu 22.04 ESM.
Does this mean that the issue only occurs in the versions mentioned in USN-5342-1 and USN-5342-2? Because I couldn’t find any information about Ubuntu 20.04 LTS versions.
For USN-5342-1, only CVE-2022-0391 is relevant for Ubuntu 20.04, which is clear in the description, since it references the packages:
python3.8-minimal - 3.8.10-0ubuntu1~20.04.4
python3.8 - 3.8.10-0ubuntu1~20.04.4
For USN-5342-2, this only relates to Python 2.7, which is also very clear from the description. Since Python 2.7 is not part of the default Ubuntu 20.04 installation, it's in the Universe repository, which again means that any additional security fixes (except for those done by the community) are only available with an Ubuntu Pro (ESM) subscription.
On Ubuntu 20.04, this means that if you have installed Python 2.7 and do not have an Ubuntu Pro subscription, then those vulnerabilities will exist until the community backports those security fixes to the Universe repository.
Also see here.