Kunpeng BoostKit 22.0.RC3.SPC1

DTS: DTS2022081803112

Vulnerability ID: HWPSIRT-2016-13923

The product involves a security vulnerability in Python 3.9.2. The external CVE number is CVE-2016-3189. The bzip2 component on which Python 3.9.2 depends has security risks.

Major

Python 3.9.2 used by the product has the CVE-2016-3189 vulnerability.

Use the Python software in which this vulnerability has been fixed.

None

On Linux, the bzip2 version is related to the system. During the build, upgrade the bzip2 version.

DTS: DTS2022081502962

Vulnerability ID: HWPSIRT-2022-23306

The product involves a security vulnerability in Python 3.9.2. The external CVE number is CVE-2018-25032. The zlib component on which Python 3.9.2 depends has security risks.

Major

Python 3.9.2 used by the product has the CVE-2018-25032 vulnerability.

Use the Python software in which this vulnerability has been fixed.

None

On Linux, the zlib version is related to the system. During the build, upgrade the zlib version to 1.2.12.

DTS: DTS2022110705156

Vulnerability ID: HWPSIRT-2022-73587

The product involves a security vulnerability in Python 3.9.2. The external CVE number is CVE-2021-28861. Python 3.9.11 has a URL redirection vulnerability. Attackers can construct URLs starting with // to initiate redirection attacks.

Critical

Python 3.9.2 used by the product has the CVE-2021-28861 vulnerability.

Use the Python software in which this vulnerability has been fixed.

None

Obtain the tag of Python used for version build and compare it with the vulnerability fix list of the tag. If the list contains the CVE-2021-28861 vulnerability, the vulnerability has been fixed.

DTS: DTS2022110705156

Vulnerability ID: HWPSIRT-2022-65549

The product involves a security vulnerability in Python 3.9.2. The external CVE number is CVE-2020-10735. In Python 3.9.2, there exists quadratic time complexity when a character string with base 10 is converted into digits. The conversion between str and int of a large number of digits may cause DoS attacks. The HAF tool is affected by this vulnerability.

Critical

Python 3.9.2 used by the product has the CVE-2020-10735 vulnerability.

Use the Python software in which this vulnerability has been fixed.

None

Obtain the tag of Python used for version build and compare it with the vulnerability fix list of the tag. If the list contains the CVE-2020-10735 vulnerability, the vulnerability has been fixed.

DTS: DTS2022110705156

Vulnerability ID: HWPSIRT-2019-15459

The product involves a security vulnerability in Python 3.9.2. The external CVE number is CVE-2019-12900. Python passively depends on bzip2 1.0.6. This vulnerability is of the same type as CVE-2016-3189.

Critical

Python 3.9.2 used by the product has the CVE-2019-12900 vulnerability.

Use the Python software in which this vulnerability has been fixed.

None

Obtain the tag of Python used for version build and compare it with the vulnerability fix list of the tag. If the list contains the CVE-2019-12900 vulnerability, the vulnerability has been fixed.

DTS: DTS2022110705156

Vulnerability ID: HWPSIRT-2022-65415

The product involves a security vulnerability in Python 3.9.2. The external CVE number is CVE-2022-37454. In Python 3.9.2, the SHA-3 reference implementation has an integer overflow and a resultant buffer overflow that allow attackers to execute arbitrary code or eliminate expected cryptographic properties.

Critical

Python 3.9.2 used by the product has the CVE-2022-37454 vulnerability.

Use the Python software in which this vulnerability has been fixed.

None

Obtain the tag of Python used for version build and compare it with the vulnerability fix list of the tag. If the list contains the CVE-2022-37454 vulnerability, the vulnerability has been fixed.

DTS: DTS2022111110225, DTS2022111111115

Vulnerability ID: HWPSIRT-2022-48740

The product involves a security vulnerability in Python 3.9.2. The external CVE number is CVE-2022-45061. When Python 3.9.2 processes some inputs to the IDNA decoder, an unnecessary quadratic algorithm exists in one path. As a result, a crafted unreasonably long name being presented to the decoder could lead to a CPU denial of service.

Major

Python 3.9.2 used by the product has the CVE-2022-45061 vulnerability.

Use the Python software in which this vulnerability has been fixed.

None

Obtain the tag of Python used for version build and compare it with the vulnerability fix list of the tag. If the list contains the CVE-2022-45061 vulnerability, the vulnerability has been fixed.

DTS: DTS2022111006811

Vulnerability ID: HWPSIRT-2022-30512

The product involves a security vulnerability in Python 3.9.2. The external CVE number is CVE-2022-42919. Python 3.9.2 allows local privilege escalation in a non-default configuration. When used with the forkserver start method on Linux, Pickles can execute arbitrary code. Thus, this allows for local user privilege escalation to the user that any forkserver process is running as.

Major

Python 3.9.2 used by the product has the CVE-2022-42919 vulnerability.

Use the Python software in which this vulnerability has been fixed.

None

Obtain the tag of Python used for version build and compare it with the vulnerability fix list of the tag. If the list contains the CVE-2022-42919 vulnerability, the vulnerability has been fixed.

DTS: DTS2022071306985

Vulnerability ID: HWPSIRT-2022-32170

The KMC streaming encryption and decryption interfaces, including SdpEncryptUpdate, SdpEncryptUpdateEx, SdpDecryptUpdate, SdpDecryptUpdateEx, SdpEncryptFinal, SdpEncryptFinalEx, SdpDecryptFinal, and SdpDecryptFinalEx, have incorrect input parameters. As a result, integer rollover occurs and further memory problems occur in the underlying cryptography library.

Minor

The KMC component has the HWPSIRT-2022-32170 vulnerability.

Use the KMC component in which this vulnerability has been fixed.

None

Obtain the tag of the KMC used for version build and compare it with the vulnerability fix list of the tag. If the list contains the HWPSIRT-2022-32170 vulnerability, the vulnerability has been fixed.