ELA-1322-1 pypy security update

multiple vulnerabilities

2025-02-14
Package: pypy
Version: 5.6.0+dfsg-4+deb9u1 (stretch)
Related CVEs: CVE-2014-7185 CVE-2015-20107 CVE-2018-1060 CVE-2018-1061 CVE-2018-20852 CVE-2018-1000802 CVE-2019-9636 CVE-2019-9948 CVE-2019-16056 CVE-2019-16935 CVE-2019-20907 CVE-2020-8492 CVE-2020-26116 CVE-2020-29651 CVE-2021-3733 CVE-2021-3737 CVE-2021-4189 CVE-2022-45061 CVE-2022-48565 CVE-2022-48566 CVE-2023-40217 CVE-2024-0450


Multiple vulnerabilities were discovered in PyPy, a fast, compliant alternative implementation of the Python language.

All fixed vulnerabilities come from embedded code copies.

For vulnerabilities from the python2.7 standard library, please refer to:

One vulnerability comes from an internal copy of python2.7 C code. PyPy is only affected when making use of the compatibility layer for Python C extensions (cpyext):

The remaining minor vulnerability comes from an embedded copy of python-py. We believe it is not exploitable, as the bundled py module is only used during package build, but it is included for consistency with pypy3 DLA-3966-1:



For Debian 9 stretch, these problems have been fixed in version 5.6.0+dfsg-4+deb9u1.

We recommend that you upgrade your pypy packages.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.