This security advisory addresses 8 critical vulnerabilities discovered in project dependencies. All vulnerabilities have been patched in commit d684396.
DNS Server for ISP versions prior to commit d684396 (2024-01-31)
- Severity: HIGH
- Affected Versions: <= 3.13.2
- Fixed Version: 3.13.3
- Description: aiohttp's HTTP parser auto_decompress feature is vulnerable to zip bomb attacks, which could lead to resource exhaustion.
- Impact: Denial of Service (DoS)

- Severity: HIGH
- Affected Versions: < 3.9.4
- Fixed Version: 3.9.4
- Description: aiohttp is vulnerable to Denial of Service when trying to parse malformed POST requests.
- Impact: Denial of Service (DoS)

- Severity: HIGH
- Affected Versions: >= 1.0.5, < 3.9.2
- Fixed Version: 3.9.2
- Description: aiohttp is vulnerable to directory traversal attacks.
- Impact: Unauthorized file access

- Severity: MEDIUM
- Affected Versions: >= 38.0.0, < 42.0.4
- Fixed Version: 42.0.4
- Description: cryptography has a NULL pointer dereference in pkcs12.serialize_key_and_certificates when called with a non-matching certificate and private key and an hmac_hash override.
- Impact: Application crash, potential DoS

- Severity: MEDIUM
- Affected Versions: <= 0.109.0
- Fixed Version: 0.109.1
- Description: FastAPI is vulnerable to Regular Expression Denial of Service (ReDoS) in Content-Type header parsing.
- Impact: Denial of Service (DoS)

- Severity: HIGH
- Affected Versions: < 0.0.22
- Fixed Version: 0.0.22
- Description: Python-Multipart has an Arbitrary File Write vulnerability via a non-default configuration.
- Impact: Unauthorized file system access

- Severity: MEDIUM
- Affected Versions: < 0.0.18
- Fixed Version: 0.0.18
- Description: Denial of Service (DoS) via a deformed multipart/form-data boundary.
- Impact: Denial of Service (DoS)

- Severity: MEDIUM
- Affected Versions: <= 0.0.6
- Fixed Version: 0.0.7
- Description: python-multipart is vulnerable to Content-Type header ReDoS.
- Impact: Denial of Service (DoS)
- Update Dependencies

```bash
cd backend
pip install -r requirements.txt --upgrade
```

- Rebuild Docker Containers

```bash
cd docker
docker-compose down
docker-compose build --no-cache
docker-compose up -d
```

- Verify Installation

```bash
pip list | grep -E 'aiohttp|cryptography|fastapi|python-multipart'
```

Expected output:

```
aiohttp 3.13.3
cryptography 42.0.4
fastapi 0.109.1
python-multipart 0.0.22
```
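The grep above only shows versions; it does not tell you whether an installed version still falls inside one of the affected ranges listed in this advisory. The following script is an added example (not part of the advisory or the project) that encodes the advisory's eight affected ranges and reports any installed package that still matches one; it assumes plain dotted release versions.

```python
# Added example, not project code: check installed versions against the
# affected ranges in this advisory. Assumes plain dotted versions (no pre-release tags).
from importlib.metadata import PackageNotFoundError, version as installed_version

# (package, affected-range spec, fixed version), copied from the advisory entries
ADVISORIES = [
    ("aiohttp", "<=3.13.2", "3.13.3"),
    ("aiohttp", "<3.9.4", "3.9.4"),
    ("aiohttp", ">=1.0.5,<3.9.2", "3.9.2"),
    ("cryptography", ">=38.0.0,<42.0.4", "42.0.4"),
    ("fastapi", "<=0.109.0", "0.109.1"),
    ("python-multipart", "<0.0.22", "0.0.22"),
    ("python-multipart", "<0.0.18", "0.0.18"),
    ("python-multipart", "<=0.0.6", "0.0.7"),
]
OPS = {"<=": lambda a, b: a <= b, ">=": lambda a, b: a >= b,
       "<": lambda a, b: a < b, ">": lambda a, b: a > b}

def parse_version(text):
    # '3.9.4' -> (3, 9, 4); tuples compare component-wise, unlike strings
    return tuple(int(p) for p in text.strip().split("."))

def in_range(ver, spec):
    # True when `ver` satisfies every comma-separated clause of `spec`
    v = parse_version(ver)
    for clause in spec.split(","):
        clause = clause.strip()
        op = next(o for o in ("<=", ">=", "<", ">") if clause.startswith(o))
        if not OPS[op](v, parse_version(clause[len(op):])):
            return False
    return True

def vulnerable_entries(installed):
    # installed: {package: version or None}; returns (package, version, fixed)
    # for each advisory entry the installed version still falls into
    return [(pkg, installed[pkg], fixed) for pkg, spec, fixed in ADVISORIES
            if installed.get(pkg) and in_range(installed[pkg], spec)]

def installed_versions(names):
    # versions from the running interpreter; None when a package is absent
    out = {}
    for name in names:
        try:
            out[name] = installed_version(name)
        except PackageNotFoundError:
            out[name] = None
    return out

if __name__ == "__main__":
    found = installed_versions({p for p, _, _ in ADVISORIES})
    for pkg, ver, fixed in vulnerable_entries(found):
        print(f"{pkg} {ver} is still affected; upgrade to {fixed} or later")
```

Run it inside the backend's virtual environment after the upgrade; no output means every installed package is outside all eight ranges.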
- 2024-01-31 21:00 UTC: Vulnerabilities discovered
- 2024-01-31 21:15 UTC: Dependencies updated
- 2024-01-31 21:20 UTC: Fix committed and pushed
- 2024-01-31 21:25 UTC: Security advisory published
Before the fix:
- System vulnerable to DoS attacks
- Potential directory traversal
- Risk of arbitrary file writes
- Application crash risks

After the fix:
- All known vulnerabilities resolved
- DoS attack vectors mitigated
- File system access secured
- Application stability improved

All updates have been tested for:
- Backward compatibility
- API functionality
- Docker container builds
- No breaking changes
- Deploy this update immediately to production
- Monitor application logs for any anomalies
- Review security settings and configurations
- Enable GitHub Dependabot alerts
- Implement automated dependency scanning in CI/CD
- Schedule regular security audits
- Set up automated dependency updates
Enable these features in your repository:
- Dependabot Alerts: Settings → Security → Dependabot alerts
- Dependabot Security Updates: Auto-creates PRs for vulnerabilities
- Code Scanning: GitHub Advanced Security
Monitor your deployment:

```bash
# Check application health
curl http://localhost:8000/health

# View recent logs
docker-compose logs --tail=100 backend

# Monitor resource usage
docker stats
```

For security concerns, please contact:
- Email: security@example.com
- GitHub: Open a security advisory
Thank you to the security researchers and maintainers who identified and patched these vulnerabilities.
Last Updated: 2024-01-31
Severity: HIGH
Status: RESOLVED
Fix Version: commit d684396