CVE-2022-48566

Name	CVE-2022-48566
Description	An issue was discovered in compare_digest in Lib/hmac.py in Python through 3.9.1. Constant-time-defeating optimisations were possible in the accumulator variable in hmac.compare_digest.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-3575-1, DLA-3614-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
pypy3 (PTS)	bullseye	7.3.5+dfsg-2+deb11u2	fixed
	bullseye (security)	7.3.5+dfsg-2+deb11u4	fixed
	bookworm	7.3.11+dfsg-2+deb12u3	fixed
	trixie, sid	7.3.19+dfsg-2	fixed
python2.7 (PTS)	bullseye	2.7.18-8+deb11u1	fixed
python3.9 (PTS)	bullseye	3.9.2-1	fixed
	bullseye (security)	3.9.2-1+deb11u3	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin
pypy3	source	(unstable)	7.3.5+dfsg-2
python2.7	source	buster	2.7.16-2+deb10u3	DLA-3575-1
python2.7	source	bullseye	2.7.18-8+deb11u1
python2.7	source	(unstable)	(unfixed)
python3.7	source	buster	3.7.3-2+deb10u6	DLA-3614-1
python3.7	source	(unstable)	(unfixed)
python3.9	source	(unstable)	3.9.1~rc1-1

Notes

https://bugs.python.org/issue40791
https://github.com/python/cpython/commit/8183e11d87388e4e44e3242c42085b87a878f781 (v3.9.0b2)
https://github.com/python/cpython/commit/c1bbca5b004b3f74d240ef8a76ff445cc1a27efb (v3.9.1rc1)
https://github.com/python/cpython/commit/db95802bdfac4d13db3e2a391ec7b9e2f8d92dbe (v3.7.10)
https://github.com/python/cpython/commit/8bef9ebb1b88cfa4b2a38b93fe4ea22015d8254a (v3.6.13)
https://github.com/pypy/pypy/commit/5a6b88b9e00053538a4cba1a9b4b92fbe619a33a (release-pypy3.7-v7.3.4rc1)
https://github.com/python/cpython/issues/84968