Dear all,

you may have heard about a parsing bug/vulnerability in Python's ipaddress module. Only Python versions >= 3.8 are affected. The bug affects the handling of addresses in octal notation.

The sources below have more details on the error, but in principle it means that the leading zeros of IP addresses in octal notation are stripped and the rest is parsed as decimal. The correct behavior would have been that the numbers starting with zeros are parsed as octal. You can also see the (erroneous) changes in the documentation:
https://docs.python.org/3/library/ipaddress.html#ipaddress.IPv4Address
("Changed in version 3.8" and "Changed in version 3.10"). There is no fix yet for this bug, but you should receive it soon from your distribution.

As an IntelMQ user, you need to trust your input sources anyway, or check the validity of the collected data. If any feed gives you IP addresses with leading zeros, the outcome may be unexpected.

Further sources:
https://www.bleepingcomputer.com/news/security/python-also-impacted-by-critical-ip-address-validation-vulnerability/
https://sick.codes/sick-2021-014/
best regards
Sebastian
--
Sebastian Wagner <wagner@cert.at> - T: +43 676 898 298 7201
CERT Austria - https://www.cert.at/
An initiative of nic.at GmbH - https://www.nic.at/
Company register number 172568b, LG Salzburg
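
One way to check collected data for the leading-zero case described in the message above, as an added example that is not part of the original e-mail and not IntelMQ code. The function names and `SAMPLE_FEED` are hypothetical and the addresses are constructed; the check does not call the ipaddress module, so its result is the same on every Python version.

```python
# Added example: flag dotted-quad strings whose octets carry leading zeros.
# Function names and SAMPLE_FEED are hypothetical; the addresses are constructed.

def _join(values):
    """Render four octet values as an address, or None if any is invalid."""
    if any(v is None or v > 255 for v in values):
        return None
    return ".".join(str(v) for v in values)

def _octal(part):
    """Read an octet as octal; None if it contains the digits 8 or 9."""
    try:
        return int(part, 8)
    except ValueError:
        return None

def interpret(addr):
    """Return (ambiguous, decimal_reading, octal_reading) for a dotted quad."""
    parts = addr.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"not a dotted-quad IPv4 string: {addr!r}")
    zero_led = [len(p) > 1 and p[0] == "0" for p in parts]
    # Reading 1: leading zeros stripped, rest parsed as decimal.
    stripped = _join([int(p, 10) for p in parts])
    # Reading 2: octets that start with a zero parsed as octal.
    octal = _join([_octal(p) if z else int(p, 10) for p, z in zip(parts, zero_led)])
    return any(zero_led), stripped, octal

def split_feed(addresses):
    """Separate unambiguous addresses from those needing review."""
    accepted, rejected = [], []
    for addr in addresses:
        try:
            ambiguous, stripped, octal = interpret(addr)
        except ValueError:
            rejected.append((addr, "malformed"))
            continue
        if ambiguous:
            rejected.append((addr, f"leading zero: decimal={stripped} octal={octal}"))
        elif stripped is None:
            rejected.append((addr, "octet out of range"))
        else:
            accepted.append(stripped)
    return accepted, rejected

SAMPLE_FEED = ["198.51.100.7", "010.8.8.8", "0127.0.0.01", "192.168.1.08", "300.1.1.1"]

if __name__ == "__main__":
    ok, bad = split_feed(SAMPLE_FEED)
    print("accepted:", ok)
    for addr, reason in bad:
        print("rejected:", addr, "-", reason)
```

Rejected entries keep both readings, so whoever reviews the feed can see which address each interpretation would produce.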