CVE-2022-21716: 
Python vulnerability analysis and mitigation

Twisted, an event-based framework for internet applications supporting Python 3.6+, was found to contain a vulnerability (CVE-2022-21716) in versions prior to 22.2.0. The vulnerability was discovered in the SSH client and server implementation, where it could accept an infinite amount of data for the peer's SSH version identifier (GitHub Advisory).

The vulnerability exists in the SSH client and server implementation where it naively accepts an unlimited amount of data for the peer's SSH version identifier. This results in a buffer that consumes all available memory. The vulnerability was assigned a CVSS v3.1 base score of 7.5 (High) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

A successful exploitation of this vulnerability leads to a denial of service condition by consuming all available memory on the target system. The attack can be executed with minimal complexity and requires no special privileges or user interaction (GitHub Advisory).

The vulnerability was patched in Twisted version 22.2.0. Until the patch can be applied, users can mitigate the risk by limiting access to the SSH server only to trusted source IP addresses and connecting over SSH only to trusted destination IP addresses (GitHub Advisory, Debian Advisory).

Multiple Linux distributions and software vendors responded to this vulnerability by releasing security updates, including Debian, Fedora, Oracle, and Gentoo. Debian released version 16.6.0-2+deb9u2 for Debian 9 'Stretch', while Fedora updated to version 22.4.0 (Debian Advisory, Fedora Update).