An update for python3 is now available for openEuler-22.03-LTS-SP3
Security Advisory
openeuler-security@openeuler.org
openEuler security committee
openEuler-SA-2024-2191
Final
1.0
1.0
2024-09-27
Initial
2024-09-27
2024-09-27
openEuler SA Tool V1.0
2024-09-27
python3 security update
An update for python3 is now available for openEuler-22.03-LTS-SP3
Python combines remarkable power with very clear syntax. It has modules, classes, exceptions, very high level dynamic data types, and dynamic typing. There are interfaces to many system calls and libraries, as well as to various windowing systems. New built-in modules are easily written in C or C++ (or other languages, depending on the chosen implementation). Python is also usable as an extension language for applications written in other languages that need easy-to-use scripting or automation interfaces.
Security Fix(es):
An issue was found in the CPython `tempfile.TemporaryDirectory` class affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.
The tempfile.TemporaryDirectory class would dereference symlinks during cleanup of permissions-related errors. This means users which can run privileged programs are potentially able to modify permissions of files referenced by symlinks in some circumstances.
(CVE-2023-6597)
An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.
The zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive.
(CVE-2024-0450)
There is a MEDIUM severity vulnerability affecting CPython.
The
“socket” module provides a pure-Python fallback to the
socket.socketpair() function for platforms that don’t support AF_UNIX,
such as Windows. This pure-Python implementation uses AF_INET or
AF_INET6 to create a local connected pair of sockets. The connection
between the two sockets was not verified before passing the two sockets
back to the user, which leaves the server socket vulnerable to a
connection race from a malicious local peer.
Platforms that support AF_UNIX such as Linux and macOS are not affected by this vulnerability. Versions prior to CPython 3.5 are not affected due to the vulnerable API not being included.(CVE-2024-3219)
There is a MEDIUM severity vulnerability affecting CPython.
Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives.(CVE-2024-6232)
An update for python3 is now available for openEuler-22.03-LTS-SP3.
openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.
High
python3
https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2191
https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2023-6597
https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-0450
https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-3219
https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-6232
https://nvd.nist.gov/vuln/detail/CVE-2023-6597
https://nvd.nist.gov/vuln/detail/CVE-2024-0450
https://nvd.nist.gov/vuln/detail/CVE-2024-3219
https://nvd.nist.gov/vuln/detail/CVE-2024-6232
openEuler-22.03-LTS-SP3
python3-help-3.9.9-31.oe2203sp3.noarch.rpm
python3-3.9.9-31.oe2203sp3.aarch64.rpm
python3-debug-3.9.9-31.oe2203sp3.aarch64.rpm
python3-debuginfo-3.9.9-31.oe2203sp3.aarch64.rpm
python3-debugsource-3.9.9-31.oe2203sp3.aarch64.rpm
python3-devel-3.9.9-31.oe2203sp3.aarch64.rpm
python3-unversioned-command-3.9.9-31.oe2203sp3.aarch64.rpm
python3-3.9.9-31.oe2203sp3.src.rpm
python3-3.9.9-31.oe2203sp3.x86_64.rpm
python3-debug-3.9.9-31.oe2203sp3.x86_64.rpm
python3-debuginfo-3.9.9-31.oe2203sp3.x86_64.rpm
python3-debugsource-3.9.9-31.oe2203sp3.x86_64.rpm
python3-devel-3.9.9-31.oe2203sp3.x86_64.rpm
python3-unversioned-command-3.9.9-31.oe2203sp3.x86_64.rpm
An issue was found in the CPython `tempfile.TemporaryDirectory` class affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.
The tempfile.TemporaryDirectory class would dereference symlinks during cleanup of permissions-related errors. This means users which can run privileged programs are potentially able to modify permissions of files referenced by symlinks in some circumstances.
2024-09-27
CVE-2023-6597
openEuler-22.03-LTS-SP3
High
7.8
AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
python3 security update
2024-09-27
https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2191
An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.The zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive.
2024-09-27
CVE-2024-0450
openEuler-22.03-LTS-SP3
Medium
6.2
AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
python3 security update
2024-09-27
https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2191
There is a MEDIUM severity vulnerability affecting CPython.
The
“socket” module provides a pure-Python fallback to the
socket.socketpair() function for platforms that don’t support AF_UNIX,
such as Windows. This pure-Python implementation uses AF_INET or
AF_INET6 to create a local connected pair of sockets. The connection
between the two sockets was not verified before passing the two sockets
back to the user, which leaves the server socket vulnerable to a
connection race from a malicious local peer.
Platforms that support AF_UNIX such as Linux and macOS are not affected by this vulnerability. Versions prior to CPython 3.5 are not affected due to the vulnerable API not being included.
2024-09-27
CVE-2024-3219
openEuler-22.03-LTS-SP3
Low
2.1
None
python3 security update
2024-09-27
https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2191
There is a MEDIUM severity vulnerability affecting CPython.Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives.
2024-09-27
CVE-2024-6232
openEuler-22.03-LTS-SP3
High
7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
python3 security update
2024-09-27
https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2191