<!--X-Body-Begin-->
<!--X-User-Header-->
oss-sec
mailing list archives
<!--X-User-Header-End-->
<!--X-TopPNI-->
By Date
By Thread
</form>
<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
Security fixes in Python 3.10.14, 3.9.19, and 3.8.19 (CVE-2023-6597 & CVE-2024-0450)
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->
From: Alan Coopersmith <alan.coopersmith () oracle com>
Date: Wed, 20 Mar 2024 16:35:37 -0700
<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
https://discuss.python.org/t/python-3-10-14-3-9-19-and-3-8-19-is-now-available/48993
announces the availability of Python 3.10.14, 3.9.19, and 3.8.19,
including these security fixes (see above URL for links to details on each):
- gh-115399 & gh-115398: bundled libexpat was updated to 2.6.0 to address
CVE-2023-52425, and control of the new reparse deferral functionality was
exposed with new APIs. Thanks to Sebastian Pipping, the maintainer of
libexpat, who worked with us directly on incorporating those fixes!
- gh-109858 : zipfile is now protected from the “quoted-overlap” zipbomb to
address CVE-2024-0450 . It now raises BadZipFile when attempting to read an
entry that overlaps with another entry or central directory
- gh-91133: tempfile.TemporaryDirectory cleanup no longer dereferences symlinks
when working around file system permission errors to address CVE-2023-6597
- gh-115197: urllib.request no longer resolves the hostname before checking it
against the system’s proxy bypass list on macOS and Windows
- gh-81194: a crash in socket.if_indextoname() with a specific value (UINT_MAX)
was fixed. Relatedly, an integer overflow in socket.if_indextoname() on 64-bit
non-Windows platforms was fixed
- gh-113659: .pth files with names starting with a dot or containing the hidden
file attribute are now skipped
- gh-102388: iso2022_jp_3 and iso2022_jp_2004 codecs no longer read out of
bounds
- gh-114572 : ssl.SSLContext.cert_store_stats() and
ssl.SSLContext.get_ca_certs() now correctly lock access to the certificate
store, when the ssl.SSLContext is shared across multiple threads
Presumably releases for 3.11 & 3.12 will follow as the announcements of the
two new CVEs listed them as also affected.
https://mail.python.org/archives/list/security-announce () python org/thread/XELNUX2L3IOHBTFU7RQHCY6OUVEWZ2FG/
said:
[CVE-2024-0450] Quoted zip-bomb protection for zipfile
An issue was found in the CPython `zipfile` module affecting versions
3.12.2, 3.11.8, 3.10.13, 3.9.18, and 3.8.18 and prior.
The zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit
the zip format to create a zip-bomb with a high compression ratio. The fixed
versions of CPython makes the zipfile module reject zip archives which overlap
entries in the archive.
*References*
* CVE: https://www.cve.org/CVERecord?id=CVE-2024-0450
* Patch: https://github.com/python/cpython/pull/110016
* Issue: https://github.com/python/cpython/issues/109858
https://mail.python.org/archives/list/security-announce () python org/thread/Q5C6ATFC67K53XFV4KE45325S7NS62LD/
said:
[CVE-2023-6597] tempfile.TemporaryDirectory dereferences symlinks during cleanup
An issue was found in the CPython `tempfile.TemporaryDirectory` class
affecting versions 3.12.2, 3.11.8, 3.10.13, 3.9.18, and 3.8.18 and prior.
The tempfile.TemporaryDirectory class would dereference symlinks during
cleanup of permissions-related errors. This means users which can run
privileged programs are potentially able to modify permissions of files
referenced by symlinks in some circumstances.
*References*
* CVE: https://www.cve.org/CVERecord?id=CVE-2023-6597
* Patch: https://github.com/python/cpython/pull/99930
* Issue: https://github.com/python/cpython/issues/91133
--
-Alan Coopersmith- alan.coopersmith () oracle com
Oracle Solaris Engineering - https://blogs.oracle.com/solaris
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
By Date
By Thread
Current thread:
Security fixes in Python 3.10.14, 3.9.19, and 3.8.19 (CVE-2023-6597 & CVE-2024-0450) Alan Coopersmith (Mar 20)
<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->