python3-3.6.8-48.el8.1.ML.1

Errata ID: AXSA:2023-5156:02

Release date: Wednesday, February 22, 2023 - 09:52
Subject: python3-3.6.8-48.el8.1.ML.1
Affected Channels: Asianux Server 8 for x86_64
Severity: Moderate
Description: 

Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems.

Security Fix(es):

* python: int() type in PyLong_FromString() does not limit amount of digits converting text to int leading to DoS (CVE-2020-10735)
* python: open redirection vulnerability in lib/http/server.py may lead to information disclosure (CVE-2021-28861)
* Python: CPU denial of service via inefficient IDNA decoder (CVE-2022-45061)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2020-10735
A flaw was found in Python. In algorithms with quadratic time complexity using non-binary bases, when using int("text"), a system could take 50ms to parse an int string with 100,000 digits and 5s for 1,000,000 digits (float, decimal, int.from_bytes(), and int() for binary bases 2, 4, 8, 16, and 32 are not affected). The highest threat from this vulnerability is to system availability.
CVE-2021-28861
** DISPUTED ** Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection against multiple (/) at the beginning of the URI path, which may lead to information disclosure. NOTE: this is disputed by a third party because the http.server.html documentation page states "Warning: http.server is not recommended for production. It only implements basic security checks."
CVE-2022-45061
An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a malicious actor; in such a scenario, they could trigger excessive CPU consumption on the client attempting to make use of an attacker-supplied supposed hostname. For example, the attack payload could be placed in the Location header of an HTTP response with status code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16.
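
An application-level size guard for the two quadratic-time paths described above (CVE-2020-10735 and CVE-2022-45061), given here as an added example that is not part of the advisory or of the Python packages. The function names and the limits are assumptions chosen for illustration; the hostname limits are the DNS maxima, and 4300 digits is the default cap upstream CPython adopted in its fix.

```python
import sys
from urllib.parse import urlsplit

# Assumed application limits (not from the advisory); tune to your data.
MAX_INT_DIGITS = 4300      # digits accepted before int() is called
MAX_HOSTNAME_LEN = 253     # DNS limit on a full name
MAX_LABEL_LEN = 63         # DNS limit on a single label


def runtime_has_digit_limit():
    """True if this interpreter exposes the int/str digit cap."""
    return hasattr(sys, "get_int_max_str_digits")


def parse_bounded_int(text, max_digits=MAX_INT_DIGITS):
    """Parse a decimal int, rejecting oversized input before int() sees it."""
    stripped = text.strip()
    digits = stripped.lstrip("+-")
    if not digits or len(digits) > max_digits:
        raise ValueError("integer literal empty or over %d digits" % max_digits)
    return int(stripped, 10)


def decode_idna_hostname(raw):
    """Run the IDNA decoder only on names that fit the DNS size limits."""
    if isinstance(raw, str):
        # Non-ASCII input raises UnicodeEncodeError, a ValueError subclass.
        raw = raw.encode("ascii")
    name = raw.rstrip(b".")
    if not name or len(name) > MAX_HOSTNAME_LEN:
        raise ValueError("hostname empty or over %d bytes" % MAX_HOSTNAME_LEN)
    for label in name.split(b"."):
        if not label or len(label) > MAX_LABEL_LEN:
            raise ValueError("label empty or over %d bytes" % MAX_LABEL_LEN)
    return name.decode("idna")


def redirect_host(location):
    """Size-checked host of a Location header value; None if it is relative."""
    host = urlsplit(location).hostname
    if host is None:
        return None
    return decode_idna_hostname(host)
```

These checks bound the input on interpreters that have not yet been updated; they do not replace installing the fixed packages.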

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. python3-3.6.8-48.el8.1.ML.1.src.rpm
    Size: 18.25 MB

Asianux Server 8 for x86_64
  1. platform-python-3.6.8-48.el8.1.ML.1.i686.rpm
    Size: 85.09 kB
  2. platform-python-3.6.8-48.el8.1.ML.1.x86_64.rpm
    Size: 85.16 kB
  3. platform-python-debug-3.6.8-48.el8.1.ML.1.i686.rpm
    Size: 2.73 MB
  4. platform-python-debug-3.6.8-48.el8.1.ML.1.x86_64.rpm
    Size: 2.69 MB
  5. platform-python-devel-3.6.8-48.el8.1.ML.1.i686.rpm
    Size: 249.59 kB
  6. platform-python-devel-3.6.8-48.el8.1.ML.1.x86_64.rpm
    Size: 250.34 kB
  7. python3-idle-3.6.8-48.el8.1.ML.1.i686.rpm
    Size: 826.55 kB
  8. python3-idle-3.6.8-48.el8.1.ML.1.x86_64.rpm
    Size: 826.56 kB
  9. python3-libs-3.6.8-48.el8.1.ML.1.i686.rpm
    Size: 7.88 MB
  10. python3-libs-3.6.8-48.el8.1.ML.1.x86_64.rpm
    Size: 7.81 MB
  11. python3-test-3.6.8-48.el8.1.ML.1.i686.rpm
    Size: 8.65 MB
  12. python3-test-3.6.8-48.el8.1.ML.1.x86_64.rpm
    Size: 8.64 MB
  13. python3-tkinter-3.6.8-48.el8.1.ML.1.i686.rpm
    Size: 373.37 kB
  14. python3-tkinter-3.6.8-48.el8.1.ML.1.x86_64.rpm
    Size: 371.84 kB