python3.9-3.9.16-1.el9.2

エラータID: AXSA:2023-6477:04

Release date: 
Monday, October 9, 2023 - 13:43
Subject: 
python3.9-3.9.16-1.el9.2
Affected Channels: 
MIRACLE LINUX 9 for x86_64
Severity: 
High
Description: 

Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems.

Security Fix(es):

* python: TLS handshake bypass (CVE-2023-40217)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2023-40217
An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as "not connected" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket.)

Solution: 

Update packages.

CVEs: 
CVE-2023-40217
An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as "not connected" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket.)
Additional Info: 

N/A

Download: 

SRPMS
  1. python3.9-3.9.16-1.el9.2.src.rpm
    MD5: 2be18d77b163598172e01d4e591cc95a
    SHA-256: e9adc8226761c37d9265cebd57f7089fe091a627b80b1f3d93b8d674a4c9de13
    Size: 19.42 MB

Asianux Server 9 for x86_64
  1. python3-3.9.16-1.el9.2.i686.rpm
    MD5: daba3e45351a6608e74de8b8927a77f8
    SHA-256: 4769223f11f1a2c9844c61b2b938db09c7158403d4e98e36411c83530c2742f3
    Size: 25.00 kB
  2. python3-3.9.16-1.el9.2.x86_64.rpm
    MD5: f33a2d743631226a2583806829b478f7
    SHA-256: 37a1b80db7733196f86484208f53718f895c5cc4a5e5828a8245ebbb6883fa2a
    Size: 24.93 kB
  3. python3-debug-3.9.16-1.el9.2.i686.rpm
    MD5: 9a5b6ff31b7ab910dba877d2c9c8b718
    SHA-256: 8771f41d38cb5bce5862ac2075744de89d62ab45bb9934385318afa9461ffae0
    Size: 2.82 MB
  4. python3-debug-3.9.16-1.el9.2.x86_64.rpm
    MD5: 0aef554d3fe5447d0ea148d8c9b8191e
    SHA-256: df923c262fcf6ce212736efc42b826607920e8802f739d3644e70b1205a087f1
    Size: 2.98 MB
  5. python3-devel-3.9.16-1.el9.2.i686.rpm
    MD5: 76103f635da3abad928c3a3d16ebeb34
    SHA-256: 6e61d6a8d682d354130cee42f804897f716b6457e2e6dac640cbfc1fa007be1a
    Size: 204.48 kB
  6. python3-devel-3.9.16-1.el9.2.x86_64.rpm
    MD5: d0b7145b6de17c36039327d66d9d2d7f
    SHA-256: dd9e45b8972d9aa23e38bd5ff09932a8b8c2217dd772ce7045c065f3a737d77a
    Size: 204.43 kB
  7. python3-idle-3.9.16-1.el9.2.i686.rpm
    MD5: 6a21063632b4f33f49642b4b477ffe89
    SHA-256: 58bfa62c0f01e61153bd346ba0aac991b0000d100f5d843526f38c86c3f48c3e
    Size: 769.40 kB
  8. python3-idle-3.9.16-1.el9.2.x86_64.rpm
    MD5: ea76bf152642e9320c6cfab17bcff13a
    SHA-256: b5ee66a1e8efe5a496b28fa5d7e7a4108c4517dace87208aebfab0670e29c649
    Size: 769.40 kB
  9. python3-libs-3.9.16-1.el9.2.i686.rpm
    MD5: 96dfabe6edfa731623d2813036190e9c
    SHA-256: 197351e8cc68ade8bff289888cd6ffaf8c691cf4a868d1a06c4dcbdd95ad27a0
    Size: 7.36 MB
  10. python3-libs-3.9.16-1.el9.2.x86_64.rpm
    MD5: d754d2e6945252a09708f34fd2cc6437
    SHA-256: ead6e3faeaef296c4491c52aa19f6ec99669ff8f5f1f0838c26842a75409af73
    Size: 7.28 MB
  11. python3-test-3.9.16-1.el9.2.i686.rpm
    MD5: 739e25234a54938a5f8c470b74d37015
    SHA-256: 648ca7f12b53aac55a2b8d19f2544728cb4d0f9798e741e9fe4a26513c8e2e59
    Size: 9.27 MB
  12. python3-test-3.9.16-1.el9.2.x86_64.rpm
    MD5: 400e6700c4827f248a430aa64e56d291
    SHA-256: ecbff042eecfac958ab1832625c6fc5a251ac432850be2c53a827fa0614b399b
    Size: 9.26 MB
  13. python3-tkinter-3.9.16-1.el9.2.i686.rpm
    MD5: 6e1e9e92ae712ed96a737c5e1f19e520
    SHA-256: 5a5b0c02593db65ad2cff5af5dbca9328ca5e8415fdce0fd7d417874bfaa8950
    Size: 309.39 kB
  14. python3-tkinter-3.9.16-1.el9.2.x86_64.rpm
    MD5: 1d704b465a12f776e8c59ee44086fa5b
    SHA-256: 3414e153f102bad822972da539e55547a204bcfbbea1c68eccf09c58169da645
    Size: 307.82 kB
  15. python-unversioned-command-3.9.16-1.el9.2.noarch.rpm
    MD5: 17b9ea73d2e4614310915ab6783ecf0f
    SHA-256: 2983705184615d770024295cbafe017d3d031cb0a82d95f2b30dd4a22b87d22f
    Size: 8.53 kB