python3.11-3.11.2-2.el9.2

エラータID: AXSA:2023-6478:03

Release date: 
Wednesday, October 11, 2023 - 01:37
Subject: 
python3.11-3.11.2-2.el9.2
Affected Channels: 
MIRACLE LINUX 9 for x86_64
Severity: 
High
Description: 

Python is an accessible, high-level, dynamically typed, interpreted programming language, designed with an emphasis on code readability. It includes an extensive standard library, and has a vast ecosystem of third-party libraries.

Security Fix(es):

* python: TLS handshake bypass (CVE-2023-40217)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2023-40217
An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as "not connected" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket.)

Solution: 

Update packages.

CVEs: 
CVE-2023-40217
An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as "not connected" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket.)
Additional Info: 

N/A

Download: 

SRPMS
  1. python3.11-3.11.2-2.el9.2.src.rpm
    MD5: bc5b8fa0b6a1fbd5477afb24512af450
    SHA-256: ecf61eb7465d6d723dc20481808628f3681d851538835695414f3fca81d07cc1
    Size: 19.04 MB

Asianux Server 9 for x86_64
  1. python3.11-3.11.2-2.el9.2.i686.rpm
    MD5: a7b4531f7bb1da898f4e37dd5e663db0
    SHA-256: 8a6a04fdc96b752bd1e5e086f0c356591f92dbc462b6fe9d3cd0c249d0662bc6
    Size: 25.59 kB
  2. python3.11-3.11.2-2.el9.2.x86_64.rpm
    MD5: 0045bbfecd4a7baeea35cf5ce09c50bb
    SHA-256: a7a3c8a4b9b77f652ffa6f276188831ca82309da3492809989573f9e505a34d3
    Size: 25.50 kB
  3. python3.11-debug-3.11.2-2.el9.2.i686.rpm
    MD5: a29786e43eb7528365656abe72454e0a
    SHA-256: 2e4994afa496c75d5424fe1deda90cd803ad4bad9666351358be8fea059248b1
    Size: 3.18 MB
  4. python3.11-debug-3.11.2-2.el9.2.x86_64.rpm
    MD5: fe9655bcc0a1908b2e7f81d15c6015f5
    SHA-256: 9ba80ef664e697f0659252777417a4bbab13011da8adec395e61886b260355d1
    Size: 3.33 MB
  5. python3.11-devel-3.11.2-2.el9.2.i686.rpm
    MD5: 0d1eccfb26b44bcea6b033d46791e8ea
    SHA-256: 74fc775be98b743b54909bc339aff9354fcd4b3908f9ceac1b90de498ca6d585
    Size: 232.10 kB
  6. python3.11-devel-3.11.2-2.el9.2.x86_64.rpm
    MD5: 278ce62805b88eeee697b5fc861d28bf
    SHA-256: 4cef3c11dc169066bd93c8dfaf5febb2ce983eb9298a2d3ffe0c0abe9a271c11
    Size: 232.07 kB
  7. python3.11-idle-3.11.2-2.el9.2.i686.rpm
    MD5: bd16f248f8bbda76521c821f2b0d293b
    SHA-256: ff9c729d8149f3de256a119cdf5099d8ba20bc0eaec73dbc4b0b399dfb0dffb5
    Size: 0.96 MB
  8. python3.11-idle-3.11.2-2.el9.2.x86_64.rpm
    MD5: 93fd91777c90e0df7a94fd40bd5050f8
    SHA-256: f6917b9078b31a9852e81b9964149ac94e20d512d5426ab45f952ec777fe9ab5
    Size: 0.96 MB
  9. python3.11-libs-3.11.2-2.el9.2.i686.rpm
    MD5: 485f1b0d547cfe40e7adef21080cb22a
    SHA-256: c59ba4de9f22951763ff5e98e034d113da8a5e17ca8bb5e4107c8653c01cceb6
    Size: 9.35 MB
  10. python3.11-libs-3.11.2-2.el9.2.x86_64.rpm
    MD5: 1a26a4caacca25781c45fa98cdde8781
    SHA-256: 68153bbbd181777084e93b259ccd779ddbacc3d6dcb6e0559ea91b756a5f9ecc
    Size: 9.30 MB
  11. python3.11-test-3.11.2-2.el9.2.i686.rpm
    MD5: 9a1a0e5d242108d2ec19542c910e5976
    SHA-256: 6b5205cb4c5ddbff9baadcb0e63a2d526598b8b15cda2c4f6760706b579e6495
    Size: 13.64 MB
  12. python3.11-test-3.11.2-2.el9.2.x86_64.rpm
    MD5: b0666da75193767bffe3fd7f52df15c4
    SHA-256: 929211b6ca2d8018b4c7c7513f581808cc29965ced0d68f366e577cd65655896
    Size: 13.63 MB
  13. python3.11-tkinter-3.11.2-2.el9.2.i686.rpm
    MD5: 2364cda7e7753610266cc620b9a42c48
    SHA-256: 103e24673738403e3d5309784c7951640f461d5dcbc655693b50431fe280cdce
    Size: 393.38 kB
  14. python3.11-tkinter-3.11.2-2.el9.2.x86_64.rpm
    MD5: e0502c4f420509cd56eed093b377beb5
    SHA-256: f9b7550ce959d3c757cb1746abaa8f4893e7f5b5a6c3beb40fa8a03f3e10b035
    Size: 391.60 kB