python3.11-3.11.2-2.el8.2

エラータID: AXSA:2023-6479:04

Release date: 
Monday, October 9, 2023 - 15:05
Subject: 
python3.11-3.11.2-2.el8.2
Affected Channels: 
Asianux Server 8 for x86_64
Severity: 
High
Description: 

Python is an accessible, high-level, dynamically typed, interpreted programming language, designed with an emphasis on code readability. It includes an extensive standard library, and has a vast ecosystem of third-party libraries.

Security Fix(es):

* python: TLS handshake bypass (CVE-2023-40217)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2023-40217
An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as "not connected" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket.)

Solution: 

Update packages.

CVEs: 
CVE-2023-40217
An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as "not connected" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket.)
Additional Info: 

N/A

Download: 

SRPMS
  1. python3.11-3.11.2-2.el8.2.src.rpm
    MD5: 5531abb388d3435571a6ddc463b19824
    SHA-256: 976ae86761b45c2a18a6a9ba531ca77b42d790753ad131f8f1f03436d720b1f6
    Size: 19.04 MB

Asianux Server 8 for x86_64
  1. python3.11-3.11.2-2.el8.2.i686.rpm
    MD5: b71e5a744f1835d60b68c219d91d31cf
    SHA-256: 2b04bfc3eba7ffe5982178ac7d94850525ec83d6ddf61720edb65c3e3eb18603
    Size: 28.98 kB
  2. python3.11-3.11.2-2.el8.2.x86_64.rpm
    MD5: 3665141c038fd568ad9a56f31b30cae4
    SHA-256: 96c8be48b6beffc5005f5d003ecd172de7f9a9238c9118227b5e734d16e9ea3c
    Size: 28.89 kB
  3. python3.11-debug-3.11.2-2.el8.2.i686.rpm
    MD5: 99fb0d94b5b570ecb72e111153d5db65
    SHA-256: 3473eed3a034827026834da22343bef0aa460bec24b60dc77f3a8a1a4da71f5c
    Size: 3.18 MB
  4. python3.11-debug-3.11.2-2.el8.2.x86_64.rpm
    MD5: 39d06a805f4118ced8c4ccde09b96ec9
    SHA-256: 0d4ffc09dd06b4306c401d376577026916b37662f3a291bb5a428fb284dadf8b
    Size: 3.32 MB
  5. python3.11-devel-3.11.2-2.el8.2.i686.rpm
    MD5: 16d7fda6aebb0c686d5dac5342023fdd
    SHA-256: 4add911b477fb613a4f5308c5fbe181c2eae63a974c407e3b21881e8be8a4ba9
    Size: 246.13 kB
  6. python3.11-devel-3.11.2-2.el8.2.x86_64.rpm
    MD5: 8a4be20f1aff3ef3b3f28f5a5769ec0c
    SHA-256: da8f0427048230432964717e4253de566d478287cc38a27d45dc5d114ae124f2
    Size: 246.09 kB
  7. python3.11-idle-3.11.2-2.el8.2.i686.rpm
    MD5: b2c10589a4a6bb7e01f76ece5b129d8a
    SHA-256: 2f758263b9714d7ab3ed5e7cf6be92efd258b28adf9b17f2eabeec4b8ad98036
    Size: 1.30 MB
  8. python3.11-idle-3.11.2-2.el8.2.x86_64.rpm
    MD5: 1b85fed79503201c63c606768365fdb0
    SHA-256: c571ac266d2bfc688678139498d73e99b64be2afbbd01e7a224b5f37f717b94a
    Size: 1.30 MB
  9. python3.11-libs-3.11.2-2.el8.2.i686.rpm
    MD5: 682f40530d228275e2c5a878bc497493
    SHA-256: bc27abde60ab7a98c906cc54f49fc7b227ba47239a4194c8edac63e81e319f3a
    Size: 10.45 MB
  10. python3.11-libs-3.11.2-2.el8.2.x86_64.rpm
    MD5: 39a78ae63b046da683d224ed2423abb1
    SHA-256: cb32c8bf0f3a1915d2d568c9ef7680bb359b1dc6c005cbad750fa3f051b59866
    Size: 10.35 MB
  11. python3.11-rpm-macros-3.11.2-2.el8.2.noarch.rpm
    MD5: 7cb32384ff591ea36ec2cc7803a3e767
    SHA-256: a6a6c4d11de1ded1e70cf06c92d239a8713399ed371c6eae12cbbbbd633cdfc9
    Size: 11.09 kB
  12. python3.11-test-3.11.2-2.el8.2.i686.rpm
    MD5: cab97bc80ac8660b03386f1b65a09786
    SHA-256: a009cef97937e7c289e073014e579f50f05abdd38bc5e8d226333e99e34bda74
    Size: 14.94 MB
  13. python3.11-test-3.11.2-2.el8.2.x86_64.rpm
    MD5: a507940d8e9cfb1e7e53ce2f53f52a83
    SHA-256: bf43d4d928ec4e173b75735d09c88ee19959ce542002423118f427b7c634d8ab
    Size: 14.94 MB
  14. python3.11-tkinter-3.11.2-2.el8.2.i686.rpm
    MD5: 4150386c790eca8979b13c3c3844be75
    SHA-256: 89fb1b8df339e4e7e055aa22abf902a9ed24ba4830c75394527a2fe55d6c5d22
    Size: 407.50 kB
  15. python3.11-tkinter-3.11.2-2.el8.2.x86_64.rpm
    MD5: 0bb53767d7ce6d1a3c2f3d7a958b3c14
    SHA-256: 3c7d59570bf1768164e9e9484244e0fb04cf1fa4623087a6dd9a9ee1822522c2
    Size: 406.09 kB