python3-3.6.8-21.el7

エラータID: AXSA:2023-6570:07

Release date: 
Thursday, November 9, 2023 - 06:54
Subject: 
python3-3.6.8-21.el7
Affected Channels: 
Asianux Server 7 for x86_64
Severity: 
High
Description: 

Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems.

Security Fix(es):

* python: TLS handshake bypass (CVE-2023-40217)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2023-40217
An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as "not connected" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket.)

Solution: 

Update packages.

CVEs: 
CVE-2023-40217
An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as "not connected" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket.)
Additional Info: 

N/A

Download: 

SRPMS
  1. python3-3.6.8-21.el7.src.rpm
    MD5: d0f28e745206e7b4f54f97aa8f89ccb9
    SHA-256: aeeb58cc4379e08ebe23c947f9b641ba480367326a6d83b1b0cee8c6970f71ff
    Size: 16.62 MB

Asianux Server 7 for x86_64
  1. python3-3.6.8-21.el7.i686.rpm
    MD5: f4d03ad0d34ecef6d13524c66d1b1dec
    SHA-256: 3fac3272cf0728364f845889c635fe6fbc4967f532d91b625a99bcf536cdcc9c
    Size: 69.72 kB
  2. python3-3.6.8-21.el7.x86_64.rpm
    MD5: ffaeb63af561a3ead2f2e8866f86ad9e
    SHA-256: 1f115ac46cd96001cc510c86c3010c33896b8693a0460c877521f4607951963e
    Size: 69.65 kB
  3. python3-debug-3.6.8-21.el7.i686.rpm
    MD5: bf8a4bbc81ec5f6fe2f670ad6e103a15
    SHA-256: 6d44a8ce496f94afd06b04be0fdc8e07cc374665bfbf9c0bc6ce4ee3c7180693
    Size: 2.42 MB
  4. python3-debug-3.6.8-21.el7.x86_64.rpm
    MD5: 99ad10ff727b160f49ea6c055936a08c
    SHA-256: e5025b327dd4034e6162a4c5b965bfffdcd3d1e1324c83acc35324eae37d7bc1
    Size: 2.64 MB
  5. python3-devel-3.6.8-21.el7.i686.rpm
    MD5: 04251206c24da733ab1d4618cf79ad2d
    SHA-256: 0876342412322e44cdf4b970498c628178062e0d37fb0e52a5750a1a033610bc
    Size: 216.49 kB
  6. python3-devel-3.6.8-21.el7.x86_64.rpm
    MD5: 24d93d74b7bd5e53b5a04af159b3f010
    SHA-256: 3af21f8deef84cd862ae40eec9422bbdd8eb88605ff8a5d82560a376acfde679
    Size: 216.30 kB
  7. python3-idle-3.6.8-21.el7.i686.rpm
    MD5: 417ee7b7f27bf6d7eea9ac0c55b9c608
    SHA-256: 5ddbb2648722d9570f8aa9471b5955b2f2357203fdcbc2de3c713c5d5b0dee12
    Size: 778.73 kB
  8. python3-idle-3.6.8-21.el7.x86_64.rpm
    MD5: 35d1bb93286913b5e8543191d08f2c9e
    SHA-256: 24b429f697d09d2bf8eacaeff7e4b8a5201abe1759cf54137ff7c829a712bd34
    Size: 778.69 kB
  9. python3-libs-3.6.8-21.el7.i686.rpm
    MD5: 3c38f2e9219a34a329acc7a01f6c3f8a
    SHA-256: cf675b1a3d4f56779bdfa09fda7edcdeb07eabae12c6a57eb1293b3004b27939
    Size: 6.85 MB
  10. python3-libs-3.6.8-21.el7.x86_64.rpm
    MD5: 1c4ccca7f5b565d14fb10f46e032256e
    SHA-256: 3b5c3400757f93b0dc563258cfb06b2463877ef4a19d156e5afd537f5c04f262
    Size: 6.95 MB
  11. python3-test-3.6.8-21.el7.i686.rpm
    MD5: e443628915e1a4d5e1dd4161d1dd7936
    SHA-256: 44af1b66bc0090d29f023b6ef6f437976ebede00a1e4066dadb3b29c15685507
    Size: 7.25 MB
  12. python3-test-3.6.8-21.el7.x86_64.rpm
    MD5: 6017362a9aba66896e435122fa880059
    SHA-256: d506323cb6a4e066632c0186ed8c2c0e8aae37f47af6ef4923b370337740f43e
    Size: 7.25 MB
  13. python3-tkinter-3.6.8-21.el7.i686.rpm
    MD5: a0d27274c8e5b9323d6a009cdcfe33bb
    SHA-256: bb554f9adbbdf6962cc10b2d30243abf2bbada4ca79898b71942982be1aebe5a
    Size: 365.09 kB
  14. python3-tkinter-3.6.8-21.el7.x86_64.rpm
    MD5: 72f5b3ca27496cf5c5168b7d9ef6b96d
    SHA-256: e6794a0f36b8346c9ece4b53a3e60da73b8cabc0ca817abd0240949a5b492501
    Size: 365.05 kB