python3-3.6.8-69.el8_10.ML.1

エラータID: AXSA:2024-9057:07

Release date: 
Tuesday, December 10, 2024 - 11:24
Subject: 
python3-3.6.8-69.el8_10.ML.1
Affected Channels: 
Asianux Server 8 for x86_64
Severity: 
Moderate
Description: 

Python is an interpreted, interactive, object-oriented programming language,
which includes modules, classes, exceptions, very high level dynamic data types
and dynamic typing. Python supports interfaces to many system calls and
libraries, as well as to various windowing systems.

Security Fix(es):

python: Virtual environment (venv) activation scripts don't quote paths
(CVE-2024-9287)
python: Improper validation of IPv6 and IPvFuture addresses (CVE-2024-11168)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s)
listed in the References section.

CVE(s):
CVE-2024-9287
A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment "activation" scripts (ie "source venv/bin/activate"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie "./venv/bin/python") are not affected.
CVE-2024-11168
The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts (`[]`), allowing hosts that weren't IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potentially enabled SSRF if a URL is processed by more than one URL parser.

Solution: 

Update packages.

CVEs: 
CVE-2024-11168
The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts (`[]`), allowing hosts that weren't IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potentially enabled SSRF if a URL is processed by more than one URL parser.
CVE-2024-9287
A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment "activation" scripts (ie "source venv/bin/activate"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie "./venv/bin/python") are not affected.
Additional Info: 

N/A

Download: 

SRPMS
  1. python3-3.6.8-69.el8_10.ML.1.src.rpm
    MD5: f17ee79e503c3fdcd9b1383ff5f71b99
    SHA-256: b42d428d55ddc2f6ada92f44cbddfc1981df2bc73581596ebdebd2e129513dca
    Size: 18.33 MB

Asianux Server 8 for x86_64
  1. platform-python-3.6.8-69.el8_10.ML.1.i686.rpm
    MD5: 4c4e68b846d04a58b4dac600873b0b6c
    SHA-256: dc3d8a9ee9280ef5f07c1bfc5283654b530190a97001398b832d96662f2a5181
    Size: 87.58 kB
  2. platform-python-3.6.8-69.el8_10.ML.1.x86_64.rpm
    MD5: cd92b0be52a78d3fffe3e77995c6e21f
    SHA-256: 0a20e98796e698227ba324e7552f3b598614c04a1073bdfe1c39bfa8496068c5
    Size: 87.65 kB
  3. platform-python-debug-3.6.8-69.el8_10.ML.1.i686.rpm
    MD5: 3e29fae81e2995f46b5aa43a526b7ae8
    SHA-256: 3b4a68bb48622468a9fcaccf787c0aea4f31f3562c0ebaec9123cdaf0500ef16
    Size: 2.72 MB
  4. platform-python-debug-3.6.8-69.el8_10.ML.1.x86_64.rpm
    MD5: a6ebfeef38a476d4471da4a5ce56a44e
    SHA-256: b55f9d71a007ce7799b77fde902a9ba116d4327d9b16b3def12cb6092db19a2d
    Size: 2.68 MB
  5. platform-python-devel-3.6.8-69.el8_10.ML.1.i686.rpm
    MD5: 1105bd99a488b968ac39ad8bcbd551bd
    SHA-256: 9617ef3832dd79d1dbac3cfd6678068013a4d78d9669be2e157eb579de4689f6
    Size: 240.91 kB
  6. platform-python-devel-3.6.8-69.el8_10.ML.1.x86_64.rpm
    MD5: 7d3a64197b2f1c55b810c7adbdda11c8
    SHA-256: 78c7ff3fe649b46e17c592f26c41e5e4d0f48e1dd6cf9e7617cf6523c912a9b3
    Size: 241.14 kB
  7. python3-idle-3.6.8-69.el8_10.ML.1.i686.rpm
    MD5: 730dcbfa571596220240851b389f05e1
    SHA-256: 7caa20111b48857556fb52da3f8e94fc887f87854954fc5b6694aefa45b071fe
    Size: 829.08 kB
  8. python3-idle-3.6.8-69.el8_10.ML.1.x86_64.rpm
    MD5: 28711153f1a468b2138461f07d21a255
    SHA-256: f35590618da689491f02817684e065925e8f5d9d2b8dbd1541eda0c2df4e5297
    Size: 829.01 kB
  9. python3-libs-3.6.8-69.el8_10.ML.1.i686.rpm
    MD5: 005f2d451093baf6b0ef37e93eedec20
    SHA-256: 01cd8c36d8141cd66d4fdb127f0691b633dfda4e4b89a6b348195f11d760ce02
    Size: 7.91 MB
  10. python3-libs-3.6.8-69.el8_10.ML.1.x86_64.rpm
    MD5: f82698a084ca28e7dd0351d990e62b78
    SHA-256: d16c0c605d5694e4e85bb532df0e12c6ab35ab37058b0ca48a99f7d5d5ff7d94
    Size: 7.84 MB
  11. python3-test-3.6.8-69.el8_10.ML.1.i686.rpm
    MD5: 125a7a320e1916d8c119fabe4bb3620f
    SHA-256: 7eb397c7e56c77c9fa8fc07c8b4231b532cd93cc834bd6f825e22ecf06c4877a
    Size: 8.69 MB
  12. python3-test-3.6.8-69.el8_10.ML.1.x86_64.rpm
    MD5: 862c01f969ea08ca42cc5b0bf3aa621a
    SHA-256: ad40092a023f5b6a8efcf2fe8fd3c5237dd2b1e2c882ec5606537cf62be9358e
    Size: 8.70 MB
  13. python3-tkinter-3.6.8-69.el8_10.ML.1.i686.rpm
    MD5: 2e5ec3be293ecd6d25abf82500cbb326
    SHA-256: d8edbfc3778f332ba246dbbe598264eaff254845f489f9739c9c4e084058fd29
    Size: 375.86 kB
  14. python3-tkinter-3.6.8-69.el8_10.ML.1.x86_64.rpm
    MD5: aafe6f435194b4d2301fef766bb6a215
    SHA-256: c6f87b22007700dafb4c67c3937d31a555fa714b2a2363095afa5f94dacd6266
    Size: 374.33 kB