python3.11-3.11.9-7.el9
Errata ID: AXSA:2024-9265:28
Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems.
Security Fix(es):
* python: The zipfile module is vulnerable to zip-bombs leading to denial of service (CVE-2024-0450)
* python: cpython: Iterating over a malicious ZIP file may lead to Denial of Service (CVE-2024-8088)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the MIRACLE LINUX 9.5 Release Notes linked from the References section.
CVE-2024-0450
An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior. The zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython make the zipfile module reject zip archives which overlap entries in the archive.
CVE-2024-8088
There is a HIGH severity vulnerability affecting the CPython "zipfile" module affecting "zipfile.Path". Note that the more common API "zipfile.ZipFile" class is unaffected. When iterating over names of entries in a zip archive (for example, methods of "zipfile.Path" like "namelist()", "iterdir()", etc) the process can be put into an infinite loop with a maliciously crafted zip archive. This defect applies when reading only metadata or extracting the contents of the zip archive. Programs that are not handling user-controlled zip archives are not affected.
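A pre-extraction metadata check for user-supplied archives, as an added example that is not part of the original advisory and is not CPython's own fix: it reads entries through `zipfile.ZipFile` (the API the CVE-2024-8088 text above describes as unaffected) and flags the overlapping entries and extreme compression ratios described for CVE-2024-0450. The `Entry` record, the `audit` function, its thresholds and the sample archive are assumptions constructed for illustration.

```python
import io
import zipfile
from dataclasses import dataclass

LOCAL_HEADER_FIXED = 30  # fixed part of a ZIP local file header, in bytes


@dataclass
class Entry:
    name: str
    header_offset: int   # where the entry's local header starts in the file
    compress_size: int
    file_size: int       # declared uncompressed size


def entries_from_zip(data: bytes) -> list[Entry]:
    """Read central-directory metadata only, via ZipFile (not zipfile.Path)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [Entry(i.filename, i.header_offset, i.compress_size, i.file_size)
                for i in zf.infolist()]


def audit(entries, max_total=100 * 1024 * 1024, max_ratio=200):
    """Return a list of findings; an empty list means the metadata looks sane."""
    findings = []
    total = sum(e.file_size for e in entries)
    if total > max_total:
        findings.append(f"total uncompressed size {total} exceeds {max_total}")
    prev_end, prev_name = 0, None
    for e in sorted(entries, key=lambda e: e.header_offset):
        # Lower bound on the entry's extent: name and extra-field lengths are
        # left out, so a reported overlap is never a false positive.
        end = e.header_offset + LOCAL_HEADER_FIXED + e.compress_size
        if prev_name is not None and e.header_offset < prev_end:
            findings.append(f"{e.name!r} overlaps {prev_name!r}")
        if e.file_size > max_ratio * max(e.compress_size, 1):
            findings.append(f"{e.name!r} compression ratio above {max_ratio}")
        if end > prev_end:
            prev_end, prev_name = end, e.name
    return findings


def sample_zip() -> bytes:
    """Constructed benign archive used as sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docs/readme.txt", "hello\n" * 50)
        zf.writestr("data.bin", bytes(range(256)))
    return buf.getvalue()
```

Running `audit(entries_from_zip(data))` before any extraction lets a service reject an upload on metadata alone; it complements the package update and does not replace it.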
Update packages.
N/A
SRPMS
- python3.11-3.11.9-7.el9.src.rpm
Size: 19.32 MB
Asianux Server 9 for x86_64
- python3.11-3.11.9-7.el9.i686.rpm
Size: 26.67 kB
- python3.11-3.11.9-7.el9.x86_64.rpm
Size: 26.58 kB
- python3.11-debug-3.11.9-7.el9.i686.rpm
Size: 3.25 MB
- python3.11-debug-3.11.9-7.el9.x86_64.rpm
Size: 3.41 MB
- python3.11-devel-3.11.9-7.el9.i686.rpm
Size: 281.40 kB
- python3.11-devel-3.11.9-7.el9.x86_64.rpm
Size: 281.29 kB
- python3.11-idle-3.11.9-7.el9.i686.rpm
Size: 1.09 MB
- python3.11-idle-3.11.9-7.el9.x86_64.rpm
Size: 1.09 MB
- python3.11-libs-3.11.9-7.el9.i686.rpm
Size: 10.22 MB
- python3.11-libs-3.11.9-7.el9.x86_64.rpm
Size: 10.17 MB
- python3.11-test-3.11.9-7.el9.i686.rpm
Size: 15.31 MB
- python3.11-test-3.11.9-7.el9.x86_64.rpm
Size: 15.30 MB
- python3.11-tkinter-3.11.9-7.el9.i686.rpm
Size: 429.26 kB
- python3.11-tkinter-3.11.9-7.el9.x86_64.rpm
Size: 427.73 kB