python3.9-3.9.16-1.el9.2
Errata ID: AXSA:2023-6477:04
Release date:
2023/10/09 Monday - 13:43
Title:
python3.9-3.9.16-1.el9.2
Affected channels:
MIRACLE LINUX 9 for x86_64
Severity:
High
Description:
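The following issues have been addressed.
[Security Fix]
- Instances of Python's ssl.SSLSocket have an issue in which unencrypted data that was sent is treated as TLS-encrypted data. As a result, a vulnerability exists that allows a remote attacker to modify or delete resources without authorization by closing a socket created for TLS authentication before the handshake begins. (CVE-2023-40217)
Solution:
Update the packages.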
CVE:
CVE-2023-40217
An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as "not connected" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket.)
Additional information:
N/A
Downloads:
SRPMS
- python3.9-3.9.16-1.el9.2.src.rpm
MD5: 2be18d77b163598172e01d4e591cc95a
SHA-256: e9adc8226761c37d9265cebd57f7089fe091a627b80b1f3d93b8d674a4c9de13
Size: 19.42 MB
Asianux Server 9 for x86_64
- python3-3.9.16-1.el9.2.i686.rpm
MD5: daba3e45351a6608e74de8b8927a77f8
SHA-256: 4769223f11f1a2c9844c61b2b938db09c7158403d4e98e36411c83530c2742f3
Size: 25.00 kB
- python3-3.9.16-1.el9.2.x86_64.rpm
MD5: f33a2d743631226a2583806829b478f7
SHA-256: 37a1b80db7733196f86484208f53718f895c5cc4a5e5828a8245ebbb6883fa2a
Size: 24.93 kB
- python3-debug-3.9.16-1.el9.2.i686.rpm
MD5: 9a5b6ff31b7ab910dba877d2c9c8b718
SHA-256: 8771f41d38cb5bce5862ac2075744de89d62ab45bb9934385318afa9461ffae0
Size: 2.82 MB
- python3-debug-3.9.16-1.el9.2.x86_64.rpm
MD5: 0aef554d3fe5447d0ea148d8c9b8191e
SHA-256: df923c262fcf6ce212736efc42b826607920e8802f739d3644e70b1205a087f1
Size: 2.98 MB
- python3-devel-3.9.16-1.el9.2.i686.rpm
MD5: 76103f635da3abad928c3a3d16ebeb34
SHA-256: 6e61d6a8d682d354130cee42f804897f716b6457e2e6dac640cbfc1fa007be1a
Size: 204.48 kB
- python3-devel-3.9.16-1.el9.2.x86_64.rpm
MD5: d0b7145b6de17c36039327d66d9d2d7f
SHA-256: dd9e45b8972d9aa23e38bd5ff09932a8b8c2217dd772ce7045c065f3a737d77a
Size: 204.43 kB
- python3-idle-3.9.16-1.el9.2.i686.rpm
MD5: 6a21063632b4f33f49642b4b477ffe89
SHA-256: 58bfa62c0f01e61153bd346ba0aac991b0000d100f5d843526f38c86c3f48c3e
Size: 769.40 kB
- python3-idle-3.9.16-1.el9.2.x86_64.rpm
MD5: ea76bf152642e9320c6cfab17bcff13a
SHA-256: b5ee66a1e8efe5a496b28fa5d7e7a4108c4517dace87208aebfab0670e29c649
Size: 769.40 kB
- python3-libs-3.9.16-1.el9.2.i686.rpm
MD5: 96dfabe6edfa731623d2813036190e9c
SHA-256: 197351e8cc68ade8bff289888cd6ffaf8c691cf4a868d1a06c4dcbdd95ad27a0
Size: 7.36 MB
- python3-libs-3.9.16-1.el9.2.x86_64.rpm
MD5: d754d2e6945252a09708f34fd2cc6437
SHA-256: ead6e3faeaef296c4491c52aa19f6ec99669ff8f5f1f0838c26842a75409af73
Size: 7.28 MB
- python3-test-3.9.16-1.el9.2.i686.rpm
MD5: 739e25234a54938a5f8c470b74d37015
SHA-256: 648ca7f12b53aac55a2b8d19f2544728cb4d0f9798e741e9fe4a26513c8e2e59
Size: 9.27 MB
- python3-test-3.9.16-1.el9.2.x86_64.rpm
MD5: 400e6700c4827f248a430aa64e56d291
SHA-256: ecbff042eecfac958ab1832625c6fc5a251ac432850be2c53a827fa0614b399b
Size: 9.26 MB
- python3-tkinter-3.9.16-1.el9.2.i686.rpm
MD5: 6e1e9e92ae712ed96a737c5e1f19e520
SHA-256: 5a5b0c02593db65ad2cff5af5dbca9328ca5e8415fdce0fd7d417874bfaa8950
Size: 309.39 kB
- python3-tkinter-3.9.16-1.el9.2.x86_64.rpm
MD5: 1d704b465a12f776e8c59ee44086fa5b
SHA-256: 3414e153f102bad822972da539e55547a204bcfbbea1c68eccf09c58169da645
Size: 307.82 kB
- python-unversioned-command-3.9.16-1.el9.2.noarch.rpm
MD5: 17b9ea73d2e4614310915ab6783ecf0f
SHA-256: 2983705184615d770024295cbafe017d3d031cb0a82d95f2b30dd4a22b87d22f
Size: 8.53 kB