python3.11-3.11.2-2.el9.2
Errata ID: AXSA:2023-6478:03
Release date:
2023/10/11 Wednesday - 01:37
Title:
python3.11-3.11.2-2.el9.2
Affected channels:
MIRACLE LINUX 9 for x86_64
Severity:
High
Description:
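The following issue has been addressed.
[Security Fix]
- Instances of Python's ssl.SSLSocket have an issue in which
unencrypted data that was sent is treated as TLS-encrypted data.
As a result, there is a vulnerability that allows a remote attacker
to modify or delete resources without authorization by closing a
socket created for TLS authentication before the handshake begins.
(CVE-2023-40217)
Solution:
Update the packages.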
CVE:
CVE-2023-40217
An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as "not connected" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket.)
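A defense-in-depth check for the condition described above, as an added example that is not part of the advisory or of CPython: a server that expects client certificates refuses to hand bytes to the application unless a handshake completed and a peer certificate is present. The function names and the sample bytes are constructed for illustration; updating the package remains the fix.

```python
import socket
import ssl


def peer_is_authenticated(conn: ssl.SSLSocket) -> bool:
    """True only if a TLS handshake finished and the peer sent a certificate."""
    try:
        # version() is None until a handshake has completed on this socket.
        if conn.version() is None:
            return False
        # DER bytes of the client certificate; None if none was presented.
        return bool(conn.getpeercert(binary_form=True))
    except (ValueError, OSError):
        # Handshake not done yet, or socket closed / not connected.
        return False


def guarded_recv(conn: ssl.SSLSocket, n: int = 4096) -> bytes:
    """Read application data, refusing if the peer was never authenticated."""
    if not peer_is_authenticated(conn):
        conn.close()
        raise PermissionError("no completed TLS handshake with client certificate")
    return conn.recv(n)


def demo_plaintext_then_close() -> bool:
    """Constructed case: the peer writes plaintext and closes, no handshake."""
    server_side, peer = socket.socketpair()
    peer.sendall(b"constructed plaintext, not a TLS record\r\n")
    peer.close()
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED  # server expects client certificates
    try:
        # Depending on platform and interpreter, wrap_socket may itself
        # raise ssl.SSLError here; that also counts as a rejection.
        conn = ctx.wrap_socket(server_side, server_side=True,
                               do_handshake_on_connect=False)
        guarded_recv(conn)
    except (PermissionError, ssl.SSLError):
        return True   # buffered bytes never reached the application
    return False
```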
Additional information:
N/A
Downloads:
SRPMS
- python3.11-3.11.2-2.el9.2.src.rpm (Size: 19.04 MB)
Asianux Server 9 for x86_64
- python3.11-3.11.2-2.el9.2.i686.rpm (Size: 25.59 kB)
- python3.11-3.11.2-2.el9.2.x86_64.rpm (Size: 25.50 kB)
- python3.11-debug-3.11.2-2.el9.2.i686.rpm (Size: 3.18 MB)
- python3.11-debug-3.11.2-2.el9.2.x86_64.rpm (Size: 3.33 MB)
- python3.11-devel-3.11.2-2.el9.2.i686.rpm (Size: 232.10 kB)
- python3.11-devel-3.11.2-2.el9.2.x86_64.rpm (Size: 232.07 kB)
- python3.11-idle-3.11.2-2.el9.2.i686.rpm (Size: 0.96 MB)
- python3.11-idle-3.11.2-2.el9.2.x86_64.rpm (Size: 0.96 MB)
- python3.11-libs-3.11.2-2.el9.2.i686.rpm (Size: 9.35 MB)
- python3.11-libs-3.11.2-2.el9.2.x86_64.rpm (Size: 9.30 MB)
- python3.11-test-3.11.2-2.el9.2.i686.rpm (Size: 13.64 MB)
- python3.11-test-3.11.2-2.el9.2.x86_64.rpm (Size: 13.63 MB)
- python3.11-tkinter-3.11.2-2.el9.2.i686.rpm (Size: 393.38 kB)
- python3.11-tkinter-3.11.2-2.el9.2.x86_64.rpm (Size: 391.60 kB)