python3-3.6.8-51.el8.2.ML.1
Errata ID: AXSA:2023-6551:06
Release date:
2023/10/30 Monday - 00:22
Subject:
python3-3.6.8-51.el8.2.ML.1
Affected channels:
Asianux Server 8 for x86_64
Severity:
High
Description:
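The following items have been addressed.
[Security Fix]
- Instances of Python's ssl.SSLSocket have an issue in which
unencrypted data that was sent is treated as TLS-encrypted data.
As a result, a vulnerability exists that allows a remote attacker
to modify and delete resources without authorization by closing a
socket created for TLS authentication before the handshake starts.
(CVE-2023-40217)
Solution:
Update the packages.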
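A host-side check for the fix above, added here as an example and not part of the original advisory: it compares a package string as printed by `rpm -q` against the fixed version-release 3.6.8-51.el8.2.ML.1, using a simplified port of rpm's version ordering. The function names and the sample strings other than the advisory's own version are constructed; epochs and `^` are not handled.

```python
import re
from itertools import zip_longest

# Fixed version-release taken from this advisory (Asianux Server 8 channel).
FIXED_VERSION, FIXED_RELEASE = "3.6.8", "51.el8.2.ML.1"

def _tokens(s):
    # rpm compares runs of digits and runs of letters; other characters only separate.
    return re.findall(r"~|\d+|[A-Za-z]+", s)

def rpmvercmp(a, b):
    """Return -1, 0 or 1. Simplified port of rpm's segment comparison (no '^')."""
    for x, y in zip_longest(_tokens(a), _tokens(b)):
        if x == y:
            continue
        if x == "~":            # a tilde sorts before anything, even end of string
            return -1
        if y == "~":
            return 1
        if x is None:           # the string with segments left over is newer
            return -1
        if y is None:
            return 1
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
            continue            # "01" vs "1": numerically equal
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # numeric segment beats alphabetic
        return -1 if x < y else 1
    return 0

def split_nvra(nvra):
    """Split 'name-version-release.arch' as printed by `rpm -q <package>`."""
    nvr, arch = nvra.rsplit(".", 1)
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release, arch

def has_fix(nvra):
    """True if the package is at or above the advisory's version-release (epoch ignored)."""
    _, version, release, _ = split_nvra(nvra)
    c = rpmvercmp(version, FIXED_VERSION)
    return c > 0 or (c == 0 and rpmvercmp(release, FIXED_RELEASE) >= 0)

if __name__ == "__main__":
    # Constructed sample lines; only the first carries the advisory's version-release.
    for line in ("python3-libs-3.6.8-51.el8.2.ML.1.x86_64",
                 "python3-libs-3.6.8-47.el8.x86_64",
                 "platform-python-3.6.8-56.el8.x86_64"):
        print(line, "fixed" if has_fix(line) else "NEEDS UPDATE")
```

Long-running services keep the old `ssl` module loaded until they are restarted, so a passing package check does not by itself mean a running server process has the fix.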
CVE:
CVE-2023-40217
An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as "not connected" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket.)
Additional information:
N/A
Download:
SRPMS
- python3-3.6.8-51.el8.2.ML.1.src.rpm
Size: 18.26 MB
Asianux Server 8 for x86_64
- platform-python-3.6.8-51.el8.2.ML.1.i686.rpm
Size: 85.71 kB
- platform-python-3.6.8-51.el8.2.ML.1.x86_64.rpm
Size: 85.78 kB
- platform-python-debug-3.6.8-51.el8.2.ML.1.i686.rpm
Size: 2.72 MB
- platform-python-debug-3.6.8-51.el8.2.ML.1.x86_64.rpm
Size: 2.68 MB
- platform-python-devel-3.6.8-51.el8.2.ML.1.i686.rpm
Size: 239.05 kB
- platform-python-devel-3.6.8-51.el8.2.ML.1.x86_64.rpm
Size: 239.30 kB
- python3-idle-3.6.8-51.el8.2.ML.1.i686.rpm
Size: 827.17 kB
- python3-idle-3.6.8-51.el8.2.ML.1.x86_64.rpm
Size: 827.21 kB
- python3-libs-3.6.8-51.el8.2.ML.1.i686.rpm
Size: 7.89 MB
- python3-libs-3.6.8-51.el8.2.ML.1.x86_64.rpm
Size: 7.82 MB
- python3-test-3.6.8-51.el8.2.ML.1.i686.rpm
Size: 8.66 MB
- python3-test-3.6.8-51.el8.2.ML.1.x86_64.rpm
Size: 8.65 MB
- python3-tkinter-3.6.8-51.el8.2.ML.1.i686.rpm
Size: 373.99 kB
- python3-tkinter-3.6.8-51.el8.2.ML.1.x86_64.rpm
Size: 372.55 kB