python3-3.6.8-21.el7
Errata ID: AXSA:2023-6570:07
Release date:
2023/11/09 Thursday - 06:54
Title:
python3-3.6.8-21.el7
Affected channels:
Asianux Server 7 for x86_64
Severity:
High
Description:
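The following issues have been addressed.
[Security Fix]
- Instances of Python's ssl.SSLSocket have an issue where unencrypted
data that was sent is treated as TLS-encrypted data. As a result, a
vulnerability exists that allows a remote attacker to modify and delete
resources without authorization by closing a socket created for TLS
authentication before the handshake starts. (CVE-2023-40217)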
Solution:
Update the packages.
CVE:
CVE-2023-40217
An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as "not connected" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket.)
Additional information:
N/A
Download:
SRPMS
- python3-3.6.8-21.el7.src.rpm
MD5: d0f28e745206e7b4f54f97aa8f89ccb9
SHA-256: aeeb58cc4379e08ebe23c947f9b641ba480367326a6d83b1b0cee8c6970f71ff
Size: 16.62 MB
Asianux Server 7 for x86_64
- python3-3.6.8-21.el7.i686.rpm
MD5: f4d03ad0d34ecef6d13524c66d1b1dec
SHA-256: 3fac3272cf0728364f845889c635fe6fbc4967f532d91b625a99bcf536cdcc9c
Size: 69.72 kB
- python3-3.6.8-21.el7.x86_64.rpm
MD5: ffaeb63af561a3ead2f2e8866f86ad9e
SHA-256: 1f115ac46cd96001cc510c86c3010c33896b8693a0460c877521f4607951963e
Size: 69.65 kB
- python3-debug-3.6.8-21.el7.i686.rpm
MD5: bf8a4bbc81ec5f6fe2f670ad6e103a15
SHA-256: 6d44a8ce496f94afd06b04be0fdc8e07cc374665bfbf9c0bc6ce4ee3c7180693
Size: 2.42 MB
- python3-debug-3.6.8-21.el7.x86_64.rpm
MD5: 99ad10ff727b160f49ea6c055936a08c
SHA-256: e5025b327dd4034e6162a4c5b965bfffdcd3d1e1324c83acc35324eae37d7bc1
Size: 2.64 MB
- python3-devel-3.6.8-21.el7.i686.rpm
MD5: 04251206c24da733ab1d4618cf79ad2d
SHA-256: 0876342412322e44cdf4b970498c628178062e0d37fb0e52a5750a1a033610bc
Size: 216.49 kB
- python3-devel-3.6.8-21.el7.x86_64.rpm
MD5: 24d93d74b7bd5e53b5a04af159b3f010
SHA-256: 3af21f8deef84cd862ae40eec9422bbdd8eb88605ff8a5d82560a376acfde679
Size: 216.30 kB
- python3-idle-3.6.8-21.el7.i686.rpm
MD5: 417ee7b7f27bf6d7eea9ac0c55b9c608
SHA-256: 5ddbb2648722d9570f8aa9471b5955b2f2357203fdcbc2de3c713c5d5b0dee12
Size: 778.73 kB
- python3-idle-3.6.8-21.el7.x86_64.rpm
MD5: 35d1bb93286913b5e8543191d08f2c9e
SHA-256: 24b429f697d09d2bf8eacaeff7e4b8a5201abe1759cf54137ff7c829a712bd34
Size: 778.69 kB
- python3-libs-3.6.8-21.el7.i686.rpm
MD5: 3c38f2e9219a34a329acc7a01f6c3f8a
SHA-256: cf675b1a3d4f56779bdfa09fda7edcdeb07eabae12c6a57eb1293b3004b27939
Size: 6.85 MB
- python3-libs-3.6.8-21.el7.x86_64.rpm
MD5: 1c4ccca7f5b565d14fb10f46e032256e
SHA-256: 3b5c3400757f93b0dc563258cfb06b2463877ef4a19d156e5afd537f5c04f262
Size: 6.95 MB
- python3-test-3.6.8-21.el7.i686.rpm
MD5: e443628915e1a4d5e1dd4161d1dd7936
SHA-256: 44af1b66bc0090d29f023b6ef6f437976ebede00a1e4066dadb3b29c15685507
Size: 7.25 MB
- python3-test-3.6.8-21.el7.x86_64.rpm
MD5: 6017362a9aba66896e435122fa880059
SHA-256: d506323cb6a4e066632c0186ed8c2c0e8aae37f47af6ef4923b370337740f43e
Size: 7.25 MB
- python3-tkinter-3.6.8-21.el7.i686.rpm
MD5: a0d27274c8e5b9323d6a009cdcfe33bb
SHA-256: bb554f9adbbdf6962cc10b2d30243abf2bbada4ca79898b71942982be1aebe5a
Size: 365.09 kB
- python3-tkinter-3.6.8-21.el7.x86_64.rpm
MD5: 72f5b3ca27496cf5c5168b7d9ef6b96d
SHA-256: e6794a0f36b8346c9ece4b53a3e60da73b8cabc0ca817abd0240949a5b492501
Size: 365.05 kB