python3.12-3.12.5-2.el9
Errata ID: AXSA:2024-9268:11
Release date:
2024/12/12 Thursday - 18:40
Title:
python3.12-3.12.5-2.el9
Affected channels:
MIRACLE LINUX 9 for x86_64
Severity:
Moderate
Description:
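The following items have been addressed.
[Security Fix]
- The CPython zipfile module has an issue that allows “quoted-overlap” ZIP bomb files to be extracted, so a vulnerability exists that allows a local attacker to cause a denial of service through the processing of a crafted ZIP file. (CVE-2024-0450)
- The Python ipaddress module contains incorrect information about whether certain IPv4 and IPv6 addresses are private addresses, so values are not returned in accordance with the latest information from the IANA Special-Purpose Address Registries; as a result, a vulnerability exists that allows a remote attacker to cause a denial of service. (CVE-2024-4032)
- The methods within zipfile.ZipFile in the CPython zipfile module have an issue that leads to an infinite loop when iterating over the entries in an archive, so a vulnerability exists that allows a remote attacker to cause a denial of service through the reading of a crafted ZIP archive file. (CVE-2024-8088)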
Solution:
Update the packages.
CVE:
CVE-2024-0450
An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior. The zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython make the zipfile module reject zip archives which overlap entries in the archive.
CVE-2024-4032
The “ipaddress” module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as “globally reachable” or “private”. This affected the is_private and is_global properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network classes, where values wouldn’t be returned in accordance with the latest information from the IANA Special-Purpose Address Registries. CPython 3.12.4 and 3.13.0a6 contain updated information from these registries and thus have the intended behavior.
CVE-2024-8088
There is a HIGH severity vulnerability affecting the CPython "zipfile" module affecting "zipfile.Path". Note that the more common API "zipfile.ZipFile" class is unaffected. When iterating over names of entries in a zip archive (for example, methods of "zipfile.Path" like "namelist()", "iterdir()", etc) the process can be put into an infinite loop with a maliciously crafted zip archive. This defect applies when reading only metadata or extracting the contents of the zip archive. Programs that are not handling user-controlled zip archives are not affected.
Additional information:
N/A
Download:
SRPMS
- python3.12-3.12.5-2.el9.src.rpm
Size: 19.55 MB
Asianux Server 9 for x86_64
- python3.12-3.12.5-2.el9.i686.rpm
Size: 26.12 kB
- python3.12-3.12.5-2.el9.x86_64.rpm
Size: 26.04 kB
- python3.12-debug-3.12.5-2.el9.i686.rpm
Size: 3.53 MB
- python3.12-debug-3.12.5-2.el9.x86_64.rpm
Size: 3.70 MB
- python3.12-devel-3.12.5-2.el9.i686.rpm
Size: 326.77 kB
- python3.12-devel-3.12.5-2.el9.x86_64.rpm
Size: 326.75 kB
- python3.12-idle-3.12.5-2.el9.i686.rpm
Size: 1.07 MB
- python3.12-idle-3.12.5-2.el9.x86_64.rpm
Size: 1.07 MB
- python3.12-libs-3.12.5-2.el9.i686.rpm
Size: 9.71 MB
- python3.12-libs-3.12.5-2.el9.x86_64.rpm
Size: 9.67 MB
- python3.12-test-3.12.5-2.el9.i686.rpm
Size: 15.55 MB
- python3.12-test-3.12.5-2.el9.x86_64.rpm
Size: 15.54 MB
- python3.12-tkinter-3.12.5-2.el9.i686.rpm
Size: 421.76 kB
- python3.12-tkinter-3.12.5-2.el9.x86_64.rpm
Size: 420.20 kB