python3.12-3.12.8-1.el8_10
Errata ID: AXSA:2024-9392:15
Release date:
2024/12/16 Monday - 18:03
Title:
python3.12-3.12.8-1.el8_10
Affected channels:
Asianux Server 8 for x86_64
Severity:
High
Description:
The following issues have been addressed.
[Security Fix]
- Python's asyncio._SelectorSocketTransport.writelines() method lacks the flush handling that should run when the write buffer's remaining capacity becomes low. A remote attacker can cause a denial of service (memory exhaustion) by inducing execution of a crafted Python application. (CVE-2024-12254)
- The CPython venv module and console do not quote the path name given when a virtual environment is created. A local attacker can execute arbitrary commands by inducing execution of a crafted virtual environment activation script. (CVE-2024-9287)
Solution:
Update the packages.
CVE:
CVE-2024-12254
Starting in Python 3.12.0, the asyncio._SelectorSocketTransport.writelines() method would not "pause" writing and signal to the Protocol to drain the buffer to the wire once the write buffer reached the "high-water mark". Because of this, Protocols would not periodically drain the write buffer, potentially leading to memory exhaustion. This vulnerability likely impacts a small number of users: you must be using Python 3.12.0 or later, on macOS or Linux, using the asyncio module with protocols, and using the .writelines() method, which has had new zero-copy-on-write behavior since Python 3.12.0. If not all of these factors are true, then your usage of Python is unaffected.
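An added check, not taken from this errata or from CPython, that reports whether the running interpreter's writelines() applies write-buffer flow control. It uses an in-process socketpair whose receiving end is never read, so it runs offline; it assumes a POSIX host and that the kernel send buffer is smaller than the 16 MiB queued.

```python
import asyncio
import socket

CHUNK = b"x" * 65536
N_CHUNKS = 256         # 16 MiB in total, far more than a socket's kernel send buffer
HIGH_WATER = 65536     # small high-water mark so buffering must trigger pause_writing()


class _PauseRecorder(asyncio.Protocol):
    """Records whether the transport ever asked this protocol to pause writing."""

    def __init__(self) -> None:
        self.paused = False

    def pause_writing(self) -> None:
        self.paused = True

    def resume_writing(self) -> None:
        self.paused = False


async def _probe(use_writelines: bool) -> bool:
    loop = asyncio.get_running_loop()
    # Nothing ever reads `sink`, so the kernel send buffer fills and the rest of
    # the data has to stay in the transport's user-space write buffer.
    source, sink = socket.socketpair()
    proto = _PauseRecorder()
    transport, _ = await loop.create_connection(lambda: proto, sock=source)
    transport.set_write_buffer_limits(high=HIGH_WATER)
    try:
        if use_writelines:
            transport.writelines([CHUNK] * N_CHUNKS)   # the path CVE-2024-12254 concerns
        else:
            for _ in range(N_CHUNKS):
                transport.write(CHUNK)                 # write() always applies flow control
        return proto.paused
    finally:
        transport.abort()
        await asyncio.sleep(0)   # let connection_lost() run before the loop closes
        sink.close()


def pause_signalled(use_writelines: bool) -> bool:
    """True when the transport called pause_writing() after queueing N_CHUNKS.

    pause_signalled(True) is False on an unfixed 3.12.x (writelines() never pauses)
    and True once the fix is installed; pause_signalled(False) is True on every
    version, which is why write() in a loop is the conservative choice meanwhile.
    """
    return asyncio.run(_probe(use_writelines))


if __name__ == "__main__":
    print("writelines() flow control:", "ok" if pause_signalled(True) else "MISSING")
```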
CVE-2024-9287
A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment "activation" scripts (i.e. `source venv/bin/activate`). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker, or which aren't activated before being used (i.e. `./venv/bin/python`), are not affected.
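As an added illustration that is not part of this errata or of CPython: a pre-creation gate on the venv path and a post-creation audit of a POSIX `activate` file, flagging a watched variable whose value the shell would still expand. The activate excerpts are constructed, and watching only `VIRTUAL_ENV` is an assumption.

```python
import re

# Characters a POSIX shell acts on in an unquoted word.  Used as a conservative
# gate: any of them in a venv path is a reason not to create the venv there.
_SHELL_ACTIVE = set("$`\"'\\!;&|<>(){}*?~#\n\r\t ")
# Inside double quotes only these four still have meaning to the shell.
_ACTIVE_IN_DQ = {"$", "`", '"', "\\"}

_ASSIGN = re.compile(r"^(?:export\s+)?(?P<name>[A-Za-z_]\w*)=(?P<value>.*)$")


def venv_path_is_shell_safe(path: str) -> bool:
    """Pre-creation gate: refuse a venv location whose name could alter an activate script."""
    return not (_SHELL_ACTIVE & set(path))


def _is_inert_literal(value: str) -> bool:
    """True if a POSIX shell would treat `value` as one literal word with no expansion."""
    if len(value) >= 2 and value[0] == value[-1] == "'":
        return "'" not in value[1:-1]                  # single quotes suppress everything
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return not (_ACTIVE_IN_DQ & set(value[1:-1]))  # "$(...)" and `...` still run here
    return not (_SHELL_ACTIVE & set(value))            # unquoted: any metachar is a problem


def unsafe_assignments(activate_script: str, names=("VIRTUAL_ENV",)) -> list[str]:
    """Post-creation audit of a POSIX `activate` file: return the watched variable
    names whose assigned value is not an inert literal."""
    flagged = []
    for line in activate_script.splitlines():
        m = _ASSIGN.match(line.strip())
        if m and m.group("name") in names and not _is_inert_literal(m.group("value")):
            flagged.append(m.group("name"))
    return flagged


# Constructed excerpts in the style of a POSIX activate script (not CPython's file).
SAFE_ACTIVATE = 'VIRTUAL_ENV="/opt/app/venv"\nexport VIRTUAL_ENV\nPATH="$VIRTUAL_ENV/bin:$PATH"\n'
UNSAFE_ACTIVATE = 'VIRTUAL_ENV="/tmp/venv$(echo injected)"\nexport VIRTUAL_ENV\n'

if __name__ == "__main__":
    for label, script in (("safe", SAFE_ACTIVATE), ("unsafe", UNSAFE_ACTIVATE)):
        print(label, "->", unsafe_assignments(script) or "clean")
```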
Additional information:
N/A
Downloads:
SRPMS
- python3.12-3.12.8-1.el8_10.src.rpm
MD5: 47aea4623cd4e5da895371da4d30778b
SHA-256: 42451bd5be280b054506e748a3ffbdd3d1be397081b99ddb5bb47a4ae92fec66
Size: 19.61 MB
Asianux Server 8 for x86_64
- python3.12-3.12.8-1.el8_10.i686.rpm
MD5: eb80214a8e59cb1cb979e377d491da40
SHA-256: 0fc3d811f782b1ed1da5541a4e5d0aa732a1bf40e8627d9783b1c9dc3fbfe96c
Size: 29.60 kB
- python3.12-3.12.8-1.el8_10.x86_64.rpm
MD5: ca9a30c7942b0f598f4ec02a16ac7100
SHA-256: 011a6584093b6245951a13c6921f5e6f695278d296a713b4a04a579621a06295
Size: 29.51 kB
- python3.12-debug-3.12.8-1.el8_10.i686.rpm
MD5: fcf2035761a096aac36d3b643adb7708
SHA-256: e7539d9920b8155f1e260fc82af1a9c6d2c39f315feac98d74cb60cbee72716d
Size: 3.49 MB
- python3.12-debug-3.12.8-1.el8_10.x86_64.rpm
MD5: 6ec01ebc3934af4707a8be28ae8361e5
SHA-256: a70e1e8f74ef05bb9c897d05e0624460805d6eaf44bd379a3c799d9f67170308
Size: 3.68 MB
- python3.12-devel-3.12.8-1.el8_10.i686.rpm
MD5: 30e341ef80433b5c680fe18a9381a797
SHA-256: f4e9e0f74e2af7db047788b2e30c047e67fe62be8fbd525b0cf8915a53ffbbca
Size: 290.05 kB
- python3.12-devel-3.12.8-1.el8_10.x86_64.rpm
MD5: e743d3272aee605dacf9e79f3e10da9e
SHA-256: d2a73df09e88ab638a12659f02a4fb4f2484a038c0ebad8e3ac09c8e9c7a6b31
Size: 289.95 kB
- python3.12-idle-3.12.8-1.el8_10.i686.rpm
MD5: 533c135c6eef05350ed0b69749625fee
SHA-256: 91769d232030efc5283526256ae2d697d1b7bea45f6febf6cf9435c672edd46c
Size: 1.29 MB
- python3.12-idle-3.12.8-1.el8_10.x86_64.rpm
MD5: c6caec9b8f84a9238c3442fca43ed72c
SHA-256: afb0c58c9cb726022794d910611ae3e2fdd092df3b84ac2133eaee9ae5548093
Size: 1.29 MB
- python3.12-libs-3.12.8-1.el8_10.i686.rpm
MD5: 5fe089c386b7a842aed3ad31f90805ff
SHA-256: 62b9e7c74e75f46c74571943a2bd096a3adfa257a9ff5f703a3e2ac26543fefd
Size: 10.08 MB
- python3.12-libs-3.12.8-1.el8_10.x86_64.rpm
MD5: 7fb95cdb580f991f324c6279dc5760aa
SHA-256: 7a7452b9d6a67bd332c65a8eba719d2f440166a8a125fc7584def834749ec3b2
Size: 9.99 MB
- python3.12-rpm-macros-3.12.8-1.el8_10.noarch.rpm
MD5: a64a815ce522ebadd840b97f5e9b1675
SHA-256: 20bb31257621231bb222e7590855913a948db6feb1fa15747a1ca1f08e49d4fe
Size: 15.94 kB
- python3.12-test-3.12.8-1.el8_10.i686.rpm
MD5: 0e07b8e631452081a2249311fae15ffa
SHA-256: e4a490846b5825d5daef4e22161bdc2cd5a48ba9ee823d138a552611a8275647
Size: 15.92 MB
- python3.12-test-3.12.8-1.el8_10.x86_64.rpm
MD5: 5bd04cad28c70a459ef3e1fd7e4e30f6
SHA-256: a4dea7ee1c70d3a2e745302a96f7d085930a3fcabe77537aa53b54512de49db4
Size: 15.91 MB
- python3.12-tkinter-3.12.8-1.el8_10.i686.rpm
MD5: 581d28a735a0f2d9e17096708982f15a
SHA-256: ef8f53b1839af0540e7a27dfc95fc5d965459a6735d8a729f549baa6907bb3e2
Size: 402.18 kB
- python3.12-tkinter-3.12.8-1.el8_10.x86_64.rpm
MD5: f18b1c753e4124808cf502ae491dc58c
SHA-256: 417a35cecb209845ebe48fe9cebc3727812d8e3025216754f1f8ee1e1fe74d69
Size: 400.93 kB