python3.12-3.12.5-2.el9_5.2
Errata ID: AXSA:2024-9442:17
Release date:
2024/12/20 Friday - 12:48
Title:
python3.12-3.12.5-2.el9_5.2
Affected channels:
MIRACLE LINUX 9 for x86_64
Severity:
High
Description:
The following issues have been addressed.
[Security Fix]
- The asyncio._SelectorSocketTransport.writelines() method in Python lacks the flush (drain) step that should run when the remaining capacity of the write buffer runs low. A remote attacker can therefore cause a denial of service (memory exhaustion) via execution of a crafted Python application. (CVE-2024-12254)
- The CPython venv module and CLI do not quote the path name given when a virtual environment is created. A local attacker can therefore execute arbitrary commands via execution of a crafted virtual environment activation script. (CVE-2024-9287)
Solution:
Update the packages.
CVE:
CVE-2024-12254
Starting in Python 3.12.0, the asyncio._SelectorSocketTransport.writelines() method would not "pause" writing and signal to the Protocol to drain the buffer to the wire once the write buffer reached the "high-water mark". Because of this, Protocols would not periodically drain the write buffer, potentially leading to memory exhaustion. This vulnerability likely impacts a small number of users: you must be using Python 3.12.0 or later, on macOS or Linux, using the asyncio module with protocols, and using the .writelines() method, which has had new zero-copy-on-write behavior since Python 3.12.0. If not all of these factors are true, then your usage of Python is unaffected.
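Added example (not part of the advisory or of CPython's own code): a probe that exercises the flow-control path the CVE-2024-12254 description refers to. It connects a writer to a peer that never reads, queues far more than the default 64 KiB high-water mark in one writelines() call, and reports whether asyncio called the protocol's pause_writing(); on an interpreter with the defect, "paused" stays False even though "over_limit" is True. Class, function and payload names are constructed for this example.

```python
import asyncio
import socket
import sys


class FlowControlProbe(asyncio.Protocol):
    # Writer side: records whether asyncio told us to stop writing.
    def __init__(self, connected):
        self._connected = connected
        self.paused = False

    def connection_made(self, transport):
        self._connected.set_result(transport)

    def pause_writing(self):
        # A correct transport calls this once the buffer passes the high-water mark.
        self.paused = True


class SlowReader(asyncio.Protocol):
    # Reader side: never drains the socket, so the writer's buffer must grow.
    def connection_made(self, transport):
        transport.pause_reading()


async def probe_writelines_flow_control(chunk=1 << 20, chunks=64) -> dict:
    loop = asyncio.get_running_loop()
    connected = loop.create_future()
    probes = []

    def factory():
        probes.append(FlowControlProbe(connected))
        return probes[-1]

    server = await loop.create_server(factory, "127.0.0.1", 0)
    port = server.sockets[0].getsockname()[1]
    reader, _ = await loop.create_connection(SlowReader, "127.0.0.1", port)
    writer = await connected
    # Keep kernel socket buffers small so the data lands in asyncio's buffer.
    reader.get_extra_info("socket").setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, 65536)
    writer.get_extra_info("socket").setsockopt(socket.SOL_SOCKET, socket.SO_SNDBUF, 65536)
    # Constructed payload: 64 MiB queued with a single writelines() call.
    writer.writelines([b"x" * chunk] * chunks)
    buffered = writer.get_write_buffer_size()
    high = writer.get_write_buffer_limits()[1]  # default high-water mark: 64 KiB
    result = {"python": sys.version.split()[0], "buffered": buffered,
              "high_water": high, "over_limit": buffered > high,
              "paused": probes[0].paused}
    writer.abort()  # discard the queued data instead of draining it
    reader.close()
    server.close()
    return result


def run_probe() -> dict:
    return asyncio.run(probe_writelines_flow_control())
```

A patched interpreter reports "paused": True whenever "over_limit" is True; a protocol that relies on pause_writing() for back-pressure should not be deployed on a build where the two disagree.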
CVE-2024-9287
A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment "activation" scripts (i.e. "source venv/bin/activate"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (i.e. "./venv/bin/python") are not affected.
Additional information:
N/A
Downloads:
SRPMS
- python3.12-3.12.5-2.el9_5.2.src.rpm
MD5: 9919cde8c2a52ca6c25581c939f44ebe
SHA-256: df4d4aa53fece6a12194e7b8404a5f20b2f7e73cf05e16348831aeb6c00887b2
Size: 19.55 MB
Asianux Server 9 for x86_64
- python3.12-3.12.5-2.el9_5.2.i686.rpm
MD5: dd150c62d50fa8b821c8a3b0300acaf7
SHA-256: 81af260dd5d85d376656227b1f61002a9ec82639ecf5aa1391b720620ccec4be
Size: 26.53 kB
- python3.12-3.12.5-2.el9_5.2.x86_64.rpm
MD5: a3e94f15af4bb623f639a58a53bdabb0
SHA-256: f7c3050ae2bf9ba040ec9c7dbfec53be2872f5cebbff7210c3af3dadd701dcbb
Size: 26.44 kB
- python3.12-debug-3.12.5-2.el9_5.2.i686.rpm
MD5: 0da7045a853e2cae7fe67bf1a3f8f933
SHA-256: deece1790da9c3b4be4586316453b061545b414c2f03f4fd767c5c2e5d72c2f1
Size: 3.53 MB
- python3.12-debug-3.12.5-2.el9_5.2.x86_64.rpm
MD5: 1fa87c58b940a74226f64e59a883f75c
SHA-256: d0aa31f6c50fb1ae87de63f1992a3e744806ec822f30dc8c5fb9ae4e621d19de
Size: 3.70 MB
- python3.12-devel-3.12.5-2.el9_5.2.i686.rpm
MD5: ba30851f3285a9c2a61362c26d19e79f
SHA-256: 75d1d3628ca57b94fae613d2b106a74a8dbbb86942ef8ab64b8d55720a9f2140
Size: 327.20 kB
- python3.12-devel-3.12.5-2.el9_5.2.x86_64.rpm
MD5: c15b428234b0028dda83c8e90485ca78
SHA-256: 73f95063920ba4716b456913c162a09c5d1dbef1b8fd134fe0a88f4482f201a8
Size: 327.18 kB
- python3.12-idle-3.12.5-2.el9_5.2.i686.rpm
MD5: e044c898faa17e61ae5b21e8dc5cde20
SHA-256: 51c537c60d18baea142b400bbc0edfec89adf9dee7fec288083fe13136943873
Size: 1.07 MB
- python3.12-idle-3.12.5-2.el9_5.2.x86_64.rpm
MD5: cecf4447ec09fc3ca4785030bc6af95c
SHA-256: be7d3a109be659dd644874e94fcf583725050b876cc36b51cbdd334a460cf69d
Size: 1.07 MB
- python3.12-libs-3.12.5-2.el9_5.2.i686.rpm
MD5: cb3777b67a804f1370c83ef9d014a98a
SHA-256: 387c7a189a54db5b651c9538d4305250814f107928d7ac82fc1727ca8b2b74de
Size: 9.71 MB
- python3.12-libs-3.12.5-2.el9_5.2.x86_64.rpm
MD5: 57ed8467255b7044f865dacfda1ffc81
SHA-256: ba6100c6b27cc834ae86a715ec748dc61b75caed30dbed5a53b2d23d3241b136
Size: 9.67 MB
- python3.12-test-3.12.5-2.el9_5.2.i686.rpm
MD5: 95a39c3099d8eeb34b3d89f45a4df08e
SHA-256: 91ed985c0b4d5a22f38f91e9185cbd4f1ceef2e63760f1e0deec53d894bd8c03
Size: 15.55 MB
- python3.12-test-3.12.5-2.el9_5.2.x86_64.rpm
MD5: 87a17857f3494178303dbcb0011a3b60
SHA-256: 8f556670cd6415703b5120643a3e6f4f4aabbe88c0e768d6993967452cf97c00
Size: 15.54 MB
- python3.12-tkinter-3.12.5-2.el9_5.2.i686.rpm
MD5: e033d3426355f0db3e60bd5a206f7799
SHA-256: 30e9017e2e704f5aaf8058fddbb07ab736e709fdccf492044e929120bffcebbd
Size: 421.99 kB
- python3.12-tkinter-3.12.5-2.el9_5.2.x86_64.rpm
MD5: 037f81d3b061cd95808c32aecb38a12e
SHA-256: 6e1ab1c475ffc4491f996f1cc5d021c15a305421d510df8583897361ac9e8c16
Size: 420.62 kB