-----BEGIN PGP SIGNATURE-----
wsF5BAABCAAjFiEE2WgtvmwmcgaEBLlnCAvK1QvD6SAFAmfh1tgFAwAAAAAACgkQCAvK1QvD6SDQ
3A/+JUT8Ro3ZbbM6Mv+SJydKz/DBX7xfUiwm7WHbYZtcc+fck922Mi7U1n6CGLK6rSv3LN1eFXKt
RT8wpsQAnWcs6bp/e2ZjuWYcG5Ajr9iRaZmGr1aqgg3RUEFmlYvu4lh4rllfeNvYLhHFzbcR38c6
7XE4q9IfDaObv8eRBWjCqle8eAkSV5wix1+6pqC6VTXplkiJyrdy0tG8adA6kYlNwyCH18r2lqHC
MG2GTI0QZz25QLIODqaay0BxNz5sudJQoBummBUErTj8HafRHJL8RUCi/hHN6TfahNGvJzB4KG1Z
CEwf5NTRKr1X83FaJLKgLqpFfE0GkVwD0FUPw8/uGfLFsB0I7sAtHPH0JGJ9F+mE7yeyZhTNmosb
nrPm3Z0YWbB1lqI7AAsjOOIqepY+4rWOK0Tzws3pGtc63uJOlN1IsTgUNDEfCS6p7UE66UiqQ5Jz
T1sgkeRY9DU+PZW2kREcI/SkyBhx0m1ZtSgBZ9dljT/9f9rf4hxPDh20vx6cUTikmQ2EoF6r/h7U
eLPrq3fA78uEJ3AgEpoK2slvM5OpbCy46pv4UKNBB+YtRsCa8l0hwvxZ6WctNjMaKg0KfezSH8Zb
od1+c1Z1uOaJr0OS73Qv+H7fLru43vJ8GvgjJvyYlBpBd+/Clmp5cgskWBsl9aNJ8BIbrJ2cXSsr
zxY=
=/BmH
-----END PGP SIGNATURE-----
==========================================================================
Ubuntu Security Notice USN-7348-2
March 24, 2025
python3.5, python3.8 regression
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 20.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary:
USN-7348-1 introduced a regression in Python.
Software Description:
- python3.8: An interactive high-level object-oriented language
- python3.5: An interactive high-level object-oriented language
Details:
USN-7348-1 fixed vulnerabilities in Python. The update introduced a
regression. This update fixes the problem.
We apologize for the inconvenience.
Original advisory details:
It was discovered that the Python ipaddress module contained incorrect
information about which IP address ranges were considered "private" or
"globally reachable". This could possibly result in applications applying
incorrect security policies. This issue only affected Ubuntu 14.04 LTS
and Ubuntu 16.04 LTS. (CVE-2024-4032)
It was discovered that Python incorrectly handled quoting path names when
using the venv module. A local attacker able to control virtual
environments could possibly use this issue to execute arbitrary code when
the virtual environment is activated. (CVE-2024-9287)
It was discovered that Python incorrectly handled parsing bracketed hosts.
A remote attacker could possibly use this issue to perform a Server-Side
Request Forgery (SSRF) attack. This issue only affected Ubuntu 14.04 LTS
and Ubuntu 16.04 LTS. (CVE-2024-11168)
It was discovered that Python incorrectly handled parsing domain names
that
included square brackets. A remote attacker could possibly use this issue
to perform a Server-Side Request Forgery (SSRF) attack. (CVE-2025-0938)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 20.04 LTS
python3.8 3.8.10-0ubuntu1~20.04.18
python3.8-minimal 3.8.10-0ubuntu1~20.04.18
python3.8-venv 3.8.10-0ubuntu1~20.04.18
Ubuntu 16.04 LTS
python3.5 3.5.2-2ubuntu0~16.04.13+esm18
Available with Ubuntu Pro
python3.5-minimal 3.5.2-2ubuntu0~16.04.13+esm18
Available with Ubuntu Pro
python3.5-venv 3.5.2-2ubuntu0~16.04.13+esm18
Available with Ubuntu Pro
Ubuntu 14.04 LTS
python3.5 3.5.2-2ubuntu0~16.04.4~14.04.1+esm6
Available with Ubuntu Pro
python3.5-minimal 3.5.2-2ubuntu0~16.04.4~14.04.1+esm6
Available with Ubuntu Pro
python3.5-venv 3.5.2-2ubuntu0~16.04.4~14.04.1+esm6
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7348-2
https://ubuntu.com/security/notices/USN-7348-1
CVE-2025-0938
Package Information:
https://launchpad.net/ubuntu/+source/python3.8/3.8.10-0ubuntu1~20.04.18
No comments:
Post a Comment