-----BEGIN PGP SIGNATURE-----
wsF5BAABCAAjFiEEyMDHOTG0YH5UsajI8pSCVQZYHygFAmgaa5kFAwAAAAAACgkQ8pSCVQZYHyhi
tRAAjHTs9zhl7j8ikXds0w83C/MxUPmSkRdaGEGrVb/1Oa0UAXBG9La4/pSiwIKFvLJvfkszTniZ
TzBf0St1hpJlnkc9SUj9kvaTsG/+iQbCCDBYt++LFk5abBCgsutY8LThHZrNlmQHvzcA3Xk0gdiw
+dywbU+b43lZIZ+tOPhqKWzoo5TSbUnKcEha5ZN2mJo3LvdxBz1taJMZw24Qx2fFOSwM0BfJIin8
SnexzReIgDcW6uaHafFpbBF3v+CdEN9YqA+fJVcaFgFcYmiOp8iRDNgU77TWfzrWQA1FaHNTpkOn
E/diJGdxQD/IaJrlj0+IW6YgdVEqZ9Q3iKN1AsAnOUcEJyrhiW1HqWHjKlg5GSG4EtM0UGsrJbvJ
UuXdGvk2299E1aR94gtvDJvm4Td70sQ5SlnfHjQG2TVgPecRC4wWK67NagPVTq3Y+rpRfU8LwQiR
iQnjvxbxEW55SAlEif1rfd5Pa5Y/Er/nbR3NeMkBC0/DNy0xDMf5EZzwsFKOf5pcG6naN6NOBi92
/R0EuEAwH1qpoGxX7zyBXTjRLNJDZ9T4VYfU3fsxNMK83vYUM6vldu3o7nKarICfb96pdhRfiK9p
nkLtg1G/F/imvAq/cdA62S9Hl8oO35FVOg0NS0KpSTfBKEZcxaZlJICkKrJE639ysARUaGPFIgfp
wxc=
=mZ6A
-----END PGP SIGNATURE-----
==========================================================================
Ubuntu Security Notice USN-7488-1
May 06, 2025
python vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary:
Several security issues were fixed in Python.
Software Description:
- python3.13: An interactive high-level object-oriented language
- python2.7: An interactive high-level object-oriented language
- python3.11: An interactive high-level object-oriented language
- python3.9: An interactive high-level object-oriented language
- python3.6: An interactive high-level object-oriented language
- python3.7: An interactive high-level object-oriented language
- python3.8: An interactive high-level object-oriented language
- python3.4: An interactive high-level object-oriented language
Details:
It was discovered that Python incorrectly handled parsing bracketed hosts.
A remote attacker could possibly use this issue to perform a Server-Side
Request Forgery (SSRF) attack. This issue only affected python 2.7 and
python3.4 on Ubuntu 14.04 LTS; python2.7 on Ubuntu 16.04 LTS;
python2.7, python3.6, python3.7, and python3.8 on Ubuntu 18.04 LTS;
python2.7 and python3.9 on Ubuntu 20.04 LTS; and python2.7 and
python3.11 on Ubuntu 22.04 LTS. (CVE-2024-11168)
It was discovered that Python allowed excessive backtracking while
parsing certain tarfile headers. A remote attacker could possibly use
this issue to cause Python to consume excessive resources, leading to
a denial of service. This issue only affected python3.4 on
Ubuntu 14.04 LTS; python3.6, python3.7, and python3.8 on
Ubuntu 18.04 LTS; python3.9 on Ubuntu 20.04 LTS; and python3.11 on
Ubuntu 22.04 LTS. (CVE-2024-6232)
It was discovered that Python incorrectly handled quoted path names
when using the venv module. A local attacker able to control virtual
environments could possibly use this issue to execute arbitrary code
when the virtual environment is activated. This issue only affected
python3.4 on Ubuntu 14.04 LTS; python3.6, python3.7, and python3.8
on Ubuntu 18.04 LTS; python3.9 on Ubuntu 20.04 LTS; python3.11 on
Ubuntu 22.04 LTS; and python3.13 on Ubuntu 24.10. (CVE-2024-9287)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.10
python3.13 3.13.0-1ubuntu0.1
python3.13-minimal 3.13.0-1ubuntu0.1
python3.13-venv 3.13.0-1ubuntu0.1
Ubuntu 22.04 LTS
python2.7 2.7.18-13ubuntu1.5+esm5
Available with Ubuntu Pro
python2.7-minimal 2.7.18-13ubuntu1.5+esm5
Available with Ubuntu Pro
python3.11 3.11.0~rc1-1~22.04.1~esm2
Available with Ubuntu Pro
python3.11-minimal 3.11.0~rc1-1~22.04.1~esm2
Available with Ubuntu Pro
python3.11-venv 3.11.0~rc1-1~22.04.1~esm2
Available with Ubuntu Pro
Ubuntu 20.04 LTS
python2.7 2.7.18-1~20.04.7+esm6
Available with Ubuntu Pro
python2.7-minimal 2.7.18-1~20.04.7+esm6
Available with Ubuntu Pro
python3.9 3.9.5-3ubuntu0~20.04.1+esm3
Available with Ubuntu Pro
python3.9-minimal 3.9.5-3ubuntu0~20.04.1+esm3
Available with Ubuntu Pro
python3.9-venv 3.9.5-3ubuntu0~20.04.1+esm3
Available with Ubuntu Pro
Ubuntu 18.04 LTS
python2.7 2.7.17-1~18.04ubuntu1.13+esm10
Available with Ubuntu Pro
python2.7-minimal 2.7.17-1~18.04ubuntu1.13+esm10
Available with Ubuntu Pro
python3.6 3.6.9-1~18.04ubuntu1.13+esm3
Available with Ubuntu Pro
python3.6-minimal 3.6.9-1~18.04ubuntu1.13+esm3
Available with Ubuntu Pro
python3.6-venv 3.6.9-1~18.04ubuntu1.13+esm3
Available with Ubuntu Pro
python3.7 3.7.5-2ubuntu1~18.04.2+esm4
Available with Ubuntu Pro
python3.7-minimal 3.7.5-2ubuntu1~18.04.2+esm4
Available with Ubuntu Pro
python3.7-venv 3.7.5-2ubuntu1~18.04.2+esm4
Available with Ubuntu Pro
python3.8 3.8.0-3ubuntu1~18.04.2+esm3
Available with Ubuntu Pro
python3.8-minimal 3.8.0-3ubuntu1~18.04.2+esm3
Available with Ubuntu Pro
python3.8-venv 3.8.0-3ubuntu1~18.04.2+esm3
Available with Ubuntu Pro
Ubuntu 16.04 LTS
python2.7 2.7.12-1ubuntu0~16.04.18+esm15
Available with Ubuntu Pro
python2.7-minimal 2.7.12-1ubuntu0~16.04.18+esm15
Available with Ubuntu Pro
Ubuntu 14.04 LTS
python2.7 2.7.6-8ubuntu0.6+esm24
Available with Ubuntu Pro
python2.7-minimal 2.7.6-8ubuntu0.6+esm24
Available with Ubuntu Pro
python3.4 3.4.3-1ubuntu1~14.04.7+esm14
Available with Ubuntu Pro
python3.4-minimal 3.4.3-1ubuntu1~14.04.7+esm14
Available with Ubuntu Pro
python3.4-venv 3.4.3-1ubuntu1~14.04.7+esm14
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7488-1
CVE-2024-11168, CVE-2024-6232, CVE-2024-9287
Package Information:
https://launchpad.net/ubuntu/+source/python3.13/3.13.0-1ubuntu0.1
No comments:
Post a Comment