{"id":"MGASA-2024-0084","summary":"Updated python python3 packages fix security vulnerabilities","details":"An issue was discovered in Python before 3.11.1. An unnecessary\nquadratic algorithm exists in one path when processing some inputs to\nthe IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name\nbeing presented to the decoder could lead to a CPU denial of service.\nHostnames are often supplied by remote servers that could be controlled\nby a malicious actor; in such a scenario, they could trigger excessive\nCPU consumption on the client attempting to make use of an\nattacker-supplied supposed hostname. (CVE-2022-45061)\nAn XML External Entity (XXE) issue was discovered in Python through\n3.9.1. The plistlib module no longer accepts entity declarations in XML\nplist files to avoid XML vulnerabilities. (CVE-2022-48565)\nAn issue was discovered in compare_digest in Lib/hmac.py in Python\nthrough 3.9.1. Constant-time-defeating optimisations were possible in\nthe accumulator variable in hmac.compare_digest. (CVE-2022-48566)\nAn issue in the urllib.parse component of Python before 3.11.4 allows\nattackers to bypass blocklisting methods by supplying a URL that starts\nwith blank characters. (CVE-2023-24329)\nAn issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18,\n3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects\nservers (such as HTTP servers) that use TLS client authentication. If a\nTLS server-side socket is created, receives data into the socket buffer,\nand then is closed quickly, there is a brief window where the SSLSocket\ninstance will detect the socket as \"not connected\" and won't initiate a\nhandshake, but buffered data will still be readable from the socket\nbuffer. This data will not be authenticated if the server-side TLS peer\nis expecting client certificate authentication, and is indistinguishable\nfrom valid TLS stream data. Data is limited in size to the amount that\nwill fit in the buffer. (The TLS connection cannot directly be used for\ndata exfiltration because the vulnerable code path requires that the\nconnection be closed on initialization of the SSLSocket).\n(CVE-2023-40217)\n","modified":"2026-01-31T08:06:52.388630Z","published":"2024-03-23T01:00:08Z","related":["CVE-2022-45061","CVE-2022-48565","CVE-2022-48566","CVE-2023-24329","CVE-2023-40217"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2024-0084.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=31000"},{"type":"REPORT","url":"https://ubuntu.com/security/notices/USN-5888-1"},{"type":"REPORT","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TZH26JGNZ5XYPZ5SAU3NKSBSPRE5OHTG/"},{"type":"REPORT","url":"https://access.redhat.com/errata/RHSA-2023:2763"},{"type":"REPORT","url":"https://access.redhat.com/errata/RHSA-2023:2860"},{"type":"REPORT","url":"https://access.redhat.com/errata/RHSA-2023:3556"},{"type":"REPORT","url":"https://access.redhat.com/errata/RHSA-2023:3591"},{"type":"REPORT","url":"https://ubuntu.com/security/notices/USN-6139-1"}],"affected":[{"package":{"name":"python","ecosystem":"Mageia:9","purl":"pkg:rpm/mageia/python?arch=source&distro=mageia-9"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.7.18-15.1.mga9"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2024-0084.json"}},{"package":{"name":"python3","ecosystem":"Mageia:9","purl":"pkg:rpm/mageia/python3?arch=source&distro=mageia-9"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.10.11-1.1.mga9"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2024-0084.json"}}],"schema_version":"1.7.3","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}