[SECURITY] [DLA 3772-1] python3.7 security update

2024-03-2421:51:46

lists.debian.org

cve-2024-0450

python3.7

quoted-overlap zipbomb dos

tempfile.temporarydirectory

cve-2023-6597

debian 10 buster

security update

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

8.1 High

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

17.1%

JSON

Debian LTS Advisory DLA-3772-1 [email protected]
https://www.debian.org/lts/security/ Adrian Bunk
March 24, 2024 https://wiki.debian.org/LTS

Package : python3.7
Version : 3.7.3-2+deb10u7
CVE ID : CVE-2023-6597 CVE-2024-0450

Two vulnerabilities have been fixed in the Python 3 interpreter.

CVE-2023-6597

tempfile.TemporaryDirectory failure to remove dir

CVE-2024-0450

quoted-overlap zipbomb DoS

For Debian 10 buster, these problems have been fixed in version
3.7.3-2+deb10u7.

We recommend that you upgrade your python3.7 packages.

For the detailed security status of python3.7 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python3.7

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

OSVersionArchitecturePackageVersionFilename
Debian10allpython2.7< 2.7.16-2+deb10u4python2.7_2.7.16-2+deb10u4_all.deb
Debian10arm64python3.7-dev< 3.7.3-2+deb10u7python3.7-dev_3.7.3-2+deb10u7_arm64.deb
Debian10arm64python3.7-minimal< 3.7.3-2+deb10u7python3.7-minimal_3.7.3-2+deb10u7_arm64.deb
Debian10i386libpython2.7-dev< 2.7.16-2+deb10u4libpython2.7-dev_2.7.16-2+deb10u4_i386.deb
Debian10i386libpython2.7-minimal< 2.7.16-2+deb10u4libpython2.7-minimal_2.7.16-2+deb10u4_i386.deb
Debian10allidle-python3.7< 3.7.3-2+deb10u7idle-python3.7_3.7.3-2+deb10u7_all.deb
Debian10allpython3.7< 3.7.3-2+deb10u7python3.7_3.7.3-2+deb10u7_all.deb
Debian10amd64libpython2.7-stdlib< 2.7.16-2+deb10u4libpython2.7-stdlib_2.7.16-2+deb10u4_amd64.deb
Debian10amd64libpython2.7-dev< 2.7.16-2+deb10u4libpython2.7-dev_2.7.16-2+deb10u4_amd64.deb
Debian10arm64python3.7< 3.7.3-2+deb10u7python3.7_3.7.3-2+deb10u7_arm64.deb

OS	Version	Architecture	Package	Version	Filename
Debian	10	all	python2.7	< 2.7.16-2+deb10u4	python2.7_2.7.16-2+deb10u4_all.deb
Debian	10	arm64	python3.7-dev	< 3.7.3-2+deb10u7	python3.7-dev_3.7.3-2+deb10u7_arm64.deb
Debian	10	arm64	python3.7-minimal	< 3.7.3-2+deb10u7	python3.7-minimal_3.7.3-2+deb10u7_arm64.deb
Debian	10	i386	libpython2.7-dev	< 2.7.16-2+deb10u4	libpython2.7-dev_2.7.16-2+deb10u4_i386.deb
Debian	10	i386	libpython2.7-minimal	< 2.7.16-2+deb10u4	libpython2.7-minimal_2.7.16-2+deb10u4_i386.deb
Debian	10	all	idle-python3.7	< 3.7.3-2+deb10u7	idle-python3.7_3.7.3-2+deb10u7_all.deb
Debian	10	all	python3.7	< 3.7.3-2+deb10u7	python3.7_3.7.3-2+deb10u7_all.deb
Debian	10	amd64	libpython2.7-stdlib	< 2.7.16-2+deb10u4	libpython2.7-stdlib_2.7.16-2+deb10u4_amd64.deb
Debian	10	amd64	libpython2.7-dev	< 2.7.16-2+deb10u4	libpython2.7-dev_2.7.16-2+deb10u4_amd64.deb
Debian	10	arm64	python3.7	< 3.7.3-2+deb10u7	python3.7_3.7.3-2+deb10u7_arm64.deb