14 matches found
[SECURITY] Fedora 39 Update: rust-pyo3-macros-backend-0.22.4-1.fc39
Code generation for PyO3 package...
Fedora 40 : rust-pyo3 / rust-pyo3-build-config / rust-pyo3-ffi / etc (2024-23292e9f6d)
The remote Fedora 40 host has packages installed that are affected by a vulnerability as referenced in the FEDORA-2024-23292e9f6d advisory. Update pyo3 to version 0.22.4. This version addresses a potential use-after-free RUSTSEC-2024-0378. Tenable has extracted the preceding description block...
Duplicate Advisory: PyO3 has a risk of use-after-free in `borrowed` reads from Python weak references
Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-6jgw-rgmm-7cv6. This link is maintained to preserve external references. Original Advisory: The family of functions to read "borrowed" values from Python weak references were fundamentally unsound, because the we...
PT-2024-39977 · Pypi · Pyo3
Name of the Vulnerable Software and Affected Versions: PyO3 versions prior to 0.22.4; PyO3 version 0.22.4 with mitigated functions, to be fully removed in 0.23. Description: A flaw was found in PyO3, causing a use-after-free issue. This can lead to memory corruption or crashes through unsound...
PT-2024-40267 · Pypi · Pyo3
Name of the Vulnerable Software and Affected Versions: PyO3 versions prior to 0.23 Description: The issue concerns a family of functions in PyO3 that read "borrowed" values from Python weak references. These functions were fundamentally unsound because the weak reference does not have ownership o...
Risk of use-after-free in `borrowed` reads from Python weak references
The family of functions to read "borrowed" values from Python weak references were fundamentally unsound, because the weak reference does itself not have ownership of the value. At any point the last strong reference could be cleared and the borrowed value would become dangling. In PyO3 0.22.4...
CVE-2024-32650
Rustls is a modern TLS library written in Rust. rustls::ConnectionCommon::complete_io could fall into an infinite loop based on network input. When using a blocking rustls server, if a client sends a close_notify message immediately after client_hello, the server's complete_io will get in an infinite...
CVE-2024-32650
Rustls is a modern TLS library written in Rust. rustls::ConnectionCommon::complete_io could fall into an infinite loop based on network input. When using a blocking rustls server, if a client sends a close_notify message immediately after client_hello, the server's complete_io will get in an infinite...
CVE-2024-32650
CVE-2024-32650 affects rustls: complete_io in a blocking rustls server can enter an infinite loop if a client sends close_notify right after client_hello, leading to a denial of service. Fixes exist in rustls releases 0.23.5, 0.22.4, and 0.21.11. Remediation is to upgrade to one of these versions ...
CVE-2024-32650
Rustls is a modern TLS library written in Rust. rustls::ConnectionCommon::complete_io could fall into an infinite loop based on network input. When using a blocking rustls server, if a client sends a close_notify message immediately after client_hello, the server's complete_io will get in an infinite...
PT-2024-24744
Name of the Vulnerable Software and Affected Versions: rustls versions prior to 0.21.11; rustls versions prior to 0.22.4; rustls versions prior to 0.23.5. Description: The rustls::ConnectionCommon::complete_io function could fall into an infinite loop based on network input. When using a blocking rust...
com.alejandrohdezma:http4s-munit-testcontainers_2.13 (=0.8.0), com.alejandrohdezma:http4s-munit_2.13 (=0.8.0) +54 more potentially affected by CVE-2021-41084 via org.http4s:http4s-client_2.13 (>=0.22.0 <=0.22.4)
org.http4s:http4s-client_2.13 MAVEN version =0.22.0, =2.0.0, =0.12.0, =0.17.0, =0.12.0, =0.17.0, =0.12.0, =0.12.0, =0.17.0, =0.17.0, =0.12.0, =0.17.0-11-3359289, =0.17.0, =0.17.1 and more Source cves: CVE-2021-41084 Source advisory: OSV:GHSA-5VCM-3XC3-W7X3...
com.alejandrohdezma:http4s-munit-testcontainers_2.12 (=0.8.0), com.alejandrohdezma:http4s-munit_2.12 (=0.8.0) +46 more potentially affected by CVE-2021-41084 via org.http4s:http4s-client_2.12 (>=0.22.0 <=0.22.4)
org.http4s:http4s-client_2.12 MAVEN version =0.22.0, =0.12.0, =0.17.0, =0.12.0, =0.17.0, =0.12.0, =0.12.0, =0.17.0, =0.17.0, =0.12.0, =0.17.0-11-3359289, =0.12.0, =0.17.19 and more Source cves: CVE-2021-41084 Source advisory: OSV:GHSA-5VCM-3XC3-W7X3...
com.avast:sst-bundle-monix-http4s-blaze_3 (>=0.16.0 <=0.19.3), com.avast:sst-bundle-monix-http4s-ember_3 (>=0.17.0 <=0.19.3) +18 more potentially affected by CVE-2021-41084 via org.http4s:http4s-client_3 (>=0.22.0 <=0.22.4)
org.http4s:http4s-client_3 MAVEN version =0.22.0, =0.16.0, =0.17.0, =0.16.0, =0.17.0, =0.16.0, =0.16.0, =0.17.0, =0.17.0, =0.16.0, =4.0.3, =0.22.0, =0.22.0, =0.22.0, =0.22.15 and more Source cves: CVE-2021-41084 Source advisory: OSV:GHSA-5VCM-3XC3-W7X3...