BIT-PYTHON-MIN-2023-33595

CPython v3.12.0 alpha 7 was discovered to contain a heap use-after-free via the function asciidecode at /Objects/unicodeobject.c...

Amazon Linux 2023 : python3, python3-devel, python3-idle (ALAS2023-2024-790)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2024-790 advisory. Directory traversal vulnerability in the 1 extract and 2 extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. dot dot...

BIT-PYTHON-2023-6597

An issue was found in the CPython tempfile.TemporaryDirectory class affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior. The tempfile.TemporaryDirectory class would dereference symlinks during cleanup of permissions-related errors. This means users which can run privileged...

BIT-PYTHON-2024-0450 Quoted zip-bomb protection for zipfile

An issue was found in the CPython zipfile module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior. The zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython...

BIT-PYTHON-2024-9287 Virtual environment (venv) activation scripts don't quote paths

A vulnerability has been found in the CPython venv module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment "activation" scripts ie "source venv/bin/activate". This means that...

K000148969: Python vulnerability CVE-2024-7592

Security Advisory Description There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module. When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity,...

Important: python3.9

Issue Overview: Directory traversal vulnerability in the 1 extract and 2 extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. dot dot sequence in filenames in a TAR archive, a related issue to CVE-2001-1267. CVE-2007-4559...

EulerOS 2.0 SP12 : python3 (EulerOS-SA-2024-2942)

According to the versions of the python3 packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : There is a MEDIUM severity vulnerability affecting CPython. The socket module provides a pure- Python fallback to the socket.socketpair function...

EulerOS 2.0 SP12 : python3 (EulerOS-SA-2024-2957)

According to the versions of the python3 packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : There is a MEDIUM severity vulnerability affecting CPython. The socket module provides a pure- Python fallback to the socket.socketpair function...

Amazon Linux 2023 : python3.11, python3.11-devel, python3.11-idle (ALAS2023-2024-788)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2024-788 advisory. The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spe...

Astra Linux – Vulnerability in Python 3.11

There is a medium-severity vulnerability affecting CPython. Regular expressions that allow excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS through specifically crafted tar archives...

Astra Linux – Vulnerability in Python 3.11

There is a low-severity vulnerability affecting CPython, specifically the ‘http.cookies’ standard library module. When parsing cookies where quotes were represented by backslashes in the cookie value, the parser uses an algorithm with quadratic complexity, resulting in excessive CPU resources bei...

Tornado has an HTTP cookie parsing DoS vulnerability

The algorithm used for parsing HTTP cookies in Tornado versions prior to 6.4.2 sometimes has quadratic complexity, leading to excessive CPU consumption when parsing maliciously-crafted cookie headers. This parsing occurs in the event loop thread and may block the processing of other requests. See...

github.com/jaraco/zipp: Denial of Service (infinite loop) via crafted zip file in jaraco/zipp

A flaw was found in jaraco/zipp. The vulnerability is triggered when processing a specially crafted zip file that leads to an infinite loop. This issue also impacts the zipfile module of CPython, as features from the third-party zipp library are later merged into CPython, and the affected code is...

Amazon Linux 2023 : python3.11, python3.11-devel, python3.11-idle (ALAS2023-2024-757)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2024-757 advisory. There is a MEDIUM severity vulnerability affecting CPython. Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted...

Moderate: Red Hat Security Advisory: python3.9 security update

An update for python3.9 is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from...

Moderate: python3.9 security update

Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fixes:...

ALSA-2024:9468 Moderate: python3.9 security update

Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fixes:...

Huawei EulerOS: Security Advisory for python3 (EulerOS-SA-2024-2911)

The remote host is missing an update for the Huawei EulerOS SPDX-FileCopyrightText: 2024 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

Huawei EulerOS: Security Advisory for python3 (EulerOS-SA-2024-2892)

The remote host is missing an update for the Huawei EulerOS SPDX-FileCopyrightText: 2024 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...