Home / mailings [slackware-security] python3 (SSA:2024-252-01)
Posted on 09 September 2024
Slackware Security[slackware-security] python3 (SSA:2024-252-01)
New python3 packages are available for Slackware 15.0 and -current to
fix security issues.
Here are the details from the Slackware 15.0 ChangeLog:
+--------------------------+
patches/packages/python3-3.9.20-i586-1_slack15.0.txz: Upgraded.
This update fixes security issues:
Bundled libexpat was updated to 2.6.3.
Fix quadratic complexity in parsing "-quoted cookie values with backslashes
by http.cookies.
Fixed various false positives and false negatives in IPv4Address.is_private,
IPv4Address.is_global, IPv6Address.is_private, IPv6Address.is_global.
Fix urllib.parse.urlunparse() and urllib.parse.urlunsplit() for URIs with
path starting with multiple slashes and no authority.
Remove backtracking from tarfile header parsing for hdrcharset, PAX, and
GNU sparse headers.
email.utils.getaddresses() and email.utils.parseaddr() now return ('', '')
2-tuples in more situations where invalid email addresses are encountered
instead of potentially inaccurate values. Add optional strict parameter to
these two functions: use strict=False to get the old behavior, accept
malformed inputs. getattr(email.utils, 'supports_strict_parsing', False) can
be used to check if the strict paramater is available.
Sanitize names in zipfile.Path to avoid infinite loops (gh-122905) without
breaking contents using legitimate characters.
Email headers with embedded newlines are now quoted on output. The generator
will now refuse to serialize (write) headers that are unsafely folded or
delimited; see verify_generated_headers.
For more information, see:
https://pythoninsider.blogspot.com/2024/09/python-3130rc2-3126-31110-31015-3920.html
https://www.cve.org/CVERecord?id=CVE-2024-28757
https://www.cve.org/CVERecord?id=CVE-2024-45490
https://www.cve.org/CVERecord?id=CVE-2024-45491
https://www.cve.org/CVERecord?id=CVE-2024-45492
https://www.cve.org/CVERecord?id=CVE-2024-7592
https://www.cve.org/CVERecord?id=CVE-2024-4032
https://www.cve.org/CVERecord?id=CVE-2015-2104
https://www.cve.org/CVERecord?id=CVE-2024-6232
https://www.cve.org/CVERecord?id=CVE-2023-27043
https://www.cve.org/CVERecord?id=CVE-2024-8088
https://www.cve.org/CVERecord?id=CVE-2024-6923
(* Security fix *)
+--------------------------+
Where to find the new packages:
+-----------------------------+
Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project! :-)
Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.
Updated package for Slackware 15.0:
ftp://ftp.slackware.com/pub/slackware/slackware-15.0/patches/packages/python3-3.9.20-i586-1_slack15.0.txz
Updated package for Slackware x86_64 15.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-15.0/patches/packages/python3-3.9.20-x86_64-1_slack15.0.txz
Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/d/python3-3.11.10-i686-1.txz
Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/d/python3-3.11.10-x86_64-1.txz
MD5 signatures:
+-------------+
Slackware 15.0 package:
7a16800df88dde3f78f1479a6a8676f7 python3-3.9.20-i586-1_slack15.0.txz
Slackware x86_64 15.0 package:
8409cec0740a46683e2bd3e74f9e1be9 python3-3.9.20-x86_64-1_slack15.0.txz
Slackware -current package:
f697f24f3107d4f6c27e7c64c2345894 d/python3-3.11.10-i686-1.txz
Slackware x86_64 -current package:
a3c5f7144feeeb7aaf3727af3104d203 d/python3-3.11.10-x86_64-1.txz
Installation instructions:
+------------------------+
Upgrade the package as root:
# upgradepkg python3-3.9.20-i586-1_slack15.0.txz
+-----+
Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com