| Description: | Summary:
The remote host is missing an update for the 'python3-docs, python3.12' package(s) announced via the FEDORA-2024-e453a209e9 advisory.
Vulnerability Insight:
This is the sixth maintenance release of Python 3.12
====================================================
Python 3.12 is the newest major release of the Python programming language, and it contains many new features and optimizations. 3.12.6 is the latest maintenance release, containing about 90 bugfixes, build improvements and documentation changes since 3.12.5. This is an expedited release to address the following security issues:
- [gh-123067]([link moved to references]): Fix quadratic complexity in parsing `'`-quoted cookie values with backslashes by [`http.cookies`]([link moved to references]). Fixes CVE-2024-7592.
- [gh-121285]([link moved to references]): Remove backtracking from tarfile header parsing for `hdrcharset`, PAX, and GNU sparse headers. That's CVE-2024-6232.
- [gh-102988]([link moved to references]): [`email.utils.getaddresses()`]([link moved to references]) and [`email.utils.parseaddr()`]([link moved to references]) now return `('', '')` 2-tuples in more situations where invalid email addresses are encountered instead of potentially inaccurate values. Add optional *strict* parameter to these two functions: use `strict=False` to get the old behavior, accept malformed inputs. `getattr(email.utils, 'supports_strict_parsing', False)` can be use to check if the *strict* paramater is available. This improves the CVE-2023-27043 fix.
- [gh-123270]([link moved to references]): Sanitize names in [`zipfile.Path`]([link moved to references]) to avoid infinite loops ([gh-122905]([link moved to references])) without breaking contents using legitimate characters. That's CVE-2024-8088.
Affected Software/OS:
'python3-docs, python3.12' package(s) on Fedora 39.
Solution:
Please install the updated package(s).
CVSS Score:
7.8
CVSS Vector:
AV:N/AC:L/Au:N/C:N/I:N/A:C
|
