| Description: | Summary:
The remote host is missing an update for the 'python3.11' package(s) announced via the FEDORA-2024-37d9c902dd advisory.
Vulnerability Insight:
This is a security release of Python 3.11
-----------------------------------------
**Note:** The release you're looking at is Python 3.11.10, a **security bugfix release** for the legacy 3.11 series. *Python 3.12* is now the latest feature release series of Python 3.
Security content in this release
--------------------------------
- [gh-123067]([link moved to references]): Fix quadratic complexity in parsing `'`-quoted cookie values with backslashes by [`http.cookies`]([link moved to references]). Fixes CVE-2024-7592.
- [gh-113171]([link moved to references]): Fixed various false positives and false negatives in IPv4Address.is_private, IPv4Address.is_global, IPv6Address.is_private, IPv6Address.is_global. Fixes CVE-2024-4032.
- [gh-67693]([link moved to references]): Fix [`urllib.parse.urlunparse()`]([link moved to references]) and [`urllib.parse.urlunsplit()`]([link moved to references]) for URIs with path starting with multiple slashes and no authority. Fixes CVE-2015-2104.
- [gh-121957]([link moved to references]): Fixed missing audit events around interactive use of Python, now also properly firing for `python -i`, as well as for `python -m asyncio`. The event in question is `cpython.run_stdin`.
- [gh-122133]([link moved to references]): Authenticate the socket connection for the `socket.socketpair()` fallback on platforms where `AF_UNIX` is not available like Windows.
- [gh-121285]([link moved to references]): Remove backtracking from tarfile header parsing for `hdrcharset`, PAX, and GNU sparse headers. That's CVE-2024-6232.
- [gh-114572]([link moved to references]): [`ssl.SSLContext.cert_store_stats()`]([link moved to references]) and [`ssl.SSLContext.get_ca_certs()`]([link moved to references]) now correctly lock access to the certificate store, when the [`ssl.SSLContext`]([link moved to references]) is shared across multiple threads.
- [gh-102988]([link moved to references]): [`email.utils.getaddresses()`]([link moved to references]) and [`email.utils.parseaddr()`]([link moved to references]) now return `('', '')` 2-tuples in more situations where invalid email addresses are encountered instead of potentially inaccurate values. Add optional *strict* parameter to these two functions: use `strict=False` to get the old behavior, accept malformed inputs. `getattr(email.utils, 'supports_strict_parsing', False)` can be use to check if the *strict* paramater is available. This improves the CVE-2023-27043 fix.
- [gh-123270]([link moved to references]): Sanitize names in [`zipfile.Path`]([link moved to references]) to avoid infinite loops ([gh-122905]([link moved to references])) without breaking contents using legitimate characters. That's CVE-2024-8088.
- [gh-121650]([link moved to references]): [`email`]([link moved to references]) headers with embedded newlines are now quoted on output. The [`generator`]([link moved to references]) will now refuse to serialize ... [Please see the references for more information on the vulnerabilities]
Affected Software/OS:
'python3.11' package(s) on Fedora 39.
Solution:
Please install the updated package(s).
CVSS Score:
7.8
CVSS Vector:
AV:N/AC:L/Au:N/C:N/I:N/A:C
|
