python3.11-3.11.2-2.el8.2
Errata ID: AXSA:2023-6479:04
Release date:
2023/10/09 Monday - 15:05
Title:
python3.11-3.11.2-2.el8.2
Affected channels:
Asianux Server 8 for x86_64
Severity:
High
Description:
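The following items have been addressed.
[Security Fix]
- Instances of Python's ssl.SSLSocket have an issue in which
unencrypted data that was sent is handled as TLS-encrypted data.
As a result, a vulnerability exists that allows a remote attacker
to modify and delete resources without authorization by closing a
socket created for TLS authentication before the handshake begins.
(CVE-2023-40217)
Solution:
Update the packages.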
CVE:
CVE-2023-40217
An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as "not connected" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket.)
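An added example (not part of the advisory or of any Asianux tooling): the CVE text lists 3.11.x before 3.11.5 as affected, yet this advisory ships the fix in a 3.11.2 build, so a check on the interpreter version alone misreports a patched host. The sketch compares the installed package's version-release against the fixed build instead; the function names, the simplified rpm comparison (no epoch, `~` or `^`) and the sample values are assumptions.

```python
import re

# Fixed build named in this advisory (version-release, epoch ignored).
FIXED_EVR = "3.11.2-2.el8.2"
# First fixed micro release per upstream branch, from the CVE text.
UPSTREAM_FIXED = {(3, 8): 18, (3, 9): 18, (3, 10): 13, (3, 11): 5}


def upstream_affected(version):
    """True if an upstream X.Y.Z version is in the CVE's affected range."""
    major, minor, micro = (int(p) for p in version.split(".")[:3])
    if (major, minor) < (3, 8):
        return True  # "Python before 3.8.18" covers older branches
    fixed = UPSTREAM_FIXED.get((major, minor))
    return fixed is not None and micro < fixed


def rpmvercmp(a, b):
    """Simplified rpm segment comparison (no ~ or ^ handling): -1, 0 or 1."""
    sa = re.findall(r"\d+|[A-Za-z]+", a)
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() or y.isdigit():
            return 1 if x.isdigit() else -1  # numeric beats alphabetic
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def is_patched(installed_evr):
    """True if the installed python3.11 build is at or above FIXED_EVR."""
    ver, rel = installed_evr.rsplit("-", 1)
    fver, frel = FIXED_EVR.rsplit("-", 1)
    return (rpmvercmp(ver, fver) or rpmvercmp(rel, frel)) >= 0


if __name__ == "__main__":
    # Constructed sample values; on a host, obtain the real one with
    #   rpm -q --qf '%{VERSION}-%{RELEASE}\n' python3.11
    for evr in ("3.11.2-2.el8.1", "3.11.2-2.el8.2", "3.11.5-1.el8"):
        upstream = evr.split("-")[0]
        print(evr, "upstream range:", upstream_affected(upstream),
              "patched build:", is_patched(evr))
```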
Additional information:
N/A
Downloads:
SRPMS
- python3.11-3.11.2-2.el8.2.src.rpm
MD5: 5531abb388d3435571a6ddc463b19824
SHA-256: 976ae86761b45c2a18a6a9ba531ca77b42d790753ad131f8f1f03436d720b1f6
Size: 19.04 MB
Asianux Server 8 for x86_64
- python3.11-3.11.2-2.el8.2.i686.rpm
MD5: b71e5a744f1835d60b68c219d91d31cf
SHA-256: 2b04bfc3eba7ffe5982178ac7d94850525ec83d6ddf61720edb65c3e3eb18603
Size: 28.98 kB
- python3.11-3.11.2-2.el8.2.x86_64.rpm
MD5: 3665141c038fd568ad9a56f31b30cae4
SHA-256: 96c8be48b6beffc5005f5d003ecd172de7f9a9238c9118227b5e734d16e9ea3c
Size: 28.89 kB
- python3.11-debug-3.11.2-2.el8.2.i686.rpm
MD5: 99fb0d94b5b570ecb72e111153d5db65
SHA-256: 3473eed3a034827026834da22343bef0aa460bec24b60dc77f3a8a1a4da71f5c
Size: 3.18 MB
- python3.11-debug-3.11.2-2.el8.2.x86_64.rpm
MD5: 39d06a805f4118ced8c4ccde09b96ec9
SHA-256: 0d4ffc09dd06b4306c401d376577026916b37662f3a291bb5a428fb284dadf8b
Size: 3.32 MB
- python3.11-devel-3.11.2-2.el8.2.i686.rpm
MD5: 16d7fda6aebb0c686d5dac5342023fdd
SHA-256: 4add911b477fb613a4f5308c5fbe181c2eae63a974c407e3b21881e8be8a4ba9
Size: 246.13 kB
- python3.11-devel-3.11.2-2.el8.2.x86_64.rpm
MD5: 8a4be20f1aff3ef3b3f28f5a5769ec0c
SHA-256: da8f0427048230432964717e4253de566d478287cc38a27d45dc5d114ae124f2
Size: 246.09 kB
- python3.11-idle-3.11.2-2.el8.2.i686.rpm
MD5: b2c10589a4a6bb7e01f76ece5b129d8a
SHA-256: 2f758263b9714d7ab3ed5e7cf6be92efd258b28adf9b17f2eabeec4b8ad98036
Size: 1.30 MB
- python3.11-idle-3.11.2-2.el8.2.x86_64.rpm
MD5: 1b85fed79503201c63c606768365fdb0
SHA-256: c571ac266d2bfc688678139498d73e99b64be2afbbd01e7a224b5f37f717b94a
Size: 1.30 MB
- python3.11-libs-3.11.2-2.el8.2.i686.rpm
MD5: 682f40530d228275e2c5a878bc497493
SHA-256: bc27abde60ab7a98c906cc54f49fc7b227ba47239a4194c8edac63e81e319f3a
Size: 10.45 MB
- python3.11-libs-3.11.2-2.el8.2.x86_64.rpm
MD5: 39a78ae63b046da683d224ed2423abb1
SHA-256: cb32c8bf0f3a1915d2d568c9ef7680bb359b1dc6c005cbad750fa3f051b59866
Size: 10.35 MB
- python3.11-rpm-macros-3.11.2-2.el8.2.noarch.rpm
MD5: 7cb32384ff591ea36ec2cc7803a3e767
SHA-256: a6a6c4d11de1ded1e70cf06c92d239a8713399ed371c6eae12cbbbbd633cdfc9
Size: 11.09 kB
- python3.11-test-3.11.2-2.el8.2.i686.rpm
MD5: cab97bc80ac8660b03386f1b65a09786
SHA-256: a009cef97937e7c289e073014e579f50f05abdd38bc5e8d226333e99e34bda74
Size: 14.94 MB
- python3.11-test-3.11.2-2.el8.2.x86_64.rpm
MD5: a507940d8e9cfb1e7e53ce2f53f52a83
SHA-256: bf43d4d928ec4e173b75735d09c88ee19959ce542002423118f427b7c634d8ab
Size: 14.94 MB
- python3.11-tkinter-3.11.2-2.el8.2.i686.rpm
MD5: 4150386c790eca8979b13c3c3844be75
SHA-256: 89fb1b8df339e4e7e055aa22abf902a9ed24ba4830c75394527a2fe55d6c5d22
Size: 407.50 kB
- python3.11-tkinter-3.11.2-2.el8.2.x86_64.rpm
MD5: 0bb53767d7ce6d1a3c2f3d7a958b3c14
SHA-256: 3c7d59570bf1768164e9e9484244e0fb04cf1fa4623087a6dd9a9ee1822522c2
Size: 406.09 kB