ALAS-2023-2317

Amazon Linux 2 Security Advisory: ALAS-2023-2317
Advisory Release Date: 2023-10-25 21:40 Pacific
Advisory Updated Date: 2024-08-28 19:04 Pacific
Severity: Important
Issue Overview:

2024-08-28: CVE-2022-48564 was added to this advisory.

2023-10-30: CVE-2020-26116 was added to this advisory.

2023-10-30: CVE-2020-27619 was added to this advisory.

A flaw was found in Python. The built-in modules httplib and http.client (included in Python 2 and Python 3, respectively) do not properly validate CRLF sequences in the HTTP request method, potentially allowing manipulation to the request by injecting additional HTTP headers. The highest threat from this vulnerability is to confidentiality and integrity. (CVE-2020-26116)

In Python3's Lib/test/multibytecodec_support.py CJK codec tests call eval() on content retrieved via HTTP. (CVE-2020-27619)

read_ints in plistlib.py in Python through 3.9.1 is vulnerable to a potential DoS attack via CPU and RAM exhaustion when processing malformed Apple Property List files in binary format. (CVE-2022-48564)

An XML External Entity (XXE) issue was discovered in Python through 3.9.1. The plistlib module no longer accepts entity declarations in XML plist files to avoid XML vulnerabilities. (CVE-2022-48565)


Affected Packages:

python3


Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.


Issue Correction:
Run yum update python3 to update your system.

New Packages:
aarch64:
    python3-3.7.10-1.amzn2.0.1.aarch64
    python3-libs-3.7.10-1.amzn2.0.1.aarch64
    python3-devel-3.7.10-1.amzn2.0.1.aarch64
    python3-tools-3.7.10-1.amzn2.0.1.aarch64
    python3-tkinter-3.7.10-1.amzn2.0.1.aarch64
    python3-test-3.7.10-1.amzn2.0.1.aarch64
    python3-debug-3.7.10-1.amzn2.0.1.aarch64
    python3-debuginfo-3.7.10-1.amzn2.0.1.aarch64

i686:
    python3-3.7.10-1.amzn2.0.1.i686
    python3-libs-3.7.10-1.amzn2.0.1.i686
    python3-devel-3.7.10-1.amzn2.0.1.i686
    python3-tools-3.7.10-1.amzn2.0.1.i686
    python3-tkinter-3.7.10-1.amzn2.0.1.i686
    python3-test-3.7.10-1.amzn2.0.1.i686
    python3-debug-3.7.10-1.amzn2.0.1.i686
    python3-debuginfo-3.7.10-1.amzn2.0.1.i686

src:
    python3-3.7.10-1.amzn2.0.1.src

x86_64:
    python3-3.7.10-1.amzn2.0.1.x86_64
    python3-libs-3.7.10-1.amzn2.0.1.x86_64
    python3-devel-3.7.10-1.amzn2.0.1.x86_64
    python3-tools-3.7.10-1.amzn2.0.1.x86_64
    python3-tkinter-3.7.10-1.amzn2.0.1.x86_64
    python3-test-3.7.10-1.amzn2.0.1.x86_64
    python3-debug-3.7.10-1.amzn2.0.1.x86_64
    python3-debuginfo-3.7.10-1.amzn2.0.1.x86_64

Additional References

Red Hat: CVE-2020-26116, CVE-2020-27619, CVE-2022-48564, CVE-2022-48565

Mitre: CVE-2020-26116, CVE-2020-27619, CVE-2022-48564, CVE-2022-48565