Amazon Linux 2 Security Advisory: ALAS-2025-2797
Advisory Release Date: 2025-03-13 01:30 Pacific
Advisory Updated Date: 2025-03-25 16:12 Pacific
FAQs regarding Amazon Linux ALAS/CVE Severity
An issue was found in the CPython `zipfile` module affecting versions 3.12.2, 3.11.8, 3.10.13, 3.9.18, and 3.8.18 and prior.
The zipfile module is vulnerable to "quoted-overlap" zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive. (CVE-2024-0450)
The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts (`[]`), allowing hosts that weren't IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potentially enabled SSRF if a URL is processed by more than one URL parser. (CVE-2024-11168)
There is a MEDIUM severity vulnerability affecting CPython.
The
email module didn't properly quote newlines for email headers when
serializing an email message allowing for header injection when an email
is serialized. (CVE-2024-6923)
There is a LOW severity vulnerability affecting CPython, specifically the
'http.cookies' standard library module.
When parsing cookies that contained backslashes for quoted characters in
the cookie value, the parser would use an algorithm with quadratic
complexity, resulting in excess CPU resources being used while parsing the
value. (CVE-2024-7592)
The Python standard library functions `urllib.parse.urlsplit` and `urlparse` accepted domain names that included square brackets which isn't valid according to RFC 3986. Square brackets are only meant to be used as delimiters for specifying IPv6 and IPvFuture hosts in URLs. This could result in differential parsing across the Python URL parser and other specification-compliant URL parsers. (CVE-2025-0938)
Affected Packages:
python
Note:
This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update python to update your system.
aarch64:
python-2.7.18-1.amzn2.0.11.aarch64
python-libs-2.7.18-1.amzn2.0.11.aarch64
python-devel-2.7.18-1.amzn2.0.11.aarch64
python-tools-2.7.18-1.amzn2.0.11.aarch64
tkinter-2.7.18-1.amzn2.0.11.aarch64
python-test-2.7.18-1.amzn2.0.11.aarch64
python-debug-2.7.18-1.amzn2.0.11.aarch64
python-debuginfo-2.7.18-1.amzn2.0.11.aarch64
i686:
python-2.7.18-1.amzn2.0.11.i686
python-libs-2.7.18-1.amzn2.0.11.i686
python-devel-2.7.18-1.amzn2.0.11.i686
python-tools-2.7.18-1.amzn2.0.11.i686
tkinter-2.7.18-1.amzn2.0.11.i686
python-test-2.7.18-1.amzn2.0.11.i686
python-debug-2.7.18-1.amzn2.0.11.i686
python-debuginfo-2.7.18-1.amzn2.0.11.i686
src:
python-2.7.18-1.amzn2.0.11.src
x86_64:
python-2.7.18-1.amzn2.0.11.x86_64
python-libs-2.7.18-1.amzn2.0.11.x86_64
python-devel-2.7.18-1.amzn2.0.11.x86_64
python-tools-2.7.18-1.amzn2.0.11.x86_64
tkinter-2.7.18-1.amzn2.0.11.x86_64
python-test-2.7.18-1.amzn2.0.11.x86_64
python-debug-2.7.18-1.amzn2.0.11.x86_64
python-debuginfo-2.7.18-1.amzn2.0.11.x86_64