Amazon Linux 2 Security Advisory: ALASPYTHON3.8-2023-008
Advisory Release Date: 2023-08-21 21:00 Pacific
Advisory Updated Date: 2023-09-25 22:04 Pacific
A flaw was found in python. In Lib/tarfile.py an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation. (CVE-2019-20907)
A vulnerability was found in the way the ipaddress python module computes hash values in the IPv4Interface and IPv6Interface classes. This flaw allows an attacker to create many dictionary entries, due to the performance of a dictionary containing the IPv4Interface or IPv6Interface objects, possibly resulting in a denial of service. The highest threat from this vulnerability is to system availability. (CVE-2020-14422)
Affected Packages:
python38
Note:
This advisory is applicable to Amazon Linux 2 - Python3.8 Extra. Visit this page to learn more about Amazon Linux 2 (AL2) Extras and this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update python38 to update your system.
aarch64:
python38-3.8.5-1.amzn2.0.1.aarch64
python38-libs-3.8.5-1.amzn2.0.1.aarch64
python38-devel-3.8.5-1.amzn2.0.1.aarch64
python38-tools-3.8.5-1.amzn2.0.1.aarch64
python38-tkinter-3.8.5-1.amzn2.0.1.aarch64
python38-test-3.8.5-1.amzn2.0.1.aarch64
python38-debug-3.8.5-1.amzn2.0.1.aarch64
python38-debuginfo-3.8.5-1.amzn2.0.1.aarch64
src:
python38-3.8.5-1.amzn2.0.1.src
x86_64:
python38-3.8.5-1.amzn2.0.1.x86_64
python38-libs-3.8.5-1.amzn2.0.1.x86_64
python38-devel-3.8.5-1.amzn2.0.1.x86_64
python38-tools-3.8.5-1.amzn2.0.1.x86_64
python38-tkinter-3.8.5-1.amzn2.0.1.x86_64
python38-test-3.8.5-1.amzn2.0.1.x86_64
python38-debug-3.8.5-1.amzn2.0.1.x86_64
python38-debuginfo-3.8.5-1.amzn2.0.1.x86_64