ALASPYTHON3.8-2024-016

Amazon Linux 2 Security Advisory: ALASPYTHON3.8-2024-016
Advisory Release Date: 2024-11-08 17:57 Pacific
Advisory Updated Date: 2024-11-15 13:00 Pacific
Severity: Important
Issue Overview:

Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267. (CVE-2007-4559)

Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection against multiple (/) at the beginning of URI path which may leads to information disclosure. NOTE: this is disputed by a third party because the http.server.html documentation page states "Warning: http.server is not recommended for production. It only implements basic security checks." (CVE-2021-28861)

A defect was discovered in the Python "ssl" module where there is a memory
race condition with the ssl.SSLContext methods "cert_store_stats()" and
"get_ca_certs()". The race condition can be triggered if the methods are
called at the same time as certificates are loaded into the SSLContext,
such as during the TLS handshake with a certificate directory configured.
This issue is fixed in CPython 3.10.14, 3.11.9, 3.12.3, and 3.13.0a5. (CVE-2024-0397)

An issue was found in the CPython `zipfile` module affecting versions 3.12.2, 3.11.8, 3.10.13, 3.9.18, and 3.8.18 and prior.

The zipfile module is vulnerable to "quoted-overlap" zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive. (CVE-2024-0450)

The "ipaddress" module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as "globally reachable" or "private". This affected the is_private and is_global properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network classes, where values wouldn't be returned in accordance with the latest information from the IANA Special-Purpose Address Registries.

CPython 3.12.4 and 3.13.0a6 contain updated information from these registries and thus have the intended behavior. (CVE-2024-4032)

There is a MEDIUM severity vulnerability affecting CPython.

Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives. (CVE-2024-6232)

There is a MEDIUM severity vulnerability affecting CPython.

The
email module didn't properly quote newlines for email headers when
serializing an email message allowing for header injection when an email
is serialized. (CVE-2024-6923)

There is a LOW severity vulnerability affecting CPython, specifically the
'http.cookies' standard library module.


When parsing cookies that contained backslashes for quoted characters in
the cookie value, the parser would use an algorithm with quadratic
complexity, resulting in excess CPU resources being used while parsing the
value. (CVE-2024-7592)

There is a severity vulnerability affecting the CPython "zipfile"
module.

When iterating over names of entries in a zip archive (for example, methods
of "zipfile.ZipFile" like "namelist()", "iterdir()", "extractall()", etc)
the process can be put into an infinite loop with a maliciously crafted
zip archive. This defect applies when reading only metadata or extracting
the contents of the zip archive. Programs that are not handling
user-controlled zip archives are not affected. (CVE-2024-8088)


Affected Packages:

python38


Note:

This advisory is applicable to Amazon Linux 2 - Python3.8 Extra. Visit this page to learn more about Amazon Linux 2 (AL2) Extras and this FAQ section for the difference between AL2 Core and AL2 Extras advisories.


Issue Correction:
Run yum update python38 to update your system.

New Packages:
aarch64:
    python38-3.8.20-1.amzn2.0.1.aarch64
    python38-libs-3.8.20-1.amzn2.0.1.aarch64
    python38-devel-3.8.20-1.amzn2.0.1.aarch64
    python38-tools-3.8.20-1.amzn2.0.1.aarch64
    python38-tkinter-3.8.20-1.amzn2.0.1.aarch64
    python38-test-3.8.20-1.amzn2.0.1.aarch64
    python38-debug-3.8.20-1.amzn2.0.1.aarch64
    python38-debuginfo-3.8.20-1.amzn2.0.1.aarch64

src:
    python38-3.8.20-1.amzn2.0.1.src

x86_64:
    python38-3.8.20-1.amzn2.0.1.x86_64
    python38-libs-3.8.20-1.amzn2.0.1.x86_64
    python38-devel-3.8.20-1.amzn2.0.1.x86_64
    python38-tools-3.8.20-1.amzn2.0.1.x86_64
    python38-tkinter-3.8.20-1.amzn2.0.1.x86_64
    python38-test-3.8.20-1.amzn2.0.1.x86_64
    python38-debug-3.8.20-1.amzn2.0.1.x86_64
    python38-debuginfo-3.8.20-1.amzn2.0.1.x86_64

Additional References

Red Hat: CVE-2007-4559, CVE-2021-28861, CVE-2024-0397, CVE-2024-0450, CVE-2024-4032, CVE-2024-6232, CVE-2024-6923, CVE-2024-7592, CVE-2024-8088

Mitre: CVE-2007-4559, CVE-2021-28861, CVE-2024-0397, CVE-2024-0450, CVE-2024-4032, CVE-2024-6232, CVE-2024-6923, CVE-2024-7592, CVE-2024-8088