Amazon Linux 2023 Security Advisory: ALAS-2024-500
Advisory Release Date: 2024-01-19 01:31 Pacific
Advisory Updated Date: 2025-01-16 23:13 Pacific
Severity:
Medium
Issue Overview:
2025-01-16: CVE-2024-11168 was added to this advisory.
An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters. (CVE-2023-24329)
The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts (`[]`), allowing hosts that weren't IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potentially enabled SSRF if a URL is processed by more than one URL parser. (CVE-2024-11168)
Affected Packages:
python3.11
Issue Correction:
Run dnf update python3.11 --releasever 2023.3.20240122 to update your system.
New Packages:
aarch64:
python3.11-3.11.6-1.amzn2023.0.1.aarch64
python3.11-idle-3.11.6-1.amzn2023.0.1.aarch64
python3.11-devel-3.11.6-1.amzn2023.0.1.aarch64
python3.11-tkinter-3.11.6-1.amzn2023.0.1.aarch64
python3.11-debugsource-3.11.6-1.amzn2023.0.1.aarch64
python3.11-debug-3.11.6-1.amzn2023.0.1.aarch64
python3.11-debuginfo-3.11.6-1.amzn2023.0.1.aarch64
python3.11-libs-3.11.6-1.amzn2023.0.1.aarch64
python3.11-test-3.11.6-1.amzn2023.0.1.aarch64
src:
python3.11-3.11.6-1.amzn2023.0.1.src
x86_64:
python3.11-tkinter-3.11.6-1.amzn2023.0.1.x86_64
python3.11-3.11.6-1.amzn2023.0.1.x86_64
python3.11-devel-3.11.6-1.amzn2023.0.1.x86_64
python3.11-debugsource-3.11.6-1.amzn2023.0.1.x86_64
python3.11-idle-3.11.6-1.amzn2023.0.1.x86_64
python3.11-debug-3.11.6-1.amzn2023.0.1.x86_64
python3.11-debuginfo-3.11.6-1.amzn2023.0.1.x86_64
python3.11-libs-3.11.6-1.amzn2023.0.1.x86_64
python3.11-test-3.11.6-1.amzn2023.0.1.x86_64