Amazon Linux 2023 Security Advisory: ALAS-2024-788
Advisory Release Date: 2024-12-05 20:34 Pacific
Advisory Updated Date: 2024-12-16 13:30 Pacific
Severity: Medium

Issue Overview:

The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python. (CVE-2023-27043)
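The domain-allowlist bypass described above comes from trusting the addr-spec that parseaddr() returns. The following check is an added example, not code from the advisory or from CPython: it validates the raw sign-up string itself with a conservative addr-spec pattern and only then asks parseaddr() to confirm it saw exactly the same thing. ALLOWED_DOMAIN and the function name are assumptions for the example.

```python
"""Hardened sign-up domain check (added example, not part of the advisory).

CVE-2023-27043: email.utils.parseaddr() can attribute the wrong portion of
a header to the addr-spec, so a domain allow-list that trusts only that
addr-spec can be misled. This check treats parseaddr() as untrusted and
validates the raw input independently; the policy and names are assumed.
"""
import re
from email.utils import parseaddr

ALLOWED_DOMAIN = "company.example.com"  # constructed sample policy

# Conservative addr-spec: dot-atom local part and dotted host labels only.
# Display names, comments, quoted strings, angle brackets and whitespace
# are all rejected before the library ever sees the string.
_STRICT_ADDR = re.compile(
    r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~.-]{1,64}"
    r"@[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)+"
)


def is_allowed_signup_address(raw: str, allowed_domain: str = ALLOWED_DOMAIN) -> bool:
    """Return True only if `raw` is a bare addr-spec in the allowed domain.

    1. The raw string must match the strict pattern (no header syntax).
    2. parseaddr() must agree exactly with the raw string; any discrepancy
       means the library found structure we did not, so reject.
    3. The domain comparison is case-insensitive and exact (no suffix match,
       so sub.company.example.com is not accepted for company.example.com).
    """
    if not _STRICT_ADDR.fullmatch(raw):
        return False
    name, addr = parseaddr(raw)
    if name != "" or addr != raw:
        return False
    local, _, domain = addr.rpartition("@")
    if local.startswith(".") or local.endswith(".") or ".." in local:
        return False
    return domain.lower() == allowed_domain.lower()
```

The same idea applies to any verification flow that compares a parsed address against a policy: decide on the raw bytes you accepted, and use the library's result only as a cross-check.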

A defect was discovered in the Python "ssl" module where there is a memory
race condition with the ssl.SSLContext methods "cert_store_stats()" and
"get_ca_certs()". The race condition can be triggered if the methods are
called at the same time as certificates are loaded into the SSLContext,
such as during the TLS handshake with a certificate directory configured.
This issue is fixed in CPython 3.10.14, 3.11.9, 3.12.3, and 3.13.0a5. (CVE-2024-0397)

There is a medium-severity vulnerability affecting the CPython "zipfile"
module.

When iterating over the names of entries in a zip archive (for example, via
"zipfile.ZipFile" methods such as "namelist()", "iterdir()", "extractall()",
etc.), the process can be put into an infinite loop by a maliciously crafted
zip archive. This defect applies both when reading only metadata and when
extracting the contents of the zip archive. Programs that do not handle
user-controlled zip archives are not affected. (CVE-2024-8088)


Affected Packages:

python3.11


Issue Correction:
Run dnf update python3.11 --releasever 2023.6.20241212 to update your system.

New Packages:
aarch64:
    python3.11-devel-3.11.6-1.amzn2023.0.5.aarch64
    python3.11-3.11.6-1.amzn2023.0.5.aarch64
    python3.11-tkinter-3.11.6-1.amzn2023.0.5.aarch64
    python3.11-debug-3.11.6-1.amzn2023.0.5.aarch64
    python3.11-idle-3.11.6-1.amzn2023.0.5.aarch64
    python3.11-debugsource-3.11.6-1.amzn2023.0.5.aarch64
    python3.11-debuginfo-3.11.6-1.amzn2023.0.5.aarch64
    python3.11-libs-3.11.6-1.amzn2023.0.5.aarch64
    python3.11-test-3.11.6-1.amzn2023.0.5.aarch64

src:
    python3.11-3.11.6-1.amzn2023.0.5.src

x86_64:
    python3.11-3.11.6-1.amzn2023.0.5.x86_64
    python3.11-debugsource-3.11.6-1.amzn2023.0.5.x86_64
    python3.11-devel-3.11.6-1.amzn2023.0.5.x86_64
    python3.11-debug-3.11.6-1.amzn2023.0.5.x86_64
    python3.11-idle-3.11.6-1.amzn2023.0.5.x86_64
    python3.11-tkinter-3.11.6-1.amzn2023.0.5.x86_64
    python3.11-debuginfo-3.11.6-1.amzn2023.0.5.x86_64
    python3.11-libs-3.11.6-1.amzn2023.0.5.x86_64
    python3.11-test-3.11.6-1.amzn2023.0.5.x86_64