ALAS-2025-808


Amazon Linux 2023 Security Advisory: ALAS-2025-808
Advisory Release Date: 2025-01-21 23:11 Pacific
Advisory Updated Date: 2025-01-24 13:15 Pacific
Severity: Important

Issue Overview:

Starting in Python 3.12.0, the asyncio._SelectorSocketTransport.writelines()
method would not "pause" writing and signal to the Protocol to drain
the buffer to the wire once the write buffer reached the "high-water
mark". Because of this, Protocols would not periodically drain the write
buffer potentially leading to memory exhaustion.

This vulnerability likely impacts a small number of users: you must be using
Python 3.12.0 or later, on macOS or Linux, using the asyncio module
with protocols, and using the .writelines() method, which gained new
zero-copy-on-write behavior in Python 3.12.0 and later. If not all of
these factors are true, your usage of Python is unaffected. (CVE-2024-12254)

A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment "activation" scripts (i.e. "source venv/bin/activate"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker, or which aren't activated before being used (i.e. "./venv/bin/python"), are not affected. (CVE-2024-9287)


Affected Packages:

python3.12


Issue Correction:
Run dnf update python3.12 --releasever 2023.6.20250123 to update your system.

New Packages:
aarch64:
    python3.12-3.12.8-1.amzn2023.0.1.aarch64
    python3.12-devel-3.12.8-1.amzn2023.0.1.aarch64
    python3.12-tkinter-3.12.8-1.amzn2023.0.1.aarch64
    python3.12-debug-3.12.8-1.amzn2023.0.1.aarch64
    python3.12-idle-3.12.8-1.amzn2023.0.1.aarch64
    python3.12-debugsource-3.12.8-1.amzn2023.0.1.aarch64
    python3.12-debuginfo-3.12.8-1.amzn2023.0.1.aarch64
    python3.12-libs-3.12.8-1.amzn2023.0.1.aarch64
    python3.12-test-3.12.8-1.amzn2023.0.1.aarch64

src:
    python3.12-3.12.8-1.amzn2023.0.1.src

x86_64:
    python3.12-devel-3.12.8-1.amzn2023.0.1.x86_64
    python3.12-3.12.8-1.amzn2023.0.1.x86_64
    python3.12-debugsource-3.12.8-1.amzn2023.0.1.x86_64
    python3.12-tkinter-3.12.8-1.amzn2023.0.1.x86_64
    python3.12-debug-3.12.8-1.amzn2023.0.1.x86_64
    python3.12-idle-3.12.8-1.amzn2023.0.1.x86_64
    python3.12-debuginfo-3.12.8-1.amzn2023.0.1.x86_64
    python3.12-libs-3.12.8-1.amzn2023.0.1.x86_64
    python3.12-test-3.12.8-1.amzn2023.0.1.x86_64