ELSA-2023-3550

Published: 26 Jun 2023
Source: oracle-oval
Platform: Oracle Linux 6

Description

ELSA-2023-3550: python security update (IMPORTANT)

[2.6.6-68.0.3]

  • ASCII newline and tab characters are stripped from the URL [CVE-2022-0391][Orabug: 35479836]
  • Start stripping C0 control and space chars in urlsplit [CVE-2023-24329][Orabug: 35479836]

Updated packages

Oracle Linux 6

Oracle Linux x86_64

  • python 2.6.6-68.0.3.el6_10
  • python-devel 2.6.6-68.0.3.el6_10
  • python-libs 2.6.6-68.0.3.el6_10
  • python-test 2.6.6-68.0.3.el6_10
  • python-tools 2.6.6-68.0.3.el6_10
  • tkinter 2.6.6-68.0.3.el6_10

Oracle Linux i686

  • python 2.6.6-68.0.3.el6_10
  • python-devel 2.6.6-68.0.3.el6_10
  • python-libs 2.6.6-68.0.3.el6_10
  • python-test 2.6.6-68.0.3.el6_10
  • python-tools 2.6.6-68.0.3.el6_10
  • tkinter 2.6.6-68.0.3.el6_10

Related CVEs

Related vulnerabilities

CVSS3: 7.5
ubuntu
more than 3 years ago

A flaw was found in Python, specifically within the urllib.parse module. This module helps break Uniform Resource Locator (URL) strings into components. The issue involves how the urlparse method does not sanitize input and allows characters like '\r' and '\n' in the URL path. This flaw allows an attacker to input a crafted URL, leading to injection attacks. This flaw affects Python versions prior to 3.10.0b1, 3.9.5, 3.8.11, 3.7.11 and 3.6.14.

CVSS3: 5.3
redhat
about 4 years ago

A flaw was found in Python, specifically within the urllib.parse module. This module helps break Uniform Resource Locator (URL) strings into components. The issue involves how the urlparse method does not sanitize input and allows characters like '\r' and '\n' in the URL path. This flaw allows an attacker to input a crafted URL, leading to injection attacks. This flaw affects Python versions prior to 3.10.0b1, 3.9.5, 3.8.11, 3.7.11 and 3.6.14.

CVSS3: 7.5
nvd
more than 3 years ago

A flaw was found in Python, specifically within the urllib.parse module. This module helps break Uniform Resource Locator (URL) strings into components. The issue involves how the urlparse method does not sanitize input and allows characters like '\r' and '\n' in the URL path. This flaw allows an attacker to input a crafted URL, leading to injection attacks. This flaw affects Python versions prior to 3.10.0b1, 3.9.5, 3.8.11, 3.7.11 and 3.6.14.

CVSS3: 7.5
msrc
more than 3 years ago

No description available

CVSS3: 7.5
debian
more than 3 years ago

A flaw was found in Python, specifically within the urllib.parse modul ...