Описание
ELSA-2024-10978: python3.12 security update (IMPORTANT)
[3.12.5-2.2]
- Security fix for CVE-2024-9287 and CVE-2024-12254 Resolves: RHEL-64885, RHEL-70316
Обновленные пакеты
Oracle Linux 9
Oracle Linux aarch64
python3.12
3.12.5-2.el9_5.2
python3.12-debug
3.12.5-2.el9_5.2
python3.12-devel
3.12.5-2.el9_5.2
python3.12-idle
3.12.5-2.el9_5.2
python3.12-libs
3.12.5-2.el9_5.2
python3.12-test
3.12.5-2.el9_5.2
python3.12-tkinter
3.12.5-2.el9_5.2
Oracle Linux x86_64
python3.12
3.12.5-2.el9_5.2
python3.12-debug
3.12.5-2.el9_5.2
python3.12-devel
3.12.5-2.el9_5.2
python3.12-idle
3.12.5-2.el9_5.2
python3.12-libs
3.12.5-2.el9_5.2
python3.12-test
3.12.5-2.el9_5.2
python3.12-tkinter
3.12.5-2.el9_5.2
Связанные CVE
Связанные уязвимости
Starting in Python 3.12.0, the asyncio._SelectorSocketTransport.writelines() method would not "pause" writing and signal to the Protocol to drain the buffer to the wire once the write buffer reached the "high-water mark". Because of this, Protocols would not periodically drain the write buffer potentially leading to memory exhaustion. This vulnerability likely impacts a small number of users, you must be using Python 3.12.0 or later, on macOS or Linux, using the asyncio module with protocols, and using .writelines() method which had new zero-copy-on-write behavior in Python 3.12.0 and later. If not all of these factors are true then your usage of Python is unaffected.
Starting in Python 3.12.0, the asyncio._SelectorSocketTransport.writelines() method would not "pause" writing and signal to the Protocol to drain the buffer to the wire once the write buffer reached the "high-water mark". Because of this, Protocols would not periodically drain the write buffer potentially leading to memory exhaustion. This vulnerability likely impacts a small number of users, you must be using Python 3.12.0 or later, on macOS or Linux, using the asyncio module with protocols, and using .writelines() method which had new zero-copy-on-write behavior in Python 3.12.0 and later. If not all of these factors are true then your usage of Python is unaffected.
Starting in Python 3.12.0, the asyncio._SelectorSocketTransport.writelines() method would not "pause" writing and signal to the Protocol to drain the buffer to the wire once the write buffer reached the "high-water mark". Because of this, Protocols would not periodically drain the write buffer potentially leading to memory exhaustion. This vulnerability likely impacts a small number of users, you must be using Python 3.12.0 or later, on macOS or Linux, using the asyncio module with protocols, and using .writelines() method which had new zero-copy-on-write behavior in Python 3.12.0 and later. If not all of these factors are true then your usage of Python is unaffected.