moderate: python3.11/tongsuo security update
moderate
An update for python3.11/tongsuo is now available for NewStart CGSL MAIN 7.02.
NewStart Security has rated this update as having a security impact of moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
python3.11:
tongsuo:
Security Fix(es):
python3.11: A flaw was found in Python. The Python standard library functions `urllib.parse.urlsplit` and `urlparse` accept domain names that include square brackets, which is not valid according to RFC 3986. Square brackets are only meant to be used as delimiters for specifying IPv6 and IPvFuture hosts in URLs. This could result in differential parsing across the Python URL parser and other specification-compliant URL parsers. (CVE-2025-0938)
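The practical risk in CVE-2025-0938 is that Python and another parser (a proxy, an allow-list check, a browser) disagree about what the host of a URL is once square brackets appear in the authority. The following check is an added example, not code from the advisory or from the Python project: it takes the authority that `urlsplit` returns and applies the RFC 3986 rule directly, so a bracketed host is accepted only if it is a well-formed IPv6 or IPvFuture literal, and brackets are rejected anywhere else. It behaves the same on patched interpreters (where `urlsplit` already raises `ValueError` for these inputs) and on unpatched ones (where `urlsplit` silently returns a host that other parsers would not). The function name `check_host`, the regexes and the sample URLs are all constructed for this example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# RFC 3986 IPvFuture: "v" 1*HEXDIG "." 1*( unreserved / sub-delims / ":" )
_IPVFUTURE = re.compile(r"\Av[0-9A-Fa-f]+\.[A-Za-z0-9\-._~!$&'()*+,;=:]+\Z")

# RFC 3986 reg-name: unreserved / pct-encoded / sub-delims; no brackets allowed.
_REG_NAME = re.compile(r"\A(?:[A-Za-z0-9\-._~!$&'()*+,;=]|%[0-9A-Fa-f]{2})*\Z")


def check_host(url):
    """Return (ok, host, reason) for the host component of `url`.

    `ok` is True only when the authority is RFC 3986 compliant, so a
    specification-compliant parser would extract the same `host`.
    """
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        # Patched Pythons reject malformed bracketed hosts here already.
        return False, None, f"urlsplit rejected the URL: {exc}"

    # Strip any userinfo; everything after the last '@' is host[:port].
    hostport = parts.netloc.rpartition("@")[2]

    if hostport.startswith("["):
        literal, close, rest = hostport[1:].partition("]")
        if not close:
            return False, None, "unterminated IP literal"
        # Only ':port' may follow the closing bracket.
        if rest and not rest.startswith(":"):
            return False, None, "data after ']' that is not a port"
        if rest[1:] and not rest[1:].isdigit():
            return False, None, "port is not numeric"
        if literal[:1] in ("v", "V"):
            if not _IPVFUTURE.match(literal):
                return False, None, "malformed IPvFuture literal"
            return True, literal, "IPvFuture literal"
        try:
            ip = ipaddress.IPv6Address(literal)
        except ValueError:
            return False, None, "bracketed host is not an IPv6 address"
        return True, str(ip), "IPv6 literal"

    # Unbracketed authority: host must be a reg-name, brackets are never allowed.
    host, _, port = hostport.partition(":")
    if "[" in host or "]" in host or not _REG_NAME.match(host):
        return False, None, "host contains characters outside RFC 3986 reg-name"
    if port and not port.isdigit():
        return False, None, "port is not numeric"
    return True, host, "registered name"


if __name__ == "__main__":
    # Constructed sample URLs: the last three are the shapes that produce
    # differential parsing between Python and other URL parsers.
    for sample in (
        "http://[::1]:8080/path",
        "http://[v1.fe80::a]/",
        "https://user@example.com:443/",
        "http://[example.com]/",
        "http://[::1]example.com/",
        "http://example.com[::1]/",
    ):
        print(sample, "->", check_host(sample))
```

Use the returned `host` (not `urlsplit(url).hostname`) for any allow-list or same-origin decision, so the value you compare is the one a compliant parser would also see; the `reason` string is only for logging and intentionally differs between patched and unpatched interpreters.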
python3.11: bugfix
tongsuo: A vulnerability was found in OpenSSL. The security issue occurs in the POLY1305 MAC (message authentication code) implementation, which contains a bug that might corrupt the internal state of applications on the Windows 64 platform when running on newer X86_64 processors supporting the AVX512-IFMA instructions. (CVE-2023-4807)
tongsuo: A flaw was found in OpenSSL, which caused the generation or checking of long X9.42 DH keys or parameters to be much slower than expected. This issue could lead to a denial of service. (CVE-2023-5678)
tongsuo: A flaw was found in OpenSSL. The optional ContentInfo fields can be set to null, even if the "type" is a valid value, which can lead to a null dereference error that may cause a denial of service. (CVE-2024-0727)
tongsuo: A flaw was found in OpenSSL. A malicious client can trigger uncontrolled memory consumption, resulting in a denial of service. This issue occurs because OpenSSL's TLSv1.3 session cache goes into an incorrect state, causing it to fail to flush properly as it fills. OpenSSL must be configured with the non-default SSL_OP_NO_TICKET option enabled to be vulnerable. This issue only affects TLSv1.3 servers; TLS clients are not affected. (CVE-2024-2511)
tongsuo: bugfix
Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
http://security.gd-linux.com/how_to_apply_patch.html
Remember the build tag is 7.02.01B6.
© 2004-2023 Guangdong ZTE NewStart Technology Co., Ltd. All rights reserved (www.gd-linux.com) 粤ICP备15061780号-2
National service hotline: 400-033-0108