安全公告详情

NS-SA-2025-0074

2025-05-28 09:42:10

简介

moderate: cloud-init/python3.11 security update

严重级别

moderate

主题

An update for cloud-init/python3.11 is now available for NewStart CGSL MAIN 7.02.
NewStart Security has rated this update as having a security impact of moderate. A Common Vunlnerability Scoring System(CVSS)base score, which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.

详细描述

cloud-init:
python3.11:


Security Fix(es):
cloud-init: A vulnerability was found in cloud-init. With this flaw, sensitive data could be exposed in world-readable cloud-init logs when schema failures are reported. This issue leak could include hashed passwords.(CVE-2022-2084)
cloud-init: bugfix
python3.11: A vulnerability was found in Python. A defect was discovered in the Python “ssl” module where there is a memory race condition with the ssl.SSLContext methods “cert_store_stats()” and “get_ca_certs()”. The race condition can be triggered if the methods are called at the same time that certificates are loaded into the SSLContext, such as during the TLS handshake with a configured certificate director(CVE-2024-0397)
python3.11: A flaw was found in Python. The ipaddress module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as “globally reachable” or “private”. Due to this issue, it is possible that values will not be returned in accordance with the latest information from the IANA Special-Purpose Address Registries(CVE-2024-4032)
python3.11: A regular expression denial of service (ReDos) vulnerability was found in Python's tarfile module. Due to excessive backtracking while tarfile parses headers, an attacker may be able to trigger a denial of service via a specially crafted tar archive(CVE-2024-6232)
python3.11: A flaw was found in the `http.cookies` module in the Python package. When parsing cookies that contain backslashes, under certain circumstances, the module uses an algorithm with quadratic complexity, leading to excessive CPU consumpti(CVE-2024-7592)
python3.11: A vulnerability has been found in the Python `venv` module and CLI. Path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment "activation" scripts, for example, "source venv/bin/activate". This flaw allows attacker-controlled virtual environments to run commands when the virtual environment is activated(CVE-2024-9287)
python3.11: bugfix


Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
http://security.gd-linux.com/how_to_apply_patch.html
Remember the build tag is 7.02.02B7.

影响组件

  • cloud-init
  • python3.11

影响产品

  • CGSL MAIN 7.02

更新包

{"fix":[{"product":"CGSL MAIN 7.02","pkgs":[{"binary":["cloud-init-19.1.17-3.zncgsl7.6.noarch.rpm"],"source":"cloud-init-19.1.17-3.zncgsl7.6.src.rpm"},{"binary":["python3-3.11.6-2.zncgsl7.10.x86_64.rpm","python3-devel-3.11.6-2.zncgsl7.10.x86_64.rpm","python3-libs-3.11.6-2.zncgsl7.10.x86_64.rpm","python3-tkinter-3.11.6-2.zncgsl7.10.x86_64.rpm","python-unversioned-command-3.11.6-2.zncgsl7.10.noarch.rpm"],"source":"python3.11-3.11.6-2.zncgsl7.10.src.rpm"}]}]}
CGSL MAIN 7.02
  • cloud-init-19.1.17-3.zncgsl7.6.src.rpm
    • cloud-init-19.1.17-3.zncgsl7.6.noarch.rpm
  • python3.11-3.11.6-2.zncgsl7.10.src.rpm
    • python3-3.11.6-2.zncgsl7.10.x86_64.rpm
    • python3-devel-3.11.6-2.zncgsl7.10.x86_64.rpm
    • python3-libs-3.11.6-2.zncgsl7.10.x86_64.rpm
    • python3-tkinter-3.11.6-2.zncgsl7.10.x86_64.rpm
    • python-unversioned-command-3.11.6-2.zncgsl7.10.noarch.rpm

CVE

参考

© 2004-2023 广东中兴新支点技术有限公司 版权所有 (www.gd-linux.com) 粤ICP备15061780号-2

全国服务热线:400-033-0108