Advisories » MGASA-2024-0096

Updated python3, python packages fix security vulnerabilities

Publication date: 28 Mar 2024
Modification date: 28 Mar 2024
Type: security
Affected Mageia releases : 9
CVE: CVE-2023-6597 , CVE-2024-0450

Description

The tempfile.TemporaryDirectory class would dereference symlinks during
cleanup of permissions-related errors. This means users which can run
privileged programs are potentially able to modify permissions of files
referenced by symlinks in some circumstances. (CVE-2023-6597)
The zipfile module is vulnerable to “quoted-overlap” zip-bombs which
exploit the zip format to create a zip-bomb with a high compression
ratio. The fixed versions of CPython makes the zipfile module reject zip
archives which overlap entries in the archive. (CVE-2024-0450)
                

References

SRPMS

9/core