Updated python3, python packages fix security vulnerabilities
Publication date: 28 Mar 2024Modification date: 28 Mar 2024
Type: security
Affected Mageia releases : 9
CVE: CVE-2023-6597 , CVE-2024-0450
Description
The tempfile.TemporaryDirectory class would dereference symlinks during cleanup of permissions-related errors. This means users which can run privileged programs are potentially able to modify permissions of files referenced by symlinks in some circumstances. (CVE-2023-6597) The zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive. (CVE-2024-0450)
References
SRPMS
9/core
- python3-3.10.11-1.2.mga9
- python-2.7.18-15.2.mga9