Navigation
Recherche
|
Python announces first security releases since becoming a CNA
mercredi 20 mars 2024, 17:42 , par LWN.net
The Python project has announced three security releases, 3.10.14,
3.9.19, and 3.8.19. In addition to the security fixes, these releases are notable for two reasons; they are the first to make use of GitHub Actions to perform public builds instead of building artifacts 'on a local computer of one of the release managers', and the first since Python became a CVE Numbering Authority (CNA). Python release team member Łukasz Langa said that being a CNA means Python is able to 'ensure the quality of the vulnerability reports is high, and that the severity estimates are accurate.' It also allows Python to coordinate CVE announcements with the patched versions of Python, as it has with two CVEs addressed in these releases. CVE-2023-6597 CVE-2024-0450 describes a flaw in CPython's zipfile module that made it vulnerable to a zip-bomb exploit. CVE-2024-0450 CVE-2023-6597 is an issue with Python's tempfile.TemporaryDirectory class which could be exploited to modify permissions of files referenced by symbolic links. Users of affected versions should upgrade soon.
https://lwn.net/Articles/966056/
|
56 sources (32 en français)
Date Actuelle
ven. 22 nov. - 06:15 CET
|