Python announces first security releases since becoming a CNA
Date:
Wed, 20 Mar 2024 16:42:32 +0000
Description:
The Python project has announced three security releases: 3.10.14, 3.9.19, and 3.8.19. In addition to the security fixes, these releases are notable for two reasons: they are the first to use GitHub Actions to perform public builds instead of building artifacts "on a local computer of one of the release managers", and the first since Python became a CVE Numbering Authority (CNA). Python release team member Łukasz Langa said that being a CNA means Python is able to "ensure the quality of the vulnerability reports is high, and that the severity estimates are accurate." It also allows Python to coordinate CVE announcements with the patched versions of Python, as it has with two CVEs addressed in these releases. CVE-2023-6597 describes a flaw in CPython's zipfile module that made it vulnerable to a zip-bomb exploit. CVE-2024-0450 is an issue with Python's tempfile.TemporaryDirectory class which could be exploited to modify permissions of files referenced by symbolic links. Users of affected versions should upgrade soon.
======================================================================
Link to news story:
https://lwn.net/Articles/966056/
--- Mystic BBS v1.12 A47 (Linux/64)
* Origin: tqwNet UK HUB @ hub.uk.erb.pw (1337:1/100)