Opened 9 months ago

Closed 9 months ago

Last modified 9 months ago

#21677 closed enhancement (fixed)

python3-3.13.4 (Wait for LFS)

Reported by: Bruce Dubbs Owned by: Douglas R. Reno
Priority: high Milestone: 12.4
Component: BOOK Version: git
Severity: normal Keywords:
Cc:

Description

New point version.

Change History (8)

comment:1 by Xi Ruoyao, 9 months ago

Security content in this release:

  • gh-135034: [CVE 2024-12718] [CVE 2025-4138] [CVE 2025-4330] [CVE 2025-4517] Fixes multiple issues that allowed tarfile extraction filters (filter="data" and filter="tar") to be bypassed using crafted symlinks and hard links.
  • gh-133767: Fix use-after-free in the “unicode-escape” decoder with a non-“strict” error handler.
  • gh-128840: Short-circuit the processing of long IPv6 addresses early in ipaddress to prevent excessive memory consumption and a minor denial-of-service.

I don't know if our security patch has fixed all of these.

comment:2 by Douglas R. Reno, 9 months ago

The security patch doesn't fix those, it only fixes CVE-2025-4516 (which is the unicode-escape vulnerability).

comment:3 by Xi Ruoyao, 9 months ago

Priority: normal → elevated

:(

comment:4 by Douglas R. Reno, 9 months ago

Owner: changed from blfs-book to Douglas R. Reno
Status: new → assigned

comment:5 by Bruce Dubbs, 9 months ago

I'll have that in LFS in a couple of hours.

comment:6 by Douglas R. Reno, 9 months ago

Sounds good! I'll get it staged over here for when it's completed.

comment:7 by Douglas R. Reno, 9 months ago

Resolution: fixed
Status: assigned → closed

comment:8 by Douglas R. Reno, 9 months ago

Priority: elevated → high

SA-12.3-047 issued

Promoted to Highest due to one of the vulnerabilities being rated at 9.8.
