[USN-7488-1] Python vulnerabilities
John Breton
john.breton at canonical.com
Tue May 6 20:05:44 UTC 2025
==========================================================================
Ubuntu Security Notice USN-7488-1
May 06, 2025
python vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary:
Several security issues were fixed in Python.
Software Description:
- python3.13: An interactive high-level object-oriented language
- python2.7: An interactive high-level object-oriented language
- python3.11: An interactive high-level object-oriented language
- python3.9: An interactive high-level object-oriented language
- python3.6: An interactive high-level object-oriented language
- python3.7: An interactive high-level object-oriented language
- python3.8: An interactive high-level object-oriented language
- python3.4: An interactive high-level object-oriented language
Details:
It was discovered that Python incorrectly handled parsing bracketed hosts.
A remote attacker could possibly use this issue to perform a Server-Side
Request Forgery (SSRF) attack. This issue only affected python 2.7 and
python3.4 on Ubuntu 14.04 LTS; python2.7 on Ubuntu 16.04 LTS;
python2.7, python3.6, python3.7, and python3.8 on Ubuntu 18.04 LTS;
python2.7 and python3.9 on Ubuntu 20.04 LTS; and python2.7 and
python3.11 on Ubuntu 22.04 LTS. (CVE-2024-11168)
It was discovered that Python allowed excessive backtracking while
parsing certain tarfile headers. A remote attacker could possibly use
this issue to cause Python to consume excessive resources, leading to
a denial of service. This issue only affected python3.4 on
Ubuntu 14.04 LTS; python3.6, python3.7, and python3.8 on
Ubuntu 18.04 LTS; python3.9 on Ubuntu 20.04 LTS; and python3.11 on
Ubuntu 22.04 LTS. (CVE-2024-6232)
It was discovered that Python incorrectly handled quoted path names
when using the venv module. A local attacker able to control virtual
environments could possibly use this issue to execute arbitrary code
when the virtual environment is activated. This issue only affected
python3.4 on Ubuntu 14.04 LTS; python3.6, python3.7, and python3.8
on Ubuntu 18.04 LTS; python3.9 on Ubuntu 20.04 LTS; python3.11 on
Ubuntu 22.04 LTS; and python3.13 on Ubuntu 24.10. (CVE-2024-9287)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.10
python3.13 3.13.0-1ubuntu0.1
python3.13-minimal 3.13.0-1ubuntu0.1
python3.13-venv 3.13.0-1ubuntu0.1
Ubuntu 22.04 LTS
python2.7 2.7.18-13ubuntu1.5+esm5
Available with Ubuntu Pro
python2.7-minimal 2.7.18-13ubuntu1.5+esm5
Available with Ubuntu Pro
python3.11 3.11.0~rc1-1~22.04.1~esm2
Available with Ubuntu Pro
python3.11-minimal 3.11.0~rc1-1~22.04.1~esm2
Available with Ubuntu Pro
python3.11-venv 3.11.0~rc1-1~22.04.1~esm2
Available with Ubuntu Pro
Ubuntu 20.04 LTS
python2.7 2.7.18-1~20.04.7+esm6
Available with Ubuntu Pro
python2.7-minimal 2.7.18-1~20.04.7+esm6
Available with Ubuntu Pro
python3.9 3.9.5-3ubuntu0~20.04.1+esm3
Available with Ubuntu Pro
python3.9-minimal 3.9.5-3ubuntu0~20.04.1+esm3
Available with Ubuntu Pro
python3.9-venv 3.9.5-3ubuntu0~20.04.1+esm3
Available with Ubuntu Pro
Ubuntu 18.04 LTS
python2.7 2.7.17-1~18.04ubuntu1.13+esm10
Available with Ubuntu Pro
python2.7-minimal 2.7.17-1~18.04ubuntu1.13+esm10
Available with Ubuntu Pro
python3.6 3.6.9-1~18.04ubuntu1.13+esm3
Available with Ubuntu Pro
python3.6-minimal 3.6.9-1~18.04ubuntu1.13+esm3
Available with Ubuntu Pro
python3.6-venv 3.6.9-1~18.04ubuntu1.13+esm3
Available with Ubuntu Pro
python3.7 3.7.5-2ubuntu1~18.04.2+esm4
Available with Ubuntu Pro
python3.7-minimal 3.7.5-2ubuntu1~18.04.2+esm4
Available with Ubuntu Pro
python3.7-venv 3.7.5-2ubuntu1~18.04.2+esm4
Available with Ubuntu Pro
python3.8 3.8.0-3ubuntu1~18.04.2+esm3
Available with Ubuntu Pro
python3.8-minimal 3.8.0-3ubuntu1~18.04.2+esm3
Available with Ubuntu Pro
python3.8-venv 3.8.0-3ubuntu1~18.04.2+esm3
Available with Ubuntu Pro
Ubuntu 16.04 LTS
python2.7 2.7.12-1ubuntu0~16.04.18+esm15
Available with Ubuntu Pro
python2.7-minimal 2.7.12-1ubuntu0~16.04.18+esm15
Available with Ubuntu Pro
Ubuntu 14.04 LTS
python2.7 2.7.6-8ubuntu0.6+esm24
Available with Ubuntu Pro
python2.7-minimal 2.7.6-8ubuntu0.6+esm24
Available with Ubuntu Pro
python3.4 3.4.3-1ubuntu1~14.04.7+esm14
Available with Ubuntu Pro
python3.4-minimal 3.4.3-1ubuntu1~14.04.7+esm14
Available with Ubuntu Pro
python3.4-venv 3.4.3-1ubuntu1~14.04.7+esm14
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7488-1
CVE-2024-11168, CVE-2024-6232, CVE-2024-9287
Package Information:
https://launchpad.net/ubuntu/+source/python3.13/3.13.0-1ubuntu0.1
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 840 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20250506/62a0868c/attachment-0001.sig>
More information about the ubuntu-security-announce
mailing list