Ubuntu alert USN-7348-2 (python3.5, python3.8)
| From: | Fabian Toepfer <fabian.toepfer@canonical.com> | |
| To: | ubuntu-security-announce@lists.ubuntu.com | |
| Subject: | [USN-7348-2] Python regression | |
| Date: | Mon, 24 Mar 2025 23:04:07 +0100 | |
| Message-ID: | <799206a9-d1d0-480d-adeb-13ffdf02c4a5@canonical.com> |
========================================================================== Ubuntu Security Notice USN-7348-2 March 24, 2025 python3.5, python3.8 regression ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 20.04 LTS - Ubuntu 16.04 LTS - Ubuntu 14.04 LTS Summary: USN-7348-1 introduced a regression in Python. Software Description: - python3.8: An interactive high-level object-oriented language - python3.5: An interactive high-level object-oriented language Details: USN-7348-1 fixed vulnerabilities in Python. The update introduced a regression. This update fixes the problem. We apologize for the inconvenience. Original advisory details: It was discovered that the Python ipaddress module contained incorrect information about which IP address ranges were considered “private” or “globally reachable”. This could possibly result in applications applying incorrect security policies. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2024-4032) It was discovered that Python incorrectly handled quoting path names when using the venv module. A local attacker able to control virtual environments could possibly use this issue to execute arbitrary code when the virtual environment is activated. (CVE-2024-9287) It was discovered that Python incorrectly handled parsing bracketed hosts. A remote attacker could possibly use this issue to perform a Server-Side Request Forgery (SSRF) attack. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2024-11168) It was discovered that Python incorrectly handled parsing domain names that included square brackets. A remote attacker could possibly use this issue to perform a Server-Side Request Forgery (SSRF) attack. (CVE-2025-0938) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 20.04 LTS python3.8 3.8.10-0ubuntu1~20.04.18 python3.8-minimal 3.8.10-0ubuntu1~20.04.18 python3.8-venv 3.8.10-0ubuntu1~20.04.18 Ubuntu 16.04 LTS python3.5 3.5.2-2ubuntu0~16.04.13+esm18 Available with Ubuntu Pro python3.5-minimal 3.5.2-2ubuntu0~16.04.13+esm18 Available with Ubuntu Pro python3.5-venv 3.5.2-2ubuntu0~16.04.13+esm18 Available with Ubuntu Pro Ubuntu 14.04 LTS python3.5 3.5.2-2ubuntu0~16.04.4~14.04.1+esm6 Available with Ubuntu Pro python3.5-minimal 3.5.2-2ubuntu0~16.04.4~14.04.1+esm6 Available with Ubuntu Pro python3.5-venv 3.5.2-2ubuntu0~16.04.4~14.04.1+esm6 Available with Ubuntu Pro In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-7348-2 https://ubuntu.com/security/notices/USN-7348-1 CVE-2025-0938 Package Information: https://launchpad.net/ubuntu/+source/python3.8/3.8.10-0ub...
Attachment: OpenPGP_signature.asc (type=application/pgp-signature)
-----BEGIN PGP SIGNATURE----- wsF5BAABCAAjFiEE2WgtvmwmcgaEBLlnCAvK1QvD6SAFAmfh1tgFAwAAAAAACgkQCAvK1QvD6SDQ 3A/+JUT8Ro3ZbbM6Mv+SJydKz/DBX7xfUiwm7WHbYZtcc+fck922Mi7U1n6CGLK6rSv3LN1eFXKt RT8wpsQAnWcs6bp/e2ZjuWYcG5Ajr9iRaZmGr1aqgg3RUEFmlYvu4lh4rllfeNvYLhHFzbcR38c6 7XE4q9IfDaObv8eRBWjCqle8eAkSV5wix1+6pqC6VTXplkiJyrdy0tG8adA6kYlNwyCH18r2lqHC MG2GTI0QZz25QLIODqaay0BxNz5sudJQoBummBUErTj8HafRHJL8RUCi/hHN6TfahNGvJzB4KG1Z CEwf5NTRKr1X83FaJLKgLqpFfE0GkVwD0FUPw8/uGfLFsB0I7sAtHPH0JGJ9F+mE7yeyZhTNmosb nrPm3Z0YWbB1lqI7AAsjOOIqepY+4rWOK0Tzws3pGtc63uJOlN1IsTgUNDEfCS6p7UE66UiqQ5Jz T1sgkeRY9DU+PZW2kREcI/SkyBhx0m1ZtSgBZ9dljT/9f9rf4hxPDh20vx6cUTikmQ2EoF6r/h7U eLPrq3fA78uEJ3AgEpoK2slvM5OpbCy46pv4UKNBB+YtRsCa8l0hwvxZ6WctNjMaKg0KfezSH8Zb od1+c1Z1uOaJr0OS73Qv+H7fLru43vJ8GvgjJvyYlBpBd+/Clmp5cgskWBsl9aNJ8BIbrJ2cXSsr zxY= =/BmH -----END PGP SIGNATURE-----
Attachment: None (type=text/plain)