Gentoo update for Python, PyPy3

1) Improper input validation

EUVDB-ID: #VU88577

Risk: Medium

CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-6507

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote privileged user to manipulate data.

The vulnerability exists due to improper input validation within the Third Party (Python) component in Oracle Communications Cloud Native Core Network Data Analytics Function. A remote privileged user can exploit this vulnerability to manipulate data.

Mitigation

Update the affected packages.
dev-lang/python to version: 7.3.16
dev-python/pypy3 to version: 7.3.16

Vulnerable software versions

Gentoo Linux: All versions

dev-python/pypy3: before 7.3.16

dev-lang/python: before 7.3.16

CPE2.3

• cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
• cpe:2.3:a:gentoo:dev-python_pypy3:*:*:*:*:*:gentoo_linux:*:*
• cpe:2.3:a:gentoo:dev-lang_python:*:*:*:*:*:gentoo_linux:*:*

External links

https://security.gentoo.org/glsa/202405-01

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) UNIX symbolic link following

EUVDB-ID: #VU87185

Risk: Low

CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2023-6597

CWE-ID: CWE-61 - UNIX Symbolic Link (Symlink) Following

Exploit availability: No

Description

The vulnerability allows a local user to delete arbitrary files on the system.

The vulnerability exists due to a symlink following issue during cleanup when handling temporary files. A local user can create a specially crafted symbolic link to a critical file on the system and delete it.

Mitigation

Update the affected packages.
dev-lang/python to version: 7.3.16
dev-python/pypy3 to version: 7.3.16

Vulnerable software versions

Gentoo Linux: All versions

dev-python/pypy3: before 7.3.16

dev-lang/python: before 7.3.16

CPE2.3

• cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
• cpe:2.3:a:gentoo:dev-python_pypy3:*:*:*:*:*:gentoo_linux:*:*
• cpe:2.3:a:gentoo:dev-lang_python:*:*:*:*:*:gentoo_linux:*:*

External links

https://security.gentoo.org/glsa/202405-01

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Input validation error

EUVDB-ID: #VU72618

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-24329

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented filters.

The vulnerability exists due to insufficient validation of URLs that start with blank characters within urllib.parse component of Python. A remote attacker can pass specially crafted URL to bypass existing filters.

Mitigation

Update the affected packages.
dev-lang/python to version: 7.3.16
dev-python/pypy3 to version: 7.3.16

Vulnerable software versions

Gentoo Linux: All versions

dev-python/pypy3: before 7.3.16

dev-lang/python: before 7.3.16

CPE2.3

• cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
• cpe:2.3:a:gentoo:dev-python_pypy3:*:*:*:*:*:gentoo_linux:*:*
• cpe:2.3:a:gentoo:dev-lang_python:*:*:*:*:*:gentoo_linux:*:*

External links

https://security.gentoo.org/glsa/202405-01

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Cleartext transmission of sensitive information

EUVDB-ID: #VU80228

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-40217

CWE-ID: CWE-319 - Cleartext Transmission of Sensitive Information

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to an error in ssl.SSLSocket implementation when handling TLS client authentication. A remote attacker can trick the application to send data unencrypted.

Mitigation

Update the affected packages.
dev-lang/python to version: 7.3.16
dev-python/pypy3 to version: 7.3.16

Vulnerable software versions

Gentoo Linux: All versions

dev-python/pypy3: before 7.3.16

dev-lang/python: before 7.3.16

CPE2.3

• cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
• cpe:2.3:a:gentoo:dev-python_pypy3:*:*:*:*:*:gentoo_linux:*:*
• cpe:2.3:a:gentoo:dev-lang_python:*:*:*:*:*:gentoo_linux:*:*

External links

https://security.gentoo.org/glsa/202405-01

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Path traversal

EUVDB-ID: #VU80585

Risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2023-41105

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences. A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.

Mitigation

Update the affected packages.
dev-lang/python to version: 7.3.16
dev-python/pypy3 to version: 7.3.16

Vulnerable software versions

Gentoo Linux: All versions

dev-python/pypy3: before 7.3.16

dev-lang/python: before 7.3.16

CPE2.3

• cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
• cpe:2.3:a:gentoo:dev-python_pypy3:*:*:*:*:*:gentoo_linux:*:*
• cpe:2.3:a:gentoo:dev-lang_python:*:*:*:*:*:gentoo_linux:*:*

External links

https://security.gentoo.org/glsa/202405-01

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Resource exhaustion

EUVDB-ID: #VU87685

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-0450

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to the zipfile module does not properly control consumption of internal resources when extracting files from a zip archive. A remote attacker can pass a specially crafted archive aka zip-bomb to the application, trigger resource exhaustion and perform a denial of service (DoS) attack.

Mitigation

Update the affected packages.
dev-lang/python to version: 7.3.16
dev-python/pypy3 to version: 7.3.16

Vulnerable software versions

Gentoo Linux: All versions

dev-python/pypy3: before 7.3.16

dev-lang/python: before 7.3.16

CPE2.3

• cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
• cpe:2.3:a:gentoo:dev-python_pypy3:*:*:*:*:*:gentoo_linux:*:*
• cpe:2.3:a:gentoo:dev-lang_python:*:*:*:*:*:gentoo_linux:*:*

External links

https://security.gentoo.org/glsa/202405-01

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.