Anolis OS update for python39:3.9 module



Risk: High
Patch available: YES
Number of vulnerabilities: 2
CVE-ID: CVE-2025-47273, CVE-2025-8194
CWE-ID: CWE-22, CWE-835
Exploitation vector: Network
Public exploit: N/A
Vulnerable software

Anolis OS (Operating systems & Components / Operating system)

Operating system packages or components (Operating systems & Components / Operating system package or component): python39-setuptools-wheel, python39-setuptools, python39-rpm-macros, python39-tkinter, python39-test, python39-libs, python39-idle, python39-devel, python39-debug, python39, python39-pip-wheel, python39-pip, python39-idna, python39-psycopg2-tests, python39-psycopg2-doc, python39-psycopg2, python39-cryptography, python39-urllib3, python39-requests, python39-pytest, python39-scipy, python39-mod_wsgi, python39-numpy-doc, python39-numpy-f2py, python39-numpy, python39-wheel-wheel, python39-wheel, python39-wcwidth, python39-toml, python39-six, python39-pysocks, python39-pyparsing, python39-pycparser, python39-py, python39-ply, python39-pluggy, python39-packaging, python39-more-itertools, python39-iniconfig, python39-chardet, python39-attrs, python39-PyMySQL, python39-pyyaml, python39-pybind11-devel, python39-pybind11, python39-psutil, python39-lxml, python39-cffi, python39-Cython

Vendor: OpenAnolis

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Path traversal

EUVDB-ID: #VU109840

Risk: High

CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2025-47273

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to an input validation error when processing directory traversal sequences in package_index.py. A remote attacker can trick the victim into installing a specially crafted script and overwrite arbitrary files on the system, leading to code execution.
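The following is an added example, not code from this bulletin, from setuptools or from CPython: a defender-side pre-extraction check for the CWE-22 pattern described above. It rejects member names and link targets that contain directory traversal sequences before anything is written to disk, and it goes slightly beyond the setuptools case by also checking symlink and hard-link targets inside a tar archive. The destination directory, the sample archive and all function names are constructed for illustration.

```python
"""Added example (not code from the OpenAnolis bulletin, setuptools or CPython):
a defender-side check that rejects archive member names and link targets
containing directory traversal sequences (CWE-22) before anything is
written to disk. The destination directory and the sample archive are
constructed for illustration."""
import io
import os
import posixpath
import tarfile


class PathTraversalError(ValueError):
    """Raised when an untrusted name would resolve outside the destination."""


def safe_join(base_dir: str, member_name: str) -> str:
    """Return the absolute on-disk path for member_name under base_dir, or raise
    PathTraversalError if it would land outside base_dir.

    All checks run on the untrusted string before touching the filesystem:
      * absolute names ('/etc/passwd', 'C:/x') are rejected;
      * backslashes count as separators, so 'a\\..\\b' cannot be smuggled past
        a POSIX-only check;
      * after normalisation the path must not start with '..';
      * the resolved target (symlinks in an existing base included) must share
        its prefix with the resolved base, component-wise.
    """
    if not member_name:
        raise PathTraversalError("empty member name")
    name = member_name.replace("\\", "/")
    if posixpath.isabs(name) or (len(name) > 1 and name[1] == ":"):
        raise PathTraversalError(f"absolute path not allowed: {member_name!r}")
    norm = posixpath.normpath(name)
    if norm == ".." or norm.startswith("../"):
        raise PathTraversalError(f"traversal sequence in {member_name!r}")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, *norm.split("/")))
    # commonpath compares whole components, so '/opt/dest_evil' is not
    # mistaken for a child of '/opt/dest' the way a str.startswith check would.
    if os.path.commonpath([base, target]) != base:
        raise PathTraversalError(f"{member_name!r} escapes {base_dir!r}")
    return target


def is_safe(base_dir: str, member_name: str) -> bool:
    """Boolean wrapper around safe_join for filtering and tests."""
    try:
        safe_join(base_dir, member_name)
        return True
    except PathTraversalError:
        return False


def find_unsafe_members(archive: bytes, dest_dir: str) -> list:
    """Return the names of every member of an in-memory tar archive whose name
    or link target would escape dest_dir. Nothing is extracted."""
    unsafe = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:") as tar:
        for member in tar:
            if not is_safe(dest_dir, member.name):
                unsafe.append(member.name)
            elif member.issym():
                # A symlink target is resolved relative to the link's own
                # directory; an absolute target is rejected by safe_join.
                link = posixpath.join(posixpath.dirname(member.name), member.linkname)
                if not is_safe(dest_dir, link):
                    unsafe.append(member.name)
            elif member.islnk():
                # A hard link target is named relative to the archive root.
                if not is_safe(dest_dir, member.linkname):
                    unsafe.append(member.name)
    return unsafe


def build_sample_tar() -> bytes:
    """Constructed sample archive (not a real exploit artifact): two benign
    members plus two whose name or link target tries to escape."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in (("pkg/setup.cfg", b"[metadata]\n"),
                              ("pkg/../../escape.txt", b"x\n")):
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
        bad_link = tarfile.TarInfo("pkg/bad_link")
        bad_link.type = tarfile.SYMTYPE
        bad_link.linkname = "../../../etc/hosts"
        tar.addfile(bad_link)
        ok_link = tarfile.TarInfo("pkg/ok_link")
        ok_link.type = tarfile.SYMTYPE
        ok_link.linkname = "setup.cfg"
        tar.addfile(ok_link)
    return buf.getvalue()


if __name__ == "__main__":
    dest = "/tmp/dest"  # constructed destination; it does not need to exist
    print(find_unsafe_members(build_sample_tar(), dest))
```

Run stand-alone, the script prints the two offending member names ('pkg/../../escape.txt' and 'pkg/bad_link') while letting the benign file and the in-tree symlink through. The check is done on the name string first and on the resolved path second, so it catches both textual `..` sequences and pre-existing symlinks inside the destination that would redirect a write outside it.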

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 8

python39-setuptools-wheel: before 50.3.2-7

python39-setuptools: before 50.3.2-7

python39-rpm-macros: before 3.9.20-2.0.1

python39-tkinter: before 3.9.20-2.0.1

python39-test: before 3.9.20-2.0.1

python39-libs: before 3.9.20-2.0.1

python39-idle: before 3.9.20-2.0.1

python39-devel: before 3.9.20-2.0.1

python39-debug: before 3.9.20-2.0.1

python39: before 3.9.20-2.0.1

python39-pip-wheel: before 20.2.4-9

python39-pip: before 20.2.4-9

python39-idna: before 2.10-4

python39-psycopg2-tests: before 2.8.6-3.0.1

python39-psycopg2-doc: before 2.8.6-3.0.1

python39-psycopg2: before 2.8.6-3.0.1

python39-cryptography: before 3.3.1-3

python39-urllib3: before 1.25.10-5

python39-requests: before 2.25.0-3

python39-pytest: before 6.0.2-2.0.1

python39-scipy: before 1.5.4-5.0.1

python39-mod_wsgi: before 4.7.1-7

python39-numpy-doc: before 1.19.4-3.0.1

python39-numpy-f2py: before 1.19.4-3.0.1

python39-numpy: before 1.19.4-3.0.1

python39-wheel-wheel: before 0.35.1-4

python39-wheel: before 0.35.1-4

python39-wcwidth: before 0.2.5-3

python39-toml: before 0.10.1-5

python39-six: before 1.15.0-3

python39-pysocks: before 1.7.1-4

python39-pyparsing: before 2.4.7-5

python39-pycparser: before 2.20-3

python39-py: before 1.10.0-1

python39-ply: before 3.11-10

python39-pluggy: before 0.13.1-3

python39-packaging: before 20.4-4

python39-more-itertools: before 8.5.0-2

python39-iniconfig: before 1.1.1-2

python39-chardet: before 3.0.4-19

python39-attrs: before 20.3.0-2

python39-PyMySQL: before 0.10.1-2

python39-pyyaml: before 5.4.1-1

python39-pybind11-devel: before 2.7.1-1

python39-pybind11: before 2.7.1-1

python39-psutil: before 5.8.0-4.0.1

python39-lxml: before 4.6.5-1

python39-cffi: before 1.14.3-2

python39-Cython: before 0.29.21-5

External links

https://anas.openanolis.cn/errata/detail/ANSA-2025:0618


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Infinite loop

EUVDB-ID: #VU113738

Risk: Medium

CVSSv4.0: 1.2 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-8194

CWE-ID: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to an infinite loop in the "tarfile" module when handling tar archives with negative offsets. A remote attacker can pass a specially crafted tar archive to the application and consume all available system resources, resulting in a deadlock and a denial of service.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 8

python39-setuptools-wheel: before 50.3.2-7

python39-setuptools: before 50.3.2-7

python39-rpm-macros: before 3.9.20-2.0.1

python39-tkinter: before 3.9.20-2.0.1

python39-test: before 3.9.20-2.0.1

python39-libs: before 3.9.20-2.0.1

python39-idle: before 3.9.20-2.0.1

python39-devel: before 3.9.20-2.0.1

python39-debug: before 3.9.20-2.0.1

python39: before 3.9.20-2.0.1

python39-pip-wheel: before 20.2.4-9

python39-pip: before 20.2.4-9

python39-idna: before 2.10-4

python39-psycopg2-tests: before 2.8.6-3.0.1

python39-psycopg2-doc: before 2.8.6-3.0.1

python39-psycopg2: before 2.8.6-3.0.1

python39-cryptography: before 3.3.1-3

python39-urllib3: before 1.25.10-5

python39-requests: before 2.25.0-3

python39-pytest: before 6.0.2-2.0.1

python39-scipy: before 1.5.4-5.0.1

python39-mod_wsgi: before 4.7.1-7

python39-numpy-doc: before 1.19.4-3.0.1

python39-numpy-f2py: before 1.19.4-3.0.1

python39-numpy: before 1.19.4-3.0.1

python39-wheel-wheel: before 0.35.1-4

python39-wheel: before 0.35.1-4

python39-wcwidth: before 0.2.5-3

python39-toml: before 0.10.1-5

python39-six: before 1.15.0-3

python39-pysocks: before 1.7.1-4

python39-pyparsing: before 2.4.7-5

python39-pycparser: before 2.20-3

python39-py: before 1.10.0-1

python39-ply: before 3.11-10

python39-pluggy: before 0.13.1-3

python39-packaging: before 20.4-4

python39-more-itertools: before 8.5.0-2

python39-iniconfig: before 1.1.1-2

python39-chardet: before 3.0.4-19

python39-attrs: before 20.3.0-2

python39-PyMySQL: before 0.10.1-2

python39-pyyaml: before 5.4.1-1

python39-pybind11-devel: before 2.7.1-1

python39-pybind11: before 2.7.1-1

python39-psutil: before 5.8.0-4.0.1

python39-lxml: before 4.6.5-1

python39-cffi: before 1.14.3-2

python39-Cython: before 0.29.21-5

External links

https://anas.openanolis.cn/errata/detail/ANSA-2025:0618


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.