Subj : Python announces first security releases since becoming a CNA
To   : All
From : LWN.net
Date : Wed Mar 20 2024 16:45:05

Python announces first security releases since becoming a CNA
Date: Wed, 20 Mar 2024 16:42:32 +0000

Description: The Python project has announced three security releases, 3.10.14, 3.9.19, and 3.8.19. In addition to the security fixes, these releases are notable for two reasons: they are the first to make use of GitHub Actions to perform public builds instead of building artifacts "on a local computer of one of the release managers", and the first since Python became a CVE Numbering Authority (CNA). Python release team member Łukasz Langa said that being a CNA means Python is able to "ensure the quality of the vulnerability reports is high, and that the severity estimates are accurate." It also allows Python to coordinate CVE announcements with the patched versions of Python, as it has with two CVEs addressed in these releases. CVE-2024-0450 describes a flaw in CPython's zipfile module that made it vulnerable to "quoted-overlap" zip bombs, archives whose central-directory entries point at overlapping compressed data so that a small file claims an enormous uncompressed size. CVE-2023-6597 is an issue in Python's tempfile.TemporaryDirectory class: while cleaning up after a permissions error it could follow symbolic links and so modify the permissions of the files they point to. Users of affected versions should upgrade soon.

======================================================================
Link to news story: https://lwn.net/Articles/966056/

--- Mystic BBS v1.12 A47 (Linux/64)
 * Origin: tqwNet UK HUB @ hub.uk.erb.pw (1337:1/100)
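The zipfile flaw mentioned in the story (central-directory entries whose compressed data overlaps) is easier to reason about with a concrete archive in hand. The following is an added example, written for this page; it is neither part of the LWN story nor CPython's own code. It constructs a "quoted-overlap" archive in memory, where extra central-directory entries alias the single real member, and implements a stand-alone check that flags members whose local-header-to-end-of-data spans collide with one another or run into the central directory. The member names (`00.bin`, `01.bin`, ...), the zero-filled payload, and the helper names are assumptions made here for the demonstration.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"
EOCD_SIG = b"PK\x05\x06"
EOCD_FMT = "<4s4H2LH"   # end-of-central-directory record, 22 bytes


def _eocd(data: bytes):
    """Return (position, fields) of the end-of-central-directory record.

    fields: sig, disk, cd_disk, entries_here, entries_total, cd_size, cd_offset, comment_len
    """
    pos = data.rfind(EOCD_SIG)
    if pos < 0:
        raise zipfile.BadZipFile("no end-of-central-directory record")
    return pos, struct.unpack_from(EOCD_FMT, data, pos)


def build_clean_zip(members: dict) -> bytes:
    """Constructed control sample: an ordinary multi-member archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_overlap_zip(payload: bytes, n_aliases: int) -> bytes:
    """Constructed sample: a valid one-member archive whose central directory
    is rewritten so that n_aliases extra entries all point at the same local
    header and compressed data as the real member ("quoted overlap")."""
    data = build_clean_zip({"00.bin": payload})    # assumed member name, 6 bytes
    _, f = _eocd(data)
    cd_size, cd_off = f[5], f[6]
    record = data[cd_off:cd_off + cd_size]          # the single central-directory header
    name_len = struct.unpack_from("<H", record, 28)[0]
    assert name_len == 6                            # aliases must keep the same name length
    aliases = [record[:46] + f"{i:02d}.bin".encode() + record[46 + name_len:]
               for i in range(1, n_aliases + 1)]
    new_cd = record + b"".join(aliases)
    n = 1 + n_aliases
    new_eocd = struct.pack(EOCD_FMT, EOCD_SIG, 0, 0, n, n, len(new_cd), cd_off, 0)
    return data[:cd_off] + new_cd + new_eocd


def find_overlapping_entries(data: bytes) -> list:
    """Names of members whose [local header, end of compressed data) span
    collides with another member's span or runs into the central directory.
    Same idea as the CPython fix, but it parses the local headers itself, so
    the result does not depend on the interpreter being patched."""
    _, f = _eocd(data)
    cd_off = f[6]
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()                       # central directory only; no member is opened
    spans = []
    for zi in infos:
        off = zi.header_offset
        if data[off:off + 4] != LOCAL_SIG:
            raise zipfile.BadZipFile(f"bad local header for {zi.filename!r}")
        name_len, extra_len = struct.unpack_from("<HH", data, off + 26)
        end = off + 30 + name_len + extra_len + zi.compress_size
        spans.append((off, end, zi.filename))
    spans.sort()
    bad = set()
    for (s1, e1, n1), (s2, _, n2) in zip(spans, spans[1:]):
        if e1 > s2:                                 # this member's data runs into the next one
            bad.update((n1, n2))
    if spans and spans[-1][1] > cd_off:             # last member runs into the central directory
        bad.add(spans[-1][2])
    return sorted(bad)


def claimed_expansion(data: bytes) -> float:
    """Ratio of the uncompressed size the central directory promises to the
    archive's real size; aliased entries inflate it without adding bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return sum(zi.file_size for zi in zf.infolist()) / len(data)


if __name__ == "__main__":
    bomb = build_overlap_zip(b"\0" * 1_000_000, n_aliases=50)
    print(f"{len(bomb)} bytes on disk, claims {claimed_expansion(bomb):.0f}x expansion")
    print("overlapping members:", find_overlapping_entries(bomb))
```

On a CPython that carries the fix, `ZipFile.open()` on an aliased member raises `BadZipFile` with an "Overlapped entries" message; the scanner above does not rely on that, so it can be run over an untrusted archive before it is handed to an older interpreter or to another tool. It only measures the compressed data span and ignores a trailing data descriptor (general-purpose flag bit 3), which leaves a harmless gap rather than a false positive.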