Cloud Foundry Logo
blog single gear
Blog
Security Advisory

USN-6513-2: Python vulnerability

by: March 18, 2024

USN-6513-2: Python vulnerability

Severity

Medium

Vendor

Canonical Ubuntu

Versions Affected

  • Canonical Ubuntu 22.04

Description

USN-6513-1 fixed vulnerabilities in Python. This update provides the corresponding updates for Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 23.04. Original advisory details: It was discovered that Python incorrectly handled certain plist files. If a user or an automated system were tricked into processing a specially crafted plist file, an attacker could possibly use this issue to consume resources, resulting in a denial of service. (CVE-2022-48564) It was discovered that Python instances of ssl.SSLSocket were vulnerable to a bypass of the TLS handshake. An attacker could possibly use this issue to cause applications to treat unauthenticated received data before TLS handshake as authenticated data after TLS handshake. (CVE-2023-40217) Update Instructions: Run `sudo pro fix USN-6513-2` to fix the vulnerability. The problem can be corrected by updating your system to the following package versions: python3.8-minimal – 3.8.10-0ubuntu1~20.04.9 python3.8-full – 3.8.10-0ubuntu1~20.04.9 libpython3.8-minimal – 3.8.10-0ubuntu1~20.04.9 python3.8-examples – 3.8.10-0ubuntu1~20.04.9 python3.8-dev – 3.8.10-0ubuntu1~20.04.9 libpython3.8-dev – 3.8.10-0ubuntu1~20.04.9 python3.8-venv – 3.8.10-0ubuntu1~20.04.9 libpython3.8 – 3.8.10-0ubuntu1~20.04.9 idle-python3.8 – 3.8.10-0ubuntu1~20.04.9 libpython3.8-testsuite – 3.8.10-0ubuntu1~20.04.9 libpython3.8-stdlib – 3.8.10-0ubuntu1~20.04.9 python3.8 – 3.8.10-0ubuntu1~20.04.9 python3.8-doc – 3.8.10-0ubuntu1~20.04.9 No subscription required

CVEs contained in this USN include: CVE-2023-40217.

Affected Cloud Foundry Products and Versions

Severity is medium unless otherwise noted.

  • cflinuxfs4
    • All versions prior to 1.55.0
  • Jammy Stemcells
    • 1.x versions prior to 1.318
    • All other stemcells not listed.
  • CF Deployment
    • All versions with Jammy Stemcells prior to 1.318

Mitigation

Users of affected products are strongly encouraged to follow the mitigations below.

The Cloud Foundry project recommends upgrading the following releases:

  • cflinuxfs4
    • Upgrade all versions to 1.55.0 or greater
  • Jammy Stemcells
    • Upgrade 1.x versions to 1.318 or greater
    • All other stemcells should be upgraded to the latest version available on bosh.io.
  • CF Deployment
    • For all versions, upgrade Jammy Stemcells to 1.318 or greater

History

2024-03-18: Initial vulnerability report published.

Cloud Foundry Foundation Security Team Profile Image

Cloud Foundry Foundation Security Team, AUTHOR

SEE ALL ARTICLES

You Might Also Like

USN-6755-1: GNU cpio vulnerabilities
Security Advisory

USN-6755-1: GNU cpio vulnerabilities

by Cloud Foundry Foundation Security Team July 25, 2024
USN-3522-4: Linux kernel (Xenial HWE) regression
Security Advisory

USN-3522-4: Linux kernel (Xenial HWE) regression

by Cloud Foundry Foundation Security Team January 11, 2018
CVE-2016-4435 BOSH Agent Anonymous Endpoint
Security Advisory

CVE-2016-4435 BOSH Agent Anonymous Endpoint

by Cloud Foundry Foundation Security Team June 13, 2016
This website uses cookies to offer you a better browsing experience. Find out more about how we use cookies and how you can change your settings. Accept