Santiago R.R. pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
1d6373cd by Santiago Ruano Rincón at 2024-12-14T15:43:29-03:00
Clarify the status of CVE-2022-42919 in python3.7 and pypy3
As described in the notes, CVE-2022-42919 is present in python3.7, but
it is difficult to exploit. So <ignored> is more accurate and safer than
<not-affected>. Similar classification can be done to pypy3 for bullseye
and buster.
This change also includes the related pypy3 commit, than introduced and
fixed the issue.
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -179712,15 +179712,17 @@ CVE-2022-42919 (Python 3.9.x before 3.9.16 and
3.10.x before 3.10.9 on Linux all
- python3.10 3.10.8-2
- python3.9 <removed>
- python3.7 <removed>
- [buster] - python3.7 <not-affected> (Vulnerable functionality
backported later in 3.7.8)
+ [buster] - python3.7 <ignored> (The issue is complex to trigger before
3.7.8)
- python2.7 <not-affected> (Vulnerable code introduced later)
- pypy3 7.3.11+dfsg-1
- [bullseye] - pypy3 <not-affected> (Vulnerable functionality ported from
cpython later in 7.3.8)
- [buster] - pypy3 <not-affected> (Vulnerable code introduced later)
+ [bullseye] - pypy3 <ignored> (The issue is complex to trigger before
7.3.8)
+ [buster] - pypy3 <ignored> (The issue is complex to trigger before
7.3.8)
NOTE: https://github.com/python/cpython/issues/97514
NOTE:
https://github.com/python/cpython/commit/4686d77a04570a663164c03193d9def23c89b122
(3.11-branch)
NOTE:
https://github.com/python/cpython/commit/eae692eed18892309bcc25a2c0f8980038305ea2
(3.10-branch)
NOTE:
https://github.com/python/cpython/commit/b43496c01a554cf41ae654a0379efae18609ad39
(3.9-branch)
+ NOTE: Introduced in pypy3 by:
https://github.com/pypy/pypy/commit/0a83d30478b34c4efd9486dbf6ae8bdf9807f136
(release-pypy3.9-v7.3.8rc1)
+ NOTE: Fixed in pypy3 by:
https://github.com/pypy/pypy/commit/f2618dff16cc9ac06413633533b60b4f0a02aa0d
(release-pypy3.9-v7.3.10rc1)
NOTE: The patch for 3.9 and later only removes the default preference
for abstract sockets which
NOTE: prevents CVE-2022-42919. Versions 3.8.4 and 3.7.8 are not
vulnerable by default (but issue present)
NOTE: though users would need to make specific uncommon multiprocessing
API calls specifying their own
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1d6373cd8c66ff33de49abecd599b60936389bd3
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1d6373cd8c66ff33de49abecd599b60936389bd3
You're receiving this email because of your account on salsa.debian.org.
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
