There is a HIGH severity vulnerability affecting CPython.

Starting in Python 3.12.0, the
asyncio._SelectorSocketTransport.writelines() method did not "pause"
writing and signal the Protocol to drain the buffer to the wire once the
write buffer reached the "high-water mark". As a result, Protocols
would not periodically drain the write buffer, potentially leading to memory
exhaustion.

This vulnerability likely impacts a small number of users. To be affected, you
must be using Python 3.12.0 or later, on macOS or Linux, using the asyncio module
with protocols, and using the .writelines() method, which gained new
zero-copy-on-write behavior in Python 3.12.0 and later. Unless all of these
factors are true, your usage of Python is unaffected.

Please see the linked CVE ID for the latest information on affected
versions:

* https://www.cve.org/CVERecord?id=CVE-2024-12254
* https://github.com/python/cpython/pull/127656
_______________________________________________
Security-announce mailing list -- security-annou...@python.org
https://mail.python.org/mailman3/lists/security-announce.python.org/
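
A local self-check for the behaviour described above, added here as an example and not part of the advisory or of CPython: it sends more data than a constructed high-water mark through a socket pair whose peer never reads, then reports whether the transport called the Protocol's pause_writing(). The names FlowControlProbe, check, HIGH_WATER and CHUNKS are assumptions made for this example.

```python
import asyncio
import socket

HIGH_WATER = 64 * 1024         # constructed limit for this probe
CHUNKS = [b"x" * 65536] * 64   # 4 MiB of constructed data, far above HIGH_WATER


class FlowControlProbe(asyncio.Protocol):
    """Records whether the transport asked the protocol to pause writing."""

    def __init__(self):
        self.pause_calls = 0

    def pause_writing(self):
        self.pause_calls += 1


async def _probe(method):
    loop = asyncio.get_running_loop()
    # The peer end is never read, so everything past the kernel socket
    # buffer has to queue in the transport's user-space write buffer.
    ours, peer = socket.socketpair()
    transport, proto = await loop.create_connection(FlowControlProbe, sock=ours)
    try:
        transport.set_write_buffer_limits(high=HIGH_WATER)
        if method == "writelines":
            transport.writelines(CHUNKS)
        else:
            transport.write(b"".join(CHUNKS))
        return proto.pause_calls > 0, transport.get_write_buffer_size()
    finally:
        transport.abort()
        peer.close()
        await asyncio.sleep(0)  # let the loop run the transport's close callback


def check():
    """Return {method: (pause_writing_called, bytes_left_in_buffer)}."""
    return {m: asyncio.run(_probe(m)) for m in ("write", "writelines")}


if __name__ == "__main__":
    for method, (paused, buffered) in check().items():
        print(f"{method:10} paused={paused} buffered={buffered}")
```

A runtime that reports paused=False for writelines while the buffered byte count is above HIGH_WATER shows the missing flow-control signal; write() serves as the baseline that does signal.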