========================================================================== Ubuntu Security Notice USN-7348-2 March 24, 2025
python3.5, python3.8 regression ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 20.04 LTS - Ubuntu 16.04 LTS - Ubuntu 14.04 LTS Summary: USN-7348-1 introduced a regression in Python. Software Description: - python3.8: An interactive high-level object-oriented language - python3.5: An interactive high-level object-oriented language Details: USN-7348-1 fixed vulnerabilities in Python. The update introduced a regression. This update fixes the problem. We apologize for the inconvenience. Original advisory details: It was discovered that the Python ipaddress module contained incorrect information about which IP address ranges were considered “private” or “globally reachable”. This could possibly result in applications applying incorrect security policies. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2024-4032) It was discovered that Python incorrectly handled quoting path names when using the venv module. A local attacker able to control virtual environments could possibly use this issue to execute arbitrary code when the virtual environment is activated. (CVE-2024-9287) It was discovered that Python incorrectly handled parsing bracketed hosts. A remote attacker could possibly use this issue to perform a Server-Side Request Forgery (SSRF) attack. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2024-11168)It was discovered that Python incorrectly handled parsing domain names that
included square brackets. A remote attacker could possibly use this issue to perform a Server-Side Request Forgery (SSRF) attack. (CVE-2025-0938) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 20.04 LTS python3.8 3.8.10-0ubuntu1~20.04.18 python3.8-minimal 3.8.10-0ubuntu1~20.04.18 python3.8-venv 3.8.10-0ubuntu1~20.04.18 Ubuntu 16.04 LTS python3.5 3.5.2-2ubuntu0~16.04.13+esm18 Available with Ubuntu Pro python3.5-minimal 3.5.2-2ubuntu0~16.04.13+esm18 Available with Ubuntu Pro python3.5-venv 3.5.2-2ubuntu0~16.04.13+esm18 Available with Ubuntu Pro Ubuntu 14.04 LTS python3.5 3.5.2-2ubuntu0~16.04.4~14.04.1+esm6 Available with Ubuntu Pro python3.5-minimal 3.5.2-2ubuntu0~16.04.4~14.04.1+esm6 Available with Ubuntu Pro python3.5-venv 3.5.2-2ubuntu0~16.04.4~14.04.1+esm6 Available with Ubuntu Pro In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-7348-2 https://ubuntu.com/security/notices/USN-7348-1 CVE-2025-0938 Package Information: https://launchpad.net/ubuntu/+source/python3.8/3.8.10-0ubuntu1~20.04.18
OpenPGP_signature.asc
Description: OpenPGP digital signature
