========================================================================== Ubuntu Security Notice USN-7488-1 May 06, 2025
python vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 24.10 - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS - Ubuntu 16.04 LTS - Ubuntu 14.04 LTS Summary: Several security issues were fixed in Python. Software Description: - python3.13: An interactive high-level object-oriented language - python2.7: An interactive high-level object-oriented language - python3.11: An interactive high-level object-oriented language - python3.9: An interactive high-level object-oriented language - python3.6: An interactive high-level object-oriented language - python3.7: An interactive high-level object-oriented language - python3.8: An interactive high-level object-oriented language - python3.4: An interactive high-level object-oriented language Details: It was discovered that Python incorrectly handled parsing bracketed hosts. A remote attacker could possibly use this issue to perform a Server-Side Request Forgery (SSRF) attack. This issue only affected python 2.7 and python3.4 on Ubuntu 14.04 LTS; python2.7 on Ubuntu 16.04 LTS; python2.7, python3.6, python3.7, and python3.8 on Ubuntu 18.04 LTS; python2.7 and python3.9 on Ubuntu 20.04 LTS; and python2.7 and python3.11 on Ubuntu 22.04 LTS. (CVE-2024-11168) It was discovered that Python allowed excessive backtracking while parsing certain tarfile headers. A remote attacker could possibly use this issue to cause Python to consume excessive resources, leading to a denial of service. This issue only affected python3.4 on Ubuntu 14.04 LTS; python3.6, python3.7, and python3.8 on Ubuntu 18.04 LTS; python3.9 on Ubuntu 20.04 LTS; and python3.11 on Ubuntu 22.04 LTS. (CVE-2024-6232) It was discovered that Python incorrectly handled quoted path names when using the venv module. A local attacker able to control virtual environments could possibly use this issue to execute arbitrary code when the virtual environment is activated. This issue only affected python3.4 on Ubuntu 14.04 LTS; python3.6, python3.7, and python3.8 on Ubuntu 18.04 LTS; python3.9 on Ubuntu 20.04 LTS; python3.11 on Ubuntu 22.04 LTS; and python3.13 on Ubuntu 24.10. (CVE-2024-9287) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 24.10 python3.13 3.13.0-1ubuntu0.1 python3.13-minimal 3.13.0-1ubuntu0.1 python3.13-venv 3.13.0-1ubuntu0.1 Ubuntu 22.04 LTS python2.7 2.7.18-13ubuntu1.5+esm5 Available with Ubuntu Pro python2.7-minimal 2.7.18-13ubuntu1.5+esm5 Available with Ubuntu Pro python3.11 3.11.0~rc1-1~22.04.1~esm2 Available with Ubuntu Pro python3.11-minimal 3.11.0~rc1-1~22.04.1~esm2 Available with Ubuntu Pro python3.11-venv 3.11.0~rc1-1~22.04.1~esm2 Available with Ubuntu Pro Ubuntu 20.04 LTS python2.7 2.7.18-1~20.04.7+esm6 Available with Ubuntu Pro python2.7-minimal 2.7.18-1~20.04.7+esm6 Available with Ubuntu Pro python3.9 3.9.5-3ubuntu0~20.04.1+esm3 Available with Ubuntu Pro python3.9-minimal 3.9.5-3ubuntu0~20.04.1+esm3 Available with Ubuntu Pro python3.9-venv 3.9.5-3ubuntu0~20.04.1+esm3 Available with Ubuntu Pro Ubuntu 18.04 LTS python2.7 2.7.17-1~18.04ubuntu1.13+esm10 Available with Ubuntu Pro python2.7-minimal 2.7.17-1~18.04ubuntu1.13+esm10 Available with Ubuntu Pro python3.6 3.6.9-1~18.04ubuntu1.13+esm3 Available with Ubuntu Pro python3.6-minimal 3.6.9-1~18.04ubuntu1.13+esm3 Available with Ubuntu Pro python3.6-venv 3.6.9-1~18.04ubuntu1.13+esm3 Available with Ubuntu Pro python3.7 3.7.5-2ubuntu1~18.04.2+esm4 Available with Ubuntu Pro python3.7-minimal 3.7.5-2ubuntu1~18.04.2+esm4 Available with Ubuntu Pro python3.7-venv 3.7.5-2ubuntu1~18.04.2+esm4 Available with Ubuntu Pro python3.8 3.8.0-3ubuntu1~18.04.2+esm3 Available with Ubuntu Pro python3.8-minimal 3.8.0-3ubuntu1~18.04.2+esm3 Available with Ubuntu Pro python3.8-venv 3.8.0-3ubuntu1~18.04.2+esm3 Available with Ubuntu Pro Ubuntu 16.04 LTS python2.7 2.7.12-1ubuntu0~16.04.18+esm15 Available with Ubuntu Pro python2.7-minimal 2.7.12-1ubuntu0~16.04.18+esm15 Available with Ubuntu Pro Ubuntu 14.04 LTS python2.7 2.7.6-8ubuntu0.6+esm24 Available with Ubuntu Pro python2.7-minimal 2.7.6-8ubuntu0.6+esm24 Available with Ubuntu Pro python3.4 3.4.3-1ubuntu1~14.04.7+esm14 Available with Ubuntu Pro python3.4-minimal 3.4.3-1ubuntu1~14.04.7+esm14 Available with Ubuntu Pro python3.4-venv 3.4.3-1ubuntu1~14.04.7+esm14 Available with Ubuntu Pro In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-7488-1 CVE-2024-11168, CVE-2024-6232, CVE-2024-9287 Package Information: https://launchpad.net/ubuntu/+source/python3.13/3.13.0-1ubuntu0.1
OpenPGP_signature.asc
Description: OpenPGP digital signature
