ALAS2023-2024-757

Amazon Linux 2023 Security Advisory: ALAS2023-2024-757
Advisory Released Date: 2024-11-14
Advisory Updated Date: 2024-11-14
Severity: Important
Issue Overview:

There is a MEDIUM severity vulnerability affecting CPython.

Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives. (CVE-2024-6232)


Affected Packages:

python3.11


Issue Correction:
Run dnf update python3.11 --releasever 2023.6.20241111 to update your system.

New Packages:
aarch64:
    python3.11-3.11.6-1.amzn2023.0.4.aarch64
    python3.11-devel-3.11.6-1.amzn2023.0.4.aarch64
    python3.11-tkinter-3.11.6-1.amzn2023.0.4.aarch64
    python3.11-debug-3.11.6-1.amzn2023.0.4.aarch64
    python3.11-idle-3.11.6-1.amzn2023.0.4.aarch64
    python3.11-debugsource-3.11.6-1.amzn2023.0.4.aarch64
    python3.11-debuginfo-3.11.6-1.amzn2023.0.4.aarch64
    python3.11-libs-3.11.6-1.amzn2023.0.4.aarch64
    python3.11-test-3.11.6-1.amzn2023.0.4.aarch64

src:
    python3.11-3.11.6-1.amzn2023.0.4.src

x86_64:
    python3.11-devel-3.11.6-1.amzn2023.0.4.x86_64
    python3.11-tkinter-3.11.6-1.amzn2023.0.4.x86_64
    python3.11-idle-3.11.6-1.amzn2023.0.4.x86_64
    python3.11-3.11.6-1.amzn2023.0.4.x86_64
    python3.11-debugsource-3.11.6-1.amzn2023.0.4.x86_64
    python3.11-debug-3.11.6-1.amzn2023.0.4.x86_64
    python3.11-debuginfo-3.11.6-1.amzn2023.0.4.x86_64
    python3.11-libs-3.11.6-1.amzn2023.0.4.x86_64
    python3.11-test-3.11.6-1.amzn2023.0.4.x86_64

Additional References

Release Notes:  Amazon Linux 2023 Release Notes

Red Hat: CVE-2024-6232

Mitre: CVE-2024-6232