USN-6513-2

It was discovered that Python incorrectly handled certain plist files. If a user or an automated system were tricked into processing a specially crafted plist file, an attacker could possibly use this issue to consume resources, resulting in a denial of service. (CVE-2022-48564)

It was discovered that Python instances of ssl.SSLSocket were vulnerable to a bypass of the TLS handshake. An attacker could possibly use this issue to cause applications to treat unauthenticated received data before TLS handshake as authenticated data after TLS handshake. (CVE-2023-40217)

References

Affected packages

Ubuntu:20.04:LTS / python3.8

Package

Name: python3.8
Purl: pkg:deb/ubuntu/python3.8@3.8.10-0ubuntu1~20.04.9?arch=source&distro=focal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.8.10-0ubuntu1~20.04.9

Affected versions

3.*

3.8.0-1

3.8.0-2

3.8.0-3

3.8.0-4

3.8.0-5

3.8.1-2ubuntu3

3.8.2~rc1-1ubuntu1

3.8.2-1

3.8.2-1ubuntu1

3.8.2-1ubuntu1.1

3.8.2-1ubuntu1.2

3.8.5-1~20.04

3.8.5-1~20.04.2

3.8.5-1~20.04.3

3.8.10-0ubuntu1~20.04

3.8.10-0ubuntu1~20.04.1

3.8.10-0ubuntu1~20.04.2

3.8.10-0ubuntu1~20.04.4

3.8.10-0ubuntu1~20.04.5

3.8.10-0ubuntu1~20.04.6

3.8.10-0ubuntu1~20.04.7

3.8.10-0ubuntu1~20.04.8

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "idle-python3.8",
            "binary_version": "3.8.10-0ubuntu1~20.04.9"
        },
        {
            "binary_name": "libpython3.8",
            "binary_version": "3.8.10-0ubuntu1~20.04.9"
        },
        {
            "binary_name": "libpython3.8-dev",
            "binary_version": "3.8.10-0ubuntu1~20.04.9"
        },
        {
            "binary_name": "libpython3.8-minimal",
            "binary_version": "3.8.10-0ubuntu1~20.04.9"
        },
        {
            "binary_name": "libpython3.8-stdlib",
            "binary_version": "3.8.10-0ubuntu1~20.04.9"
        },
        {
            "binary_name": "libpython3.8-testsuite",
            "binary_version": "3.8.10-0ubuntu1~20.04.9"
        },
        {
            "binary_name": "python3.8",
            "binary_version": "3.8.10-0ubuntu1~20.04.9"
        },
        {
            "binary_name": "python3.8-dev",
            "binary_version": "3.8.10-0ubuntu1~20.04.9"
        },
        {
            "binary_name": "python3.8-examples",
            "binary_version": "3.8.10-0ubuntu1~20.04.9"
        },
        {
            "binary_name": "python3.8-full",
            "binary_version": "3.8.10-0ubuntu1~20.04.9"
        },
        {
            "binary_name": "python3.8-minimal",
            "binary_version": "3.8.10-0ubuntu1~20.04.9"
        },
        {
            "binary_name": "python3.8-venv",
            "binary_version": "3.8.10-0ubuntu1~20.04.9"
        }
    ],
    "availability": "No subscription required"
}

Database specific

cves_map

{
    "ecosystem": "Ubuntu:20.04:LTS",
    "cves": [
        {
            "id": "CVE-2023-40217",
            "severity": [
                {
                    "type": "CVSS_V3",
                    "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
                },
                {
                    "type": "Ubuntu",
                    "score": "medium"
                }
            ]
        }
    ]
}

Ubuntu:22.04:LTS / python3.10

Package

Name: python3.10
Purl: pkg:deb/ubuntu/python3.10@3.10.12-1~22.04.3?arch=source&distro=jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.10.12-1~22.04.3

Affected versions

3.*

3.10.0-2

3.10.0-3

3.10.0-4

3.10.0-5

3.10.0-5build1

3.10.1-1

3.10.1-2

3.10.2-1

3.10.2-5

3.10.2-7

3.10.3-1

3.10.4-3

3.10.4-3ubuntu0.1

3.10.6-1~22.04

3.10.6-1~22.04.1

3.10.6-1~22.04.2

3.10.6-1~22.04.2ubuntu1

3.10.6-1~22.04.2ubuntu1.1

3.10.12-1~22.04.2

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "idle-python3.10",
            "binary_version": "3.10.12-1~22.04.3"
        },
        {
            "binary_name": "libpython3.10",
            "binary_version": "3.10.12-1~22.04.3"
        },
        {
            "binary_name": "libpython3.10-dev",
            "binary_version": "3.10.12-1~22.04.3"
        },
        {
            "binary_name": "libpython3.10-minimal",
            "binary_version": "3.10.12-1~22.04.3"
        },
        {
            "binary_name": "libpython3.10-stdlib",
            "binary_version": "3.10.12-1~22.04.3"
        },
        {
            "binary_name": "libpython3.10-testsuite",
            "binary_version": "3.10.12-1~22.04.3"
        },
        {
            "binary_name": "python3.10",
            "binary_version": "3.10.12-1~22.04.3"
        },
        {
            "binary_name": "python3.10-dev",
            "binary_version": "3.10.12-1~22.04.3"
        },
        {
            "binary_name": "python3.10-examples",
            "binary_version": "3.10.12-1~22.04.3"
        },
        {
            "binary_name": "python3.10-full",
            "binary_version": "3.10.12-1~22.04.3"
        },
        {
            "binary_name": "python3.10-minimal",
            "binary_version": "3.10.12-1~22.04.3"
        },
        {
            "binary_name": "python3.10-nopie",
            "binary_version": "3.10.12-1~22.04.3"
        },
        {
            "binary_name": "python3.10-venv",
            "binary_version": "3.10.12-1~22.04.3"
        }
    ],
    "availability": "No subscription required"
}

Database specific

cves_map

{
    "ecosystem": "Ubuntu:22.04:LTS",
    "cves": [
        {
            "id": "CVE-2023-40217",
            "severity": [
                {
                    "type": "CVSS_V3",
                    "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
                },
                {
                    "type": "Ubuntu",
                    "score": "medium"
                }
            ]
        }
    ]
}