Open Source Development

Power Open Source Development

Explore the open source tools and capabilities for building and deploying modern applications on IBM Power platforms including AIX, IBM i, and Linux.


#Power

  • 1.  Python2/3 Vulnerabilities

    Posted Thu November 02, 2023 03:26 PM

    Hi guys, in a recent vulnerability scan the following vulnerabilities were found.
    Could you help me with the questions on each vulnerability to determine the best course of action?

    • CVE-2023-38325 - CVSS 7.5 - High severity
      The cryptography package before 41.0.2 for Python mishandles SSH certificates that have critical options.
      Is there a plan to deliver a version 41.0.2 or newer in the near future?
      https://www.cve.org/CVERecord?id=CVE-2023-38325
    • CVE-2019-14859 - CVSS 9.1 - CRITICAL
      Is there a plan to support updates for python2 package ecdsa? (required version python-ecdsa-0.13.3).
      https://www.cve.org/CVERecord?id=CVE-2019-14859

    • CVE-2022-48564 - CVSS 6.5 - Medium
      Do you know if this vulnerability is present on the latest python 3 on toolbox (3.9.18)?
      I was not able to find accurate information.
      https://www.cve.org/CVERecord?id=CVE-2022-48564


    ------------------------------
    LUIS ABDEL AGUILAR JURADO
    ------------------------------

    #AIXOpenSource


  • 2.  RE: Python2/3 Vulnerabilities

    Posted Fri November 03, 2023 04:19 AM

    1) CVE-2023-38325 affects cryptography versions >=40.0.0. Toolbox version is 3.4.7. So it's not affected.

    2) Toolbox doesn't have a python-ecdsa package. It should be from a different source. Check "rpm -qi" output if it is through rpm.

    3) CVE-2022-48564 was already addressed in version 3.9.1 long back. https://docs.python.org/release/3.9.18/whatsnew/changelog.html#id103 (bpo-42103)



    ------------------------------
    Ayappan P
    ------------------------------
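A small triage helper, added here as an example and not part of either post, that encodes the version ranges stated in this thread (cryptography affected from 40.0.0 up to but not including 41.0.2; python-ecdsa fixed in 0.13.3; CPython fixed in 3.9.1) and checks a set of installed versions against them. It assumes plain dotted numeric version strings and that the installed inventory is supplied as a dict (for example, collected from `rpm -qa` output).

```python
"""Compare installed package versions against the CVE ranges from the thread.

Versions are compared as tuples of integers, so pre-release suffixes are not
handled (assumption: plain X.Y.Z strings such as those reported by rpm).
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    cve: str
    package: str
    introduced: Optional[str]  # first affected version; None = every earlier version
    fixed: str                 # first version that contains the fix


# Ranges as stated in the thread: affected when introduced <= v < fixed.
FINDINGS = [
    Finding("CVE-2023-38325", "cryptography", "40.0.0", "41.0.2"),
    Finding("CVE-2019-14859", "python-ecdsa", None, "0.13.3"),
    Finding("CVE-2022-48564", "python3", None, "3.9.1"),
]


def parse_version(v: str) -> Tuple[int, ...]:
    """'3.9.18' -> (3, 9, 18); tuples compare lexicographically."""
    return tuple(int(part) for part in v.split("."))


def is_affected(f: Finding, installed: str) -> bool:
    v = parse_version(installed)
    if f.introduced is not None and v < parse_version(f.introduced):
        return False  # older than the first vulnerable release
    return v < parse_version(f.fixed)


def triage(installed: Dict[str, str]) -> Dict[str, str]:
    """Map each CVE to 'affected', 'not affected' or 'not installed'."""
    verdicts = {}
    for f in FINDINGS:
        if f.package not in installed:
            verdicts[f.cve] = "not installed"
        elif is_affected(f, installed[f.package]):
            verdicts[f.cve] = "affected"
        else:
            verdicts[f.cve] = "not affected"
    return verdicts


if __name__ == "__main__":
    # Constructed sample inventory: the versions the replies say the Toolbox ships.
    for cve, verdict in triage({"cryptography": "3.4.7", "python3": "3.9.18"}).items():
        print(f"{cve}: {verdict}")
```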