INFSA-2024:10779: python3:3.6.8 security update
Information about definition
Identificator: INFSA-2024:10779
Type: security
Release date: 2025-06-26 17:56:16 UTC
Information about package
Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems.
Vulnerabilities description
- CVE-2024-9287
A vulnerability has been found in the Python venv module and CLI. Path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment "activation" scripts, for example, "source venv/bin/activate". This flaw allows attacker-controlled virtual environments to run commands when the virtual environment is activated.
- CVE-2024-11168
A flaw was found in Python. The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts ([]), allowing hosts that weren't IPv6 or IPvFuture compliant. This behavior was not conformant to RFC 3986 and was potentially vulnerable to server-side request forgery (SSRF) if a URL is processed by more than one URL parser.
Severity level
| CVE | Score CVSS 2.0 | Score CVSS 3.x | Score CVSS 4.0 |
|---|---|---|---|
|
NIST — CVE-2024-11168
|
no information | 3.7 | no information |
|
NIST — CVE-2024-9287
|
no information | 6.3 | no information |
Updated packages