An IT security alert update for a known vulnerability has been issued for Python. You can read here how affected users should respond.
The Federal Office for Information Security (BSI) published an update on May 20, 2024 to the Python security advisory first issued on September 18, 2018. The operating systems Linux, UNIX and Windows as well as the open source products Python, Debian Linux, Ubuntu Linux, SUSE Linux and F5 BIG-IP are affected by the security vulnerability.
The latest vendor recommendations for updates, workarounds and security patches for this vulnerability can be found here: F5 Security Advisory K000139691 (from May 20, 2024). Further helpful sources are listed later in this article.
Python Security Advisory – Risk: High
Risk level: 4 (high)
CVSS Base Score: 9.4
CVSS temporal score: 8.4
Remote attack: Yes
The Common Vulnerability Scoring System (CVSS) is used to assess the severity of vulnerabilities in computer systems. The CVSS standard makes it possible to compare potential or actual security risks based on various criteria in order to prioritize countermeasures. The ratings "none", "low", "medium", "high" and "critical" are used to express the severity of a vulnerability. The Base Score evaluates the prerequisites of an attack (including authentication, complexity, privileges and user interaction) and its consequences. Temporal scores additionally take into account changes in the risk situation over time. According to CVSS, the current vulnerability is rated "high" based on 9.4 points.
Python bug: Vulnerability allows arbitrary program code to be executed with service privileges
Python is a general-purpose, usually interpreted, high-level programming language.
A remote, anonymous attacker could exploit a vulnerability in Python to execute arbitrary code with service privileges.
Vulnerabilities are identified by a unique CVE (Common Vulnerabilities and Exposures) number. This vulnerability is tracked as CVE-2018-1000802.
Systems affected by the Python security vulnerability at a glance
Operating systems
Linux, UNIX, Windows
Products
Open Source Python 2.7 (cpe:/a:python:python)
Debian Linux (cpe:/o:debian:debian_linux)
Ubuntu Linux (cpe:/o:canonical:ubuntu_linux)
SUSE Linux (cpe:/o:suse:suse_linux)
F5 BIG-IP 17.1.0-17.1.1 (cpe:/a:f5:big-ip)
F5 BIG-IP 16.1.0-16.1.4 (cpe:/a:f5:big-ip)
F5 BIG-IP 15.1.0-15.1.10 (cpe:/a:f5:big-ip)
General steps for dealing with IT vulnerabilities
- Users of affected systems should keep them up to date. When security holes become known, vendors are expected to fix them quickly by releasing a patch or workaround. When new security updates are available, install them immediately.
- For information, see the sources listed in the next section. These often contain further details about the latest version of the software in question and the availability of security patches or recommended actions.
- If you have any further questions or uncertainties, please contact your responsible administrator. IT security officers should regularly check whether the vendors affected by this IT security alert provide a new security update.
Sources for updates, patches and workarounds
Here you will find links with information about bug reports, security fixes and workarounds.
F5 Security Advisory K000139691 from 2024-05-20 (20.05.2024)
SUSE Security Update SUSE-SU-2020:0302-1 from 2020-02-03 (03.02.2020)
SUSE Security Update SUSE-SU-2020:0234-1 from 2020-01-25 (26.01.2020)
SUSE Security Update SUSE-SU-2020:0114-1 from 2020-01-17 (16.01.2020)
SUSE Security Update SUSE-SU-2019:2053-2 from 2019-08-17 (18.08.2019)
SUSE Security Update SUSE-SU-2019:2053-1 from 2019-08-07 (06.08.2019)
SUSE Security Update SUSE-SU-2018:3554-2 from 2018-12-10 (10.12.2018)
Ubuntu Security Notice USN-3817-2 from 2018-11-15 (15.11.2018)
Ubuntu Security Notice USN-3817-1 from 2018-11-14 (13.11.2018)
SUSE Security Update SUSE-SU-2018:3554-1 from 2018-10-30 (29.10.2018)
SUSE Security Update SUSE-SU-2018:3002-1 from 2018-10-04 (04.10.2018)
Debian Security Advisory DSA-4306 from 2018-09-28 (27.09.2018)
National Vulnerability Database (NVD) from 2018-09-18 (18.09.2018)
Version history of this security alert
This is version 15 of this Python IT security notice. If further updates are announced, this document will be updated. You can see the changes made in the version history below.
18.09.2018 – Original release
18.09.2018 – Version not available
23.09.2018 – Additional references
27.09.2018 – New fix available
04.10.2018 – New fix available
29.10.2018 – New fix available
13.11.2018 – New fix available
15.11.2018 – New fix available
10.12.2018 – New fix available
06.08.2019 – New updates from SUSE added
18.08.2019 – New updates from SUSE added
16.01.2020 – New updates from SUSE added
26.01.2020 – New updates from SUSE added
03.02.2020 – New updates from SUSE added
20.05.2024 – New F5 updates added
+++ Editorial note: This document is based on current BSI data and will be updated depending on the status of the alert. We welcome suggestions and feedback at [email protected]. +++
kns/roj/news.de