Your message dated Thu, 12 Dec 2024 16:18:04 +0100
with message-id <[email protected]>
and subject line Re: Accepted python3.12 3.12.8-2 (source) into unstable
has caused the Debian Bug report #1089236,
regarding python3.12: CVE-2024-12254
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1089236: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1089236
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: python3.13
Version: 3.13.1-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/python/cpython/issues/127655
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: clone -1 -2
Control: reassign -2 src:python3.12 3.12.8-1
Control: retitle -2 python3.12: CVE-2024-12254
Hi,
The following vulnerability was published for python3.{12,13}.
CVE-2024-12254[0]:
| Starting in Python 3.12.0, the
| asyncio._SelectorSocketTransport.writelines() method would not
| "pause" writing and signal to the Protocol to drain the buffer to
| the wire once the write buffer reached the "high-water mark".
| Because of this, Protocols would not periodically drain the write
| buffer potentially leading to memory exhaustion. This
| vulnerability likely impacts a small number of users, you must be
| using Python 3.12.0 or later, on macOS or Linux, using the asyncio
| module with protocols, and using .writelines() method which had new
| zero-copy-on-write behavior in Python 3.12.0 and later. If not all
| of these factors are true then your usage of Python is unaffected.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-12254
https://www.cve.org/CVERecord?id=CVE-2024-12254
[1] https://github.com/python/cpython/issues/127655
[2] https://github.com/python/cpython/pull/127656
Regards,
Salvatore
--- End Message ---
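Added example, not part of the bug report or of CPython itself: a probe that checks whether the running interpreter's asyncio selector transport calls `pause_writing()` once `writelines()` pushes the write buffer past the high-water mark, which is exactly the signal the CVE text says was missing. A plain `write()` of the same data serves as the control case, since it has always honoured the limit. The `socketpair()` setup, the 64 KiB limit and the 8 MiB payload are constructed test values; the unread peer end makes the kernel buffer fill so that the transport has to queue data in user space.

```python
"""Probe asyncio transport flow control for the CVE-2024-12254 symptom."""
import asyncio
import socket

HIGH_WATER = 64 * 1024           # constructed: small limit so it is hit immediately
PAYLOAD = b"x" * (1024 * 1024)   # constructed: 1 MiB chunk
CHUNKS = 8                       # 8 MiB total, far more than an unread Unix socket absorbs


class RecordingProtocol(asyncio.Protocol):
    """Client protocol that only counts flow-control callbacks."""

    def __init__(self):
        self.paused = 0
        self.resumed = 0

    def pause_writing(self):
        self.paused += 1

    def resume_writing(self):
        self.resumed += 1


async def _probe(use_writelines: bool):
    # One end of a connected AF_UNIX pair is handed to asyncio; the other is
    # never read, so the kernel send buffer fills and the rest must be queued
    # by the transport, which is the situation where pause_writing() matters.
    ours, peer = socket.socketpair()
    loop = asyncio.get_running_loop()
    transport, proto = await loop.create_connection(RecordingProtocol, sock=ours)
    transport.set_write_buffer_limits(high=HIGH_WATER)
    try:
        if use_writelines:
            transport.writelines([PAYLOAD] * CHUNKS)
        else:
            transport.write(PAYLOAD * CHUNKS)
        # Flow control is signalled synchronously from write()/writelines(),
        # so the counts are meaningful right here, before any drain attempt.
        return proto.paused, transport.get_write_buffer_size()
    finally:
        transport.abort()
        await asyncio.sleep(0)   # let connection_lost() run and close the socket
        peer.close()


def probe_flow_control(use_writelines: bool):
    """Return (number of pause_writing() calls, bytes still queued in the transport)."""
    return asyncio.run(_probe(use_writelines))


def writelines_is_unpaused() -> bool:
    """True when writelines() leaves data queued above the high-water mark
    without ever calling pause_writing(): the CVE-2024-12254 behaviour."""
    paused, buffered = probe_flow_control(use_writelines=True)
    return buffered > HIGH_WATER and paused == 0


if __name__ == "__main__":
    for label, flag in (("write()", False), ("writelines()", True)):
        paused, buffered = probe_flow_control(flag)
        print(f"{label:13s} pause_writing calls={paused} queued={buffered} bytes")
    print("writelines() flow control missing:", writelines_is_unpaused())
```

On an unpatched 3.12.0 through 3.12.8 or 3.13.0 interpreter the `writelines()` row reports zero `pause_writing()` calls while several megabytes sit queued, so a protocol that relies on `pause_writing()` to stop producing would keep appending; on a fixed build (such as Debian's 3.12.8-2 above) both rows pause once. The probe reads the counts straight after the call because the transport signals flow control synchronously, before the event loop gets another turn.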
--- Begin Message ---
Source: python3.12
Source-Version: 3.12.8-2
On Thu, Dec 12, 2024 at 10:49:45AM +0000, Debian FTP Masters wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Format: 1.8
> Date: Thu, 12 Dec 2024 11:32:36 +0100
> Source: python3.12
> Architecture: source
> Version: 3.12.8-2
> Distribution: unstable
> Urgency: medium
> Maintainer: Matthias Klose <[email protected]>
> Changed-By: Matthias Klose <[email protected]>
> Changes:
> python3.12 (3.12.8-2) unstable; urgency=medium
> .
> * Update to the 3.12 branch 2024-12-12.
> - Fix issue #127655, CVE-2024-12254.
> * Add support for OpenSSL 3.4, issue #127330.
> Checksums-Sha1:
> 6743089eaafe00ab707ebdb024e21bc30ea55b43 4252 python3.12_3.12.8-2.dsc
> c54a35b6648a28e53420f75571794d824d43c503 270224
> python3.12_3.12.8-2.debian.tar.xz
> b18e0a575d921e29acee251571546dbb366fb41f 10676
> python3.12_3.12.8-2_source.buildinfo
> Checksums-Sha256:
> 0f941dc9acdda2ff4a3fc6904fb8cc4946702cc12d3941e650976641f27ca4ab 4252
> python3.12_3.12.8-2.dsc
> 499eb61fc152a78e1350e7257869cadaf34ef72c09d4dc89089aa97fc3179910 270224
> python3.12_3.12.8-2.debian.tar.xz
> 437d85d3878bd4b4933ecfe23dae3151e0e698e5514b17acc265ae19a353a742 10676
> python3.12_3.12.8-2_source.buildinfo
> Files:
> 2588b0e525d9f9948635e91cca5cce3e 4252 python optional python3.12_3.12.8-2.dsc
> 11c353af32db9d5832a6daffb0913f5f 270224 python optional
> python3.12_3.12.8-2.debian.tar.xz
> 4a738c1e968c2907252c2bfa01c1d746 10676 python optional
> python3.12_3.12.8-2_source.buildinfo
> -----BEGIN PGP SIGNATURE-----
>
> iQJEBAEBCgAuFiEE1WVxuIqLuvFAv2PWvX6qYHePpvUFAmdavAUQHGRva29AZGVi
> aWFuLm9yZwAKCRC9fqpgd4+m9Zr7EACslb3g3qP+f0BRNDIoXu3KIu9wl/OoI6WZ
> hRX2pNbfzn/X4+imjVSPYzGMClBwcVq4p88tgtuFApoIjpjs9MHB2kb2m6kf0p7i
> X/4xoLcx/TQTS7x8jJkEt9/IHyjQGVAtlug3GriZlBmutNxZ9b0lXGPNiEYH0Lrz
> H0GQxOG6vMDSxQ5r3ciSvPohCoeAqnTWa8OO3d5RiAuRaqWMRrB5vbit3a3Ym8hm
> 64VdlmnyEYQqCe8iU9bOFBp0AyvyN+g9SLojW1un5mwiwU1wzfWhgaUhmM8hi4uI
> KxIo1k5Al5m481u5yv5vGj0ycmmzKSB0USmUexzgF5kSfaDwRlNV6qRnjOgkOnJJ
> vGTy69v3PAz7FJ859onHh6zdxAfg5Rn63SEyKubcy+ehfWWvvD+8Rfo8rE+xbDp+
> HceFreAe9BUvUCp5jd4QHWmlEj1cwAaAQwMzmJdoCHuSbYtNqvzN2v82pZ3G5y2x
> nyD7lXH1zRvUHz4mOSoU9yknH+FdvY2NvPytEWFq+QnEan/lA1il8a+fukhbNMFP
> jd7GqmFRP5+qPiMK0YDJBbNp+LQJKsAU8HYIcSEX+VwXxLwIEDpqBaplvgkcNEhg
> id4LJl+kNTA2AvQCWZLX9JAls75uEfemugzyLnb26XJ56cjrDyNMsAD3HuaLyz3G
> 0PkzICLIRQ==
> =S1lg
> -----END PGP SIGNATURE-----
--- End Message ---