1. Forum
  2. Usenet
  3. LINUX.GENTOO.ANNOUNCE

  • [gentoo-announce] [ GLSA 202506-07 ] Python, PyPy: Multiple Vulnerabili

    From glsamaker@gentoo.org@21:1/5 to All on Thu Jun 12 11:00:01 2025
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Gentoo Linux Security Advisory GLSA 202506-07
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    https://security.gentoo.org/
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Severity: High
    Title: Python, PyPy: Multiple Vulnerabilities
    Date: June 12, 2025
    Bugs: #929045, #937124, #938432, #939206, #945845, #953493, #956682, #957088
    ID: 202506-07

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Synopsis
    ========

    Multiple vulberabilities have been discovered in Python and PyPy, the
    worst of which can lead to privilege escalation.

    Background
    ==========

    Python is an interpreted, interactive, object-oriented, cross-platform programming language.

    Affected packages
    =================

    Package Vulnerable Unaffected
    --------------- --------------------- ----------------------
    dev-lang/pypy < 3.10.7.3.19_p4:3.10 >= 3.10.7.3.19_p4:3.10
    < 3.11.7.3.19_p9:3.11 >= 3.11.7.3.19_p9:3.11
    dev-lang/python < 3.10.17_p1:3.10 >= 3.10.17_p1:3.10
    < 3.11.12_p1:3.11 >= 3.11.12_p1:3.11
    < 3.12.10_p1:3.12 >= 3.12.10_p1:3.12
    < 3.13.3_p1:3.13 >= 3.13.3_p1:3.13
    < 3.14.0_beta2:3.14 >= 3.14.0_beta2:3.14
    < 3.8.20_p7:3.8 >= 3.8.20_p7:3.8
    < 3.9.22_p1:3.9 >= 3.9.22_p1:3.9

    Description
    ===========

    Multiple vulnerabilities have been discovered in Python, PyPy3. Please
    review the CVE identifiers referenced below for details.

    Impact
    ======

    Please review the referenced CVE identifiers for details.

    Workaround
    ==========

    There is no known workaround at this time.

    Resolution
    ==========

    All Python, PyPy3 users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-lang/python-3.14.0_beta2:3.14"
    # emerge --ask --oneshot --verbose ">=dev-lang/python-3.13.3_p1:3.13"
    # emerge --ask --oneshot --verbose ">=dev-lang/python-3.12.10_p1:3.12"
    # emerge --ask --oneshot --verbose ">=dev-lang/python-3.11.12_p1:3.11"
    # emerge --ask --oneshot --verbose ">=dev-lang/python-3.10.17_p1:3.10"
    # emerge --ask --oneshot --verbose ">=dev-lang/python-3.9.22_p1:3.9"
    # emerge --ask --oneshot --verbose ">=dev-lang/python-3.8.20_p7:3.8"
    # emerge --ask --oneshot --verbose ">=dev-lang/pypy-3.10.7.3.19_p4:3.10"
    # emerge --ask --oneshot --verbose ">=dev-lang/pypy-3.11.7.3.19_p9:3.11"

    References
    ==========

    [ 1 ] CVE-2024-6232
    https://nvd.nist.gov/vuln/detail/CVE-2024-6232
    [ 2 ] CVE-2024-6923
    https://nvd.nist.gov/vuln/detail/CVE-2024-6923
    [ 3 ] CVE-2024-7592
    https://nvd.nist.gov/vuln/detail/CVE-2024-7592
    [ 4 ] CVE-2024-8088
    https://nvd.nist.gov/vuln/detail/CVE-2024-8088
    [ 5 ] CVE-2024-12718
    https://nvd.nist.gov/vuln/detail/CVE-2024-12718
    [ 6 ] CVE-2025-4138
    https://nvd.nist.gov/vuln/detail/CVE-2025-4138
    [ 7 ] CVE-2025-4330
    https://nvd.nist.gov/vuln/detail/CVE-2025-4330
    [ 8 ] CVE-2025-4516
    https://nvd.nist.gov/vuln/detail/CVE-2025-4516
    [ 9 ] CVE-2025-4517
    https://nvd.nist.gov/vuln/detail/CVE-2025-4517

    Availability
    ============

    This GLSA and any updates to it are available for viewing at
    the Gentoo Security Website:

    https://security.gentoo.org/glsa/202506-07

    Concerns?
    =========

    Security is a primary focus of Gentoo Linux and ensuring the
    confidentiality and security of our users' machines is of utmost
    importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

    License
    =======

    Copyright 2025 Gentoo Foundation, Inc; referenced text
    belongs to its owner(s).

    The contents of this document are licensed under the
    Creative Commons - Attribution / Share Alike license.

    https://creativecommons.org/licenses/by-sa/2.5
    -----BEGIN PGP SIGNATURE-----

    iQIzBAEBCgAdFiEEpqTA6ABLMxh/aChGFMQkOaVy+9kFAmhKlYcACgkQFMQkOaVy +9kk+w/9F2LrB8Khc/GEyYeF7IAzHzXz5mSvlhC6EZo1ORUFuHBdAtm+qXm9KVBi 2bvMFfEqXIIEGZnVCT9RvTQXkrd8ehQXKNDjC2/RWNuSfSa0S6YEPBPMHMMgo9jX GTww9rWcyJ6iRCF1xZT00jTqmHVlHNAhc7CKMd2Y+WSVp1HEe8wiaZ7jwZBB5r9e 6JEGkyeF9VpDEF8+aeMZQlVcGmvoasRxdnERxmMiRcetujr0R9T2GE8bf0bKikr0 8Gmo7m8w4nbOz0/RRFDjRx/z7vIrf1XohMOuW1B4OCTFE/ELfKOCPCy6ZXskcMUe 0A7Te4WXXr7Qdo2WIk8ogkSR8zfQxPsYK10M6lvNYMPbl/Oy2hQR207dYZVhmpbp w8z4RsK9yTgTPENDKSqqNhxbU14K9VfJG5QJBv200Y06lS8Shu+jUoMx1/le60x0 mgWeus1JiZPiXtqqJ5gF1nDMC+jgrnmqYc30qWgP7oZczBK9UPXFggm5SBXlh49o akzWK0X9YH0Fn8LJSwpFQP4KDMX9oPN6Eglty7hJuO2EM5IDiAiNBRUT560UrDEP Si902/JEm8ROdDKw/XqhyGKesrxEkrkoQr5gt/El8igkVjJbtLJSrB0Bo6kEDxJV TFHmsdlf4c9vzkrRyu2+UdlLEQg+jOatqlfFibSKO4b4vhj5ggI=
    =+oPS
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)