• [gentoo-announce] [ GLSA 202409-12 ] pypy, pypy3: Multiple Vulnerabilit

    From glsamaker@gentoo.org@21:1/5 to All on Sun Sep 22 09:10:01 2024
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Gentoo Linux Security Advisory GLSA 202409-12
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    https://security.gentoo.org/
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Severity: Normal
    Title: pypy, pypy3: Multiple Vulnerabilities
    Date: September 22, 2024
    Bugs: #741496, #741560, #774114, #782520
    ID: 202409-12

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Synopsis
    ========

    Multiple vulnerabilities have been discovered in pypy and pypy3, the
    worst of which could lead to arbitrary code execution.

    Background
    ==========

    A fast, compliant alternative implementation of the Python language.

    Affected packages
    =================

    Package                  Vulnerable          Unaffected
    -----------------------  ------------------  ------------------
    dev-python/pypy          < 7.3.3_p37_p1-r1   >= 7.3.3_p37_p1-r1
    dev-python/pypy-exe      < 7.3.2             >= 7.3.2
    dev-python/pypy-exe-bin  < 7.3.2             Vulnerable!
    dev-python/pypy3         < 7.3.3_p37_p1-r1   >= 7.3.3_p37_p1-r1

    Description
    ===========

    Multiple vulnerabilities have been discovered in pypy. Please review the
    CVE identifiers referenced below for details.

    Impact
    ======

    Please review the referenced CVE identifiers for details.

    Workaround
    ==========

    There is no known workaround at this time.

    Resolution
    ==========

    All pypy users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-python/pypy-7.3.3_p37_p1-r1"
    # emerge --ask --oneshot --verbose ">=dev-python/pypy-exe-7.3.2"
    # emerge --ask --oneshot --verbose ">=dev-python/pypy-exe-bin-7.3.2"

    All pypy3 users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-python/pypy3-7.3.3_p37_p1-r1"

    References
    ==========

    [ 1 ] CVE-2020-27619
    https://nvd.nist.gov/vuln/detail/CVE-2020-27619

    Availability
    ============

    This GLSA and any updates to it are available for viewing at
    the Gentoo Security Website:

    https://security.gentoo.org/glsa/202409-12

    Concerns?
    =========

    Security is a primary focus of Gentoo Linux and ensuring the
    confidentiality and security of our users' machines is of utmost
    importance to us. Any security concerns should be addressed to
    security@gentoo.org or alternatively, you may file a bug at
    https://bugs.gentoo.org.

    License
    =======

    Copyright 2024 Gentoo Foundation, Inc; referenced text
    belongs to its owner(s).

    The contents of this document are licensed under the
    Creative Commons - Attribution / Share Alike license.

    https://creativecommons.org/licenses/by-sa/2.5