Source: python3.13
Version: 3.13.1-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/python/cpython/issues/127655
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: clone -1 -2
Control: reassign -2 src:python3.12 3.12.8-1
Control: retitle -2 python3.12: CVE-2024-12254
Hi,
The following vulnerability was published for python3.{12,13}.
CVE-2024-12254[0]:
| Starting in Python 3.12.0, the
| asyncio._SelectorSocketTransport.writelines() method would not
| "pause" writing and signal to the Protocol to drain the buffer to
| the wire once the write buffer reached the "high-water mark".
| Because of this, Protocols would not periodically drain the write
| buffer potentially leading to memory exhaustion. This
| vulnerability likely impacts a small number of users, you must be
| using Python 3.12.0 or later, on macOS or Linux, using the asyncio
| module with protocols, and using .writelines() method which had new
| zero-copy-on-write behavior in Python 3.12.0 and later. If not all
| of these factors are true then your usage of Python is unaffected.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-12254
https://www.cve.org/CVERecord?id=CVE-2024-12254
[1] https://github.com/python/cpython/issues/127655
[2] https://github.com/python/cpython/pull/127656
Regards,
Salvatore