Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), under a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as entries are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2026-12003

Publication date:
16/06/2026
To allow builds of Python to be run from an in-tree layout (rather than an installed file layout), the VPATH variable is defined at build time and used to locate certain landmarks - specifically, Modules/setup.local. When this landmark is found relative to VPATH relative to the executable, Python assumes it is running in a source tree and generates a different default sys.path. This code remains in release builds, so that release-ready builds can be built in-tree.

On Windows, since builds are written to 'PCbuild/', the value of VPATH is set to '..\..', which results in a landmark of '..\..\Modules\setup.local'. This path is outside the install directory of Python, and may have different permissions, potentially allowing a low-privilege user to create the landmark and an alternative `Lib` folder that will be discovered by an otherwise restricted install.

Such a setup occurs with the legacy default install location for all users (in the now superseded EXE installer), due to how Windows allows all users to create folders in the root directory of their OS drive.

Our recommended mitigation on Windows is to migrate away from the legacy installer and use the new [Python install manager](https://www.python.org/downloads/latest/pymanager/) to install for the current user. Installs where the directory two levels above the Python installation directory has equivalent permissions are unaffected (in general, a per-user install cannot be modified at all by other users, removing any escalation of privilege risk, and could be directly modified by a privileged user, making the potential tampering irrelevant). Alternative mitigations might include preemptively creating and restricting access to a `Modules` directory. Be aware that only 3.13 and 3.14 will receive updated legacy installers - earlier fixes are only provided as sources.

Platforms other than Windows allow VPATH to be overridden, but as they don't usually use a separate directory in the build for binaries, they are unlikely to have a landmark reference outside of the install directory.

The landmark detection involving VPATH is a fallback for when a more specific landmark - .\pybuilddir.txt - is absent, and was included for compatibility. Future releases of Python will no longer include the fallback, and so builds will need to generate or preserve the pybuilddir.txt file in order to work in-tree. This landmark file has been generated on Windows since 3.11, and on other platforms for longer.
Severity CVSS v4.0: MEDIUM
Last modification:
16/06/2026

CVE-2025-71261

Publication date:
16/06/2026
An attacker with network-level access between the SUSE Virtualization and Rancher Manager in SUSE Harvester before 1.8.0 could interfere with the TLS handshake and abuse it to bypass TLS as a security control.
Severity CVSS v4.0: Pending analysis
Last modification:
16/06/2026

CVE-2026-10649

Publication date:
16/06/2026
A flaw was found in Pacemaker. An unauthenticated remote attacker can exploit an integer overflow vulnerability in the remote message decompression process. By sending a specially crafted compressed remote message before authentication, an attacker can cause memory corruption, leading to a denial of service (DoS) in the CIB remote listener. This can result in the affected service crashing.
Severity CVSS v4.0: Pending analysis
Last modification:
16/06/2026

CVE-2024-24909

Publication date:
16/06/2026
Dell OpenManage Integration with Microsoft Windows Admin Center contains a Remote Code Execution vulnerability in the gateway plugin. A remote authenticated user could potentially exploit this vulnerability to escalate privileges. The malicious user may gain the ability to run arbitrary code remotely. This is a high severity vulnerability, so Dell recommends that customers upgrade at the earliest opportunity.
Severity CVSS v4.0: Pending analysis
Last modification:
16/06/2026

CVE-2024-30476

Publication date:
16/06/2026
PowerStore contains a Stored Cross-Site Scripting Vulnerability in the PowerStore Manager. A remote authenticated low-privileged malicious actor could potentially exploit this vulnerability, leading to script execution in the client browser.
Severity CVSS v4.0: Pending analysis
Last modification:
16/06/2026

CVE-2024-38487

Publication date:
16/06/2026
The api-gateway container running with root privilege would allow an attacker to escape the container and access the host system to perform unintended actions.
Severity CVSS v4.0: Pending analysis
Last modification:
16/06/2026

CVE-2024-22451

Publication date:
16/06/2026
Dell Peripheral Manager, versions from 1.5.1 to 1.7.2, contain an uncontrolled search path element vulnerability. An attacker could potentially exploit this vulnerability through preloading malicious executable, leading to arbitrary code execution.
Severity CVSS v4.0: Pending analysis
Last modification:
16/06/2026

CVE-2026-9307

Publication date:
16/06/2026
A sensitive information disclosure security issue exists within the affected CompactLogix controllers. The controller's web server exposes CIP Connection IDs on the diagnostics webpage, which are accessible to any unauthenticated user on the network. This information can be leveraged by an attacker to construct malicious packets, leading to Denial-of-Service.
Severity CVSS v4.0: MEDIUM
Last modification:
16/06/2026

CVE-2026-48780

Publication date:
16/06/2026
Forem is open source software for building communities. Prior to commit a2ab6d4, a maliciously crafted email address could allow an attacker to bypass domain allowlist or denylist restrictions and gain access to invite-only forem deployments. The issue is patched as of `a2ab6d4`. As a workaround, some SMTP servers and email delivery providers may drop or refuse to send maliciously crafted email addresses.
Severity CVSS v4.0: Pending analysis
Last modification:
16/06/2026

CVE-2026-47684

Publication date:
16/06/2026
Sync-in Server is a secure, open-source platform for file storage, sharing, collaboration, and syncing. Prior to version 2.3.0, the private IP blocklist regex used in the URL download feature does not match IPv4-mapped IPv6 addresses (e.g. ::ffff:127.0.0.1), allowing SSRF protection to be bypassed on dual-stack systems. Version 2.3.0 fixes the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
16/06/2026

CVE-2026-12398

Publication date:
16/06/2026
A command injection vulnerability was found in galaxy_ng. The do_git_checkout() function in the legacy role import API (v1) interpolates unsanitized git ref names (branch/tag names) into shell commands executed via subprocess.run() with shell=True. An authenticated user who controls a git repository can create a branch or tag with shell metacharacters in the name to achieve remote code execution on the pulp worker. The vulnerable endpoint is only reachable when GALAXY_ENABLE_LEGACY_ROLES is set to True, which is not the default configuration.
Severity CVSS v4.0: Pending analysis
Last modification:
16/06/2026

CVE-2026-10638

Publication date:
16/06/2026
subsys/net/ip/icmpv6.c reads the network interface from a net_pkt after that packet has been handed to net_try_send_data(). In icmpv6_handle_echo_request() and net_icmpv6_send_error(), the post-send statistics update calls net_pkt_iface(reply)/net_pkt_iface(pkt) on the just-sent packet. The send path (net_try_send_data - net_if_tx) unreferences and may free the packet back to its memory slab before returning — synchronously in the RX thread when no TX queue is configured (CONFIG_NET_TC_TX_COUNT == 0), and asynchronously the driver/L2 may already have freed it otherwise. net_pkt_iface() therefore dereferences a freed (and possibly reused) net_pkt; with CONFIG_NET_STATISTICS_PER_INTERFACE the stale iface pointer is further dereferenced and written through (iface->stats.icmp.sent++), turning the use-after-free read into a write through an attacker-influenceable pointer. The core stack already documents this hazard in net_core.c ("do not use pkt after that call") and caches iface before sending; the ICMPv6 callers did not. An unauthenticated remote attacker triggers the flaw simply by sending an ICMPv6 Echo Request (ping) or an IPv6 packet that elicits an ICMPv6 error (unknown next header, fragment reassembly timeout, destination unreachable), leading to denial of service via crash and potential memory corruption. Affected: Zephyr networking with CONFIG_NET_NATIVE_IPV6, roughly v4.2.0 through v4.4.0. The fix caches the interface pointer before sending and uses it for all statistics updates; the sibling commit 86e21665d46 fixes the identical bug in ICMPv4.
Severity CVSS v4.0: Pending analysis
Last modification:
16/06/2026