TencentOS Server 3: python3.12 (TSSA-2024:1116)

high Nessus Plugin ID 238738

Synopsis

The remote TencentOS Server 3 host is missing one or more security updates.

Description

The version of Tencent Linux installed on the remote TencentOS Server 3 host is prior to the tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the TSSA-2024:1116 advisory.

Package updates are available for TencentOS Server 3 that fix the following vulnerabilities:

CVE-2024-9287:
A vulnerability has been found in the CPython venv module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment activation scripts (i.e., source venv/bin/activate). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (i.e., ./venv/bin/python) are not affected.

CVE-2024-12254:
Starting in Python 3.12.0, the asyncio._SelectorSocketTransport.writelines() method would not pause writing and signal to the Protocol to drain the buffer to the wire once the write buffer reached the high-water mark. Because of this, Protocols would not periodically drain the write buffer, potentially leading to memory exhaustion.

This vulnerability likely impacts a small number of users: you must be using Python 3.12.0 or later, on macOS or Linux, using the asyncio module with protocols, and using the .writelines() method, which had new zero-copy-on-write behavior in Python 3.12.0 and later. If not all of these factors are true, then your usage of Python is unaffected.

Tenable has extracted the preceding description block directly from the Tencent Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://mirrors.tencent.com/tlinux/errata/tssa-20241116.xml

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9287

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-12254

Plugin Details

Severity: High

ID: 238738

File Name: tencentos_TSSA_2024_1116.nasl

Version: 1.1

Type: local

Published: 6/16/2025

Updated: 6/16/2025

Supported Sensors: Nessus

Vulnerability Information

CPE: cpe:/o:tencent:tencentos_server:3, p-cpe:/a:tencent:tencentos_server:python3.12

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/etc/os-release, Host/TencentOS/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 12/12/2024

Vulnerability Publication Date: 12/12/2024