Detections
Analytics

TencentOS Server 3: python39:3.9 (TSSA-2025:1001)

medium Nessus Plugin ID 284642

Synopsis

The remote TencentOS Server 3 host is missing one or more security updates.

Description

The version of Tencent Linux installed on the remote TencentOS Server 3 host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the TSSA-2025:1001 advisory.

 Package updates are available for TencentOS Server 3 that fix the following vulnerabilities:

 CVE-2024-5642:
 CPython 3.9 and earlier doesn't disallow configuring an empty list ([]) for SSLContext.set_npn_protocols() which is an invalid value for the underlying OpenSSL API. This results in a buffer over-read when NPN is used (see CVE-2024-5535 for OpenSSL). This vulnerability is of low severity due to NPN being not widely used and specifying an empty list likely being uncommon in-practice (typically a protocol name would be configured).

 CVE-2024-9287:
 A vulnerability has been found in the CPython venv module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment activation scripts (ie source venv/bin/activate). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie ./venv/bin/python) are not affected.

 CVE-2024-11168:
 The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts ([]), allowing hosts that weren't IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potentially enabled SSRF if a URL is processed by more than one URL parser.

 CVE-2025-0938:
 The Python standard library functions urllib.parse.urlsplit and urlparse accepted domain names that included square brackets which isn't valid according to RFC 3986. Square brackets are only meant to be used as delimiters for specifying IPv6 and IPvFuture hosts in URLs. This could result in differential parsing across the Python URL parser and other specification-compliant URL parsers.

 CVE-2025-4138:
 Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata.


 You are affected by this vulnerability if using the tarfilemodule to extract untrusted tar archives using TarFile.extractall()or TarFile.extract()using the filter=parameter with a value of dataor tar. See the tarfile extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter for more information.

 Note that for Python 3.14 or later the default value of filter=changed from no filtering to data, so if you are relying on this new default behavior then your usage is also affected.

 Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.

 CVE-2025-4330:
 Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata.


 You are affected by this vulnerability if using the tarfilemodule to extract untrusted tar archives using TarFile.extractall()or TarFile.extract()using the filter=parameter with a value of dataor tar. See the tarfile extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter for more information.

 Note that for Python 3.14 or later the default value of filter=changed from no filtering to data, so if you are relying on this new default behavior then your usage is also affected.

 Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.

 CVE-2025-4435:
 When using a TarFile.errorlevel = 0and extracting with a filter the documented behavior is that any filtered members would be skipped and not extracted. However the actual behavior of TarFile.errorlevel = 0in affected versions is that the member would still be extracted and not skipped.

 CVE-2025-4516:
 There is an issue in CPython when using bytes.decode(unicode_escape, error=ignore|replace). If you are not using the unicode_escape encoding or an error handler your usage is not affected. To work-around this issue you may stop using the error= handler and instead wrap the bytes.decode() call in a try-except catching the DecodeError.

 CVE-2025-4517:
 Allows arbitrary filesystem writes outside the extraction directory during extraction with filter=data.


 You are affected by this vulnerability if using the tarfilemodule to extract untrusted tar archives using TarFile.extractall()or TarFile.extract()using the filter=parameter with a value of dataor tar. See the tarfile extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter for more information.

 Note that for Python 3.14 or later the default value of filter=changed from no filtering to data, so if you are relying on this new default behavior then your usage is also affected.

 Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.

 CVE-2025-6069:
 The html.parser.HTMLParser class had worse-case quadratic complexity when processing certain crafted malformed inputs potentially leading to amplified denial-of-service.

 CVE-2025-6075:
 If the value passed to os.path.expandvars() is user-controlled a performance degradation is possible when expanding environment variables.

 CVE-2025-8291:
 The 'zipfile' module would not check the validity of the ZIP64 End of Central Directory (EOCD) Locator record offset value would not be used to locate the ZIP64 EOCD record, instead the ZIP64 EOCD record would be assumed to be the previous record in the ZIP archive. This could be abused to create ZIP archives that are handled differently by the 'zipfile' module compared to other ZIP implementations.


 Remediation maintains this behavior, but checks that the offset specified in the ZIP64 EOCD Locator record matches the expected value.

Tenable has extracted the preceding description block directly from the Tencent Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://mirrors.tencent.com/tlinux/errata/tssa-20251001.xml

Plugin Details

Severity: Medium

ID: 284642

File Name: tencentos_TSSA_2025_1001.nasl

Version: 1.1

Type: local

Published: 1/14/2026

Updated: 1/14/2026

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2024-9287

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.8

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 6.3

Threat Score: 1.7

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N

CVSS Score Source: CVE-2025-0938

Vulnerability Information

CPE: p-cpe:/a:tencent:tencentos_server:python-psycopg2, p-cpe:/a:tencent:tencentos_server:pyyaml, p-cpe:/a:tencent:tencentos_server:python-pysocks, p-cpe:/a:tencent:tencentos_server:python-pluggy, p-cpe:/a:tencent:tencentos_server:python-lxml, p-cpe:/a:tencent:tencentos_server:python-wheel, p-cpe:/a:tencent:tencentos_server:pytest, p-cpe:/a:tencent:tencentos_server:python3x-setuptools, p-cpe:/a:tencent:tencentos_server:python-chardet, p-cpe:/a:tencent:tencentos_server:mod_wsgi, p-cpe:/a:tencent:tencentos_server:python-psutil, p-cpe:/a:tencent:tencentos_server:python-wcwidth, p-cpe:/a:tencent:tencentos_server:python-ply, p-cpe:/a:tencent:tencentos_server:python-cffi, p-cpe:/a:tencent:tencentos_server:python-py, p-cpe:/a:tencent:tencentos_server:scipy, p-cpe:/a:tencent:tencentos_server:pybind11, p-cpe:/a:tencent:tencentos_server:python-packaging, p-cpe:/a:tencent:tencentos_server:python-pymysql, p-cpe:/a:tencent:tencentos_server:cython, p-cpe:/a:tencent:tencentos_server:python-urllib3, p-cpe:/a:tencent:tencentos_server:python-cryptography, p-cpe:/a:tencent:tencentos_server:python39, p-cpe:/a:tencent:tencentos_server:python-toml, p-cpe:/a:tencent:tencentos_server:python-pycparser, p-cpe:/a:tencent:tencentos_server:python3x-pyparsing, p-cpe:/a:tencent:tencentos_server:numpy, p-cpe:/a:tencent:tencentos_server:python-iniconfig, cpe:/o:tencent:tencentos_server:3, p-cpe:/a:tencent:tencentos_server:python3x-pip, p-cpe:/a:tencent:tencentos_server:python3x-six, p-cpe:/a:tencent:tencentos_server:python-requests, p-cpe:/a:tencent:tencentos_server:python-idna, p-cpe:/a:tencent:tencentos_server:python-attrs, p-cpe:/a:tencent:tencentos_server:python-more-itertools

Required KB Items: Host/local_checks_enabled, Host/etc/os-release, Host/TencentOS/rpm-list, Host/cpu

Exploit Ease: No known exploits are available

Patch Publication Date: 12/18/2025

Vulnerability Publication Date: 6/27/2024

Reference Information

CVE: CVE-2024-11168, CVE-2024-5642, CVE-2024-9287, CVE-2025-0938, CVE-2025-4138, CVE-2025-4330, CVE-2025-4435, CVE-2025-4516, CVE-2025-4517, CVE-2025-6069, CVE-2025-6075, CVE-2025-8291

IAVA: 2024-A-0748-S, 2025-A-0444