<?xml version="1.0" encoding="utf-8"?>
  <?xml-stylesheet type="text/xsl" href="sa-render.xsl"?>
  <update from="huaweicloud.com" type="security" status="stable" version="1">
    <id>HCE2-SA-2024-0178</id>
    <title>An update for python3 is now available for HCE 2.0</title>
    <severity>Important</severity>
    <release>HCE 2.0</release>
    <issued date="2024-06-28 03:57:40"/>
    <updated date="2024-06-28 03:57:40"/>
    <references>
      <reference href="https://nvd.nist.gov/vuln/detail/CVE-2023-6597" id="CVE-2023-6597" title="CVE-2023-6597 Base Score: 7.8 Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N" type="cve"/>
      <reference href="https://nvd.nist.gov/vuln/detail/CVE-2015-20107" id="CVE-2015-20107" title="CVE-2015-20107 Base Score: 7.6 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L" type="cve"/>
      <reference href="https://nvd.nist.gov/vuln/detail/CVE-2024-0450" id="CVE-2024-0450" title="CVE-2024-0450 Base Score: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" type="cve"/>
    </references>
    <description>Security Fix(es):

An issue was found in the CPython `tempfile.TemporaryDirectory` class affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.

The tempfile.TemporaryDirectory class would dereference symlinks while resetting permissions after a permissions-related error during cleanup. This means users who can run privileged programs are potentially able to modify the permissions of files referenced by symlinks in some circumstances. (CVE-2023-6597)
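
Added example, not code from the advisory or from CPython: the permission-reset step that TemporaryDirectory's cleanup runs when it hits a PermissionError, in its pre-fix form next to a form mirroring the fix (follow_symlinks=False where the platform supports it, otherwise skip symlinks). A constructed victim file and a symlink to it show which variant changes the target's mode. Function names and the directory layout are this example's own.

```python
import os
import stat
import tempfile


def reset_perms_unsafe(path):
    """Pre-fix behaviour: os.chmod follows the symlink, so the mode of the
    link's target is changed, not the link inside the temp dir."""
    os.chmod(path, 0o700)


def reset_perms_safe(path):
    """Fixed behaviour: never touch the mode of whatever a symlink points to.
    Like upstream, use follow_symlinks=False where supported (lchmod on
    BSD/macOS) and otherwise skip symlinks entirely, since Linux cannot chmod
    the link itself."""
    if os.chmod in os.supports_follow_symlinks:
        os.chmod(path, 0o700, follow_symlinks=False)
    elif not os.path.islink(path):
        os.chmod(path, 0o700)


def demo(reset_perms):
    """Run `reset_perms` on a symlink inside a directory being cleaned up and
    return the resulting permission bits of the file the link points to.

    Constructed scenario: `victim` (mode 0600) lives outside the temp dir the
    attacker can write into; the attacker plants `link` pointing at it, and
    the cleanup error handler then resets permissions on `link`.
    """
    with tempfile.TemporaryDirectory() as outside:
        victim = os.path.join(outside, "victim")
        with open(victim, "w") as fh:
            fh.write("secret")
        os.chmod(victim, 0o600)

        with tempfile.TemporaryDirectory() as cleaned:
            link = os.path.join(cleaned, "link")
            os.symlink(victim, link)
            # In the real module this is applied to the failing path and its
            # parent before the delete is retried; one call suffices here.
            reset_perms(link)
        return stat.S_IMODE(os.stat(victim).st_mode)
```

demo(reset_perms_unsafe) returns 0o700, showing the victim's mode was rewritten through the link; demo(reset_perms_safe) leaves it at 0o600. On the patched python3 packages above, TemporaryDirectory's own cleanup behaves like the safe variant.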

In Python (aka CPython) through 3.10.8, the mailcap module does not add escape characters to commands discovered in the system mailcap file. This may allow attackers to inject shell commands into applications that call mailcap.findmatch with untrusted input (if they lack validation of user-provided filenames or arguments). The fix is also back-ported to 3.7, 3.8 and 3.9. (CVE-2015-20107)
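
Added example, not code from the advisory or from CPython: a reduced model of mailcap's %s substitution that shows the injection, the upstream-style rejection of filenames containing shell metacharacters (the character class reproduced below is the one the fixed module checks against), and shlex.quote as an alternative for callers that must accept arbitrary names. The command template, filename and function names are constructed for illustration.

```python
import re
import shlex

# Character class from the check CPython added to mailcap: anything outside
# it is treated as a shell metacharacter and the substitution is refused.
_find_unsafe = re.compile(r"[^xXa-zA-Z0-9@%+=:,./-]").search


def subst_unsafe(command, filename):
    """Pre-fix behaviour: %s is replaced verbatim, so metacharacters in the
    filename become part of the string the caller later hands to the shell."""
    return command.replace("%s", filename)


def subst_safe(command, filename):
    """Fixed behaviour: refuse to build a command for an unsafe filename.
    Upstream's findmatch() warns and returns (None, None); None stands for
    that here."""
    if _find_unsafe(filename):
        return None
    return command.replace("%s", filename)


def subst_quoted(command, filename):
    """Alternative hardening for callers that must accept any filename:
    quote the value so the shell sees it as a single argument."""
    return command.replace("%s", shlex.quote(filename))


# Constructed inputs: a mailcap 'view' command for video/mpeg and an
# attacker-chosen filename. To the application the name is data; once spliced
# into a shell command line, "; id" runs as a second command.
TEMPLATE = "xmpeg %s"
ATTACK_NAME = "clip.mpeg; id"
```

subst_unsafe(TEMPLATE, ATTACK_NAME) yields "xmpeg clip.mpeg; id", which os.system() would run as two commands; subst_safe() returns None for the same input and only substitutes plain names such as "clip.mpeg"; subst_quoted() yields "xmpeg 'clip.mpeg; id'", a single argument. Applications that still need to accept such names after upgrading should validate or quote before calling findmatch, since the fixed module simply declines to match.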

An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.

The zipfile module is vulnerable to “quoted-overlap” zip bombs, which exploit the zip format to build an archive with an extremely high compression ratio by letting several entries overlap, so the same compressed bytes are counted once in the archive but expanded many times. The fixed versions of CPython make the zipfile module reject archives whose entries overlap. (CVE-2024-0450)
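
Added example, not the advisory's or the stdlib's code: it builds the simplest overlapping archive in memory (several central-directory records all quoting one compressed local entry, so the archive advertises many times the data it stores) and then checks each entry's data end against the next entry's local header offset, which is the check the fixed zipfile performs when an entry is opened. A claimed-size ratio is included as a second, cheaper signal. Names, payload and the threshold are constructed.

```python
import io
import zipfile
import zlib

LOCAL_SIG = 0x04034B50
CENTRAL_SIG = 0x02014B50
EOCD_SIG = 0x06054B50


def _le(value, width):
    """Fixed-width little-endian field, the zip format's integer encoding."""
    return value.to_bytes(width, "little")


def build_quoted_overlap_zip(copies, payload=b"0" * 65536):
    """Constructed zip bomb: one raw-deflate local entry that `copies`
    central-directory records all point at (header offset 0). Every record
    claims the full uncompressed size, so the archive advertises
    copies * len(payload) bytes while storing the compressed payload once."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)    # wbits -15: raw deflate, as zip uses
    data = comp.compress(payload) + comp.flush()
    crc = zlib.crc32(payload)
    name = b"file0.bin"
    local = (_le(LOCAL_SIG, 4) + _le(20, 2) + _le(0, 2) + _le(8, 2)       # version, flags, method=deflate
             + _le(0, 2) + _le(0, 2) + _le(crc, 4) + _le(len(data), 4)   # time, date, crc, compressed size
             + _le(len(payload), 4) + _le(len(name), 2) + _le(0, 2)      # uncompressed size, name/extra lengths
             + name)
    body = local + data
    cd = b""
    for i in range(copies):
        entry_name = b"file%d.bin" % i
        cd += (_le(CENTRAL_SIG, 4) + _le(20, 2) + _le(20, 2) + _le(0, 2) + _le(8, 2)
               + _le(0, 2) + _le(0, 2) + _le(crc, 4) + _le(len(data), 4) + _le(len(payload), 4)
               + _le(len(entry_name), 2) + _le(0, 2) + _le(0, 2)    # name, extra, comment lengths
               + _le(0, 2) + _le(0, 2) + _le(0, 4)                   # disk, internal and external attrs
               + _le(0, 4)                                           # local header offset: all quote entry 0
               + entry_name)
    eocd = (_le(EOCD_SIG, 4) + _le(0, 2) + _le(0, 2) + _le(copies, 2) + _le(copies, 2)
            + _le(len(cd), 4) + _le(len(body), 4) + _le(0, 2))
    return body + cd + eocd


def build_benign_zip(payload=b"0" * 65536):
    """Constructed control: two entries written normally by zipfile."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("a.txt", payload)
        zf.writestr("b.txt", payload)
    return buf.getvalue()


def find_overlaps(zip_bytes):
    """Names of entries whose stored data runs past the next entry's local
    header. Mirrors the check the fixed CPython applies in ZipFile.open();
    this is the example's own code, not the stdlib's."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        infos = sorted(zf.infolist(), key=lambda zi: zi.header_offset)
    overlapping = []
    for cur, nxt in zip(infos, infos[1:]):
        off = cur.header_offset
        if int.from_bytes(zip_bytes[off:off + 4], "little") != LOCAL_SIG:
            raise zipfile.BadZipFile("bad local header for %r" % cur.filename)
        # Local header: 30 fixed bytes, then name and extra field; their lengths
        # sit at offsets 26 and 28 and may differ from the central record's.
        name_len = int.from_bytes(zip_bytes[off + 26:off + 28], "little")
        extra_len = int.from_bytes(zip_bytes[off + 28:off + 30], "little")
        data_end = off + 30 + name_len + extra_len + cur.compress_size
        if data_end > nxt.header_offset:
            overlapping.append(cur.filename)
    return overlapping


def advertised_ratio(zip_bytes):
    """Claimed uncompressed bytes per byte of archive, worth logging before
    extraction alongside the overlap check."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        claimed = sum(zi.file_size for zi in zf.infolist())
    return claimed / len(zip_bytes)
```

For build_quoted_overlap_zip(3), find_overlaps() reports file0.bin and file1.bin (the last entry has no successor to collide with) and the advertised ratio is in the hundreds, while the benign archive reports no overlaps. On the patched python3 packages above, ZipFile.open() on any of the quoted entries raises BadZipFile with an "Overlapped entries" message; code that must process archives from untrusted sources on older interpreters can run a check like find_overlaps() first, and should in any case cap total extracted bytes.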
</description>
    <pkglist>
      <collection short="HCE 2.0" package="python3">
        <name>HCE 2.0</name>
        <package arch="aarch64" name="python3" version="3.9.9" release="7.r26.hce2">
          <filename>python3-3.9.9-7.r26.hce2.aarch64.rpm</filename>
        </package>
        <package arch="aarch64" name="python3-devel" version="3.9.9" release="7.r26.hce2">
          <filename>python3-devel-3.9.9-7.r26.hce2.aarch64.rpm</filename>
        </package>
        <package arch="noarch" name="python3-help" version="3.9.9" release="7.r26.hce2">
          <filename>python3-help-3.9.9-7.r26.hce2.noarch.rpm</filename>
        </package>
        <package arch="aarch64" name="python3-unversioned-command" version="3.9.9" release="7.r26.hce2">
          <filename>python3-unversioned-command-3.9.9-7.r26.hce2.aarch64.rpm</filename>
        </package>
        <package arch="x86_64" name="python3" version="3.9.9" release="7.r26.hce2">
          <filename>python3-3.9.9-7.r26.hce2.x86_64.rpm</filename>
        </package>
        <package arch="x86_64" name="python3-devel" version="3.9.9" release="7.r26.hce2">
          <filename>python3-devel-3.9.9-7.r26.hce2.x86_64.rpm</filename>
        </package>
        <package arch="noarch" name="python3-help" version="3.9.9" release="7.r26.hce2">
          <filename>python3-help-3.9.9-7.r26.hce2.noarch.rpm</filename>
        </package>
        <package arch="x86_64" name="python3-unversioned-command" version="3.9.9" release="7.r26.hce2">
          <filename>python3-unversioned-command-3.9.9-7.r26.hce2.x86_64.rpm</filename>
        </package>
      </collection>
    </pkglist>
  </update>
