发布时间: 2024年12月7日
修改时间: 2025年1月4日
Starting in Python 3.12.0, the asyncio._SelectorSocketTransport.writelines() method would not "pause" writing and signal to the Protocol to drain the buffer to the wire once the write buffer reached the "high-water mark". Because of this, Protocols would not periodically drain the write buffer potentially leading to memory exhaustion. This vulnerability likely impacts a small number of users, you must be using Python 3.12.0 or later, on macOS or Linux, using the asyncio module with protocols, and using .writelines() method which had new zero-copy-on-write behavior in Python 3.12.0 and later. If not all of these factors are true then your usage of Python is unaffected.
| NVD | openEuler | |
|---|---|---|
| CVSS评分 | 8.7 | 8.7 |
| Attack Vector | Network | Network |
| Attack Complexity | Low | Low |
| Privileges Required | None | None |
| User Interaction | None | None |
| Scope | ||
| Confidentiality | ||
| Integrity | ||
| Availability |
| 公告名 | 概要 | 发布时间 |
|---|---|---|
| KylinSec-SA-2024-4360 | Starting in Python 3.12.0, the asyncio._SelectorSocketTransport.writelines() method would not "pause" writing and signal to the Protocol to drain the buffer to the wire once the write buffer reached the "high-water mark". Because of this, Protocols would not periodically drain the write buffer potentially leading to memory exhaustion. This vulnerability likely impacts a small number of users, you must be using Python 3.12.0 or later, on macOS or Linux, using the asyncio module with protocols, and using .writelines() method which had new zero-copy-on-write behavior in Python 3.12.0 and later. If not all of these factors are true then your usage of Python is unaffected. | 2024年12月16日 |
| 产品 | 包 | 状态 |
|---|---|---|
| KY3.4-5 | python3 | Unaffected |
| KY3.5.2 | python3 | Unaffected |
| KY3.5.3 | python3 | Unaffected |
| V6 | python3 | Unaffected |
