Fedora 42 has released a PyPy 7.3.20 update addressing three vulnerabilities in third-party packages bundled with the PyPy interpreter: setuptools, requests and urllib3. The PyPy JIT itself is not affected; the flaws live in the packaging and HTTP libraries that ship alongside it. Left unpatched, they could enable path traversal (arbitrary file writes during package installation), leakage of .netrc credentials to an attacker-controlled host, and redirects being followed by clients that believed they had disabled them.
🔴 Key Threats Patched:
CVE-2025-47273: Path traversal in setuptools (Remote Code Execution risk)
CVE-2024-47081: .netrc credential leak via malicious URLs (Data breach risk)
CVE-2025-50181: urllib3 redirect hijacking (Man-in-the-Middle attack vector)
“PyPy’s JIT optimization makes it a performance powerhouse, but unpatched security gaps negate its advantages.” — LinuxSecurity Advisory Board
Technical Breakdown of Vulnerabilities
1. CVE-2025-47273: Setuptools Path Traversal
Impact: A malicious package index controls the file names setuptools' PackageIndex derives from download URLs. Because the last path segment is percent-decoded after the URL is split, an encoded "..%2F" sequence survives as "../", letting the index write a downloaded file outside the intended download directory (an arbitrary-file-write primitive on the installing host, which is typically enough for code execution).
Fix: PackageIndex now validates the derived file name and rejects anything that would leave the download directory (setuptools 78.1.1), shipped in the setuptools bundled with PyPy 7.3.20.
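The following is an added example written for this article, not setuptools' own code. It reconstructs the class of bug in simplified form: the file name is the last URL path segment, percent-decoded after splitting, and the pre-fix pattern joins that name straight onto the download directory. The hardened version applies the kind of containment check the fix introduces. Function names (naive_download_path, safe_download_path, is_within) and the sample URLs are assumptions for illustration.

```python
import os
import tempfile
from urllib.parse import unquote, urlsplit


def _index_supplied_name(url: str) -> str:
    # Both variants derive the file name the same way: last path segment,
    # percent-decoded AFTER splitting, so an encoded "..%2F" becomes "../".
    return unquote(urlsplit(url).path.split("/")[-1])


def naive_download_path(base_dir: str, url: str) -> str:
    """Pre-fix pattern (illustrative): trust the index-supplied name outright."""
    return os.path.join(base_dir, _index_supplied_name(url))


def is_within(base_dir: str, path: str) -> bool:
    """True if `path` resolves to a location inside `base_dir`."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(path)
    try:
        return os.path.commonpath([base, target]) == base
    except ValueError:  # different drives on Windows
        return False


def safe_download_path(base_dir: str, url: str) -> str:
    """Hardened: the name must be a bare file name and must stay in base_dir."""
    name = _index_supplied_name(url)
    # Reject empty names, dot names, and anything containing a path separator
    # (basename strips both os.sep and os.altsep, so a survivor equals itself).
    if not name or name in (".", "..") or os.path.basename(name) != name:
        raise ValueError(f"refusing index-supplied file name {name!r}")
    candidate = os.path.join(os.path.realpath(base_dir), name)
    # Belt and braces: confirm the resolved path did not escape the base.
    if not is_within(base_dir, candidate):
        raise ValueError(f"download path {candidate!r} escapes {base_dir!r}")
    return candidate


if __name__ == "__main__":
    # Constructed sample: a hostile index serving "..%2F..%2Fetc%2Fcron.d%2Fevil".
    download_dir = tempfile.mkdtemp(prefix="pkgdl-")
    hostile = "https://index.example/simple/pkg/..%2F..%2Fetc%2Fcron.d%2Fevil"
    print("naive  :", naive_download_path(download_dir, hostile))
    try:
        safe_download_path(download_dir, hostile)
    except ValueError as exc:
        print("safe   : rejected ->", exc)
```

The two-step check matters: the basename test catches separators before any filesystem call, and the realpath/commonpath comparison catches symlink tricks or platform quirks the string test misses.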
2. CVE-2024-47081: .netrc Credential Leak
Root Cause: requests derived the host for its .netrc lookup from the URL's netloc (splitting on ":") instead of the parsed hostname. A crafted URL whose userinfo contains a trusted host name therefore matched that trusted host's .netrc entry while the request itself went to an attacker-controlled server, leaking the stored credentials. Fixed in requests 2.32.4; setting trust_env=False on a Session disables .netrc lookup entirely if the upgrade has to wait.
Stat: 78% of Python projects use requests, making this a high-priority fix.
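The following is an added example for this article, a simplified reconstruction rather than requests' actual code. It shows the netloc-split lookup beside the hostname-based one, driven by a constructed .netrc file written to a temporary path. The crafted URL, the helper names (naive_netrc_host, hardened_netrc_host, lookup_credentials) and the sample credentials are assumptions for illustration.

```python
import netrc
import os
import tempfile
from urllib.parse import urlsplit

# Constructed sample .netrc: one entry for a trusted API host.
NETRC_TEXT = """machine api.example.com
login deploy
password s3cr3t-token
"""


def write_netrc(text: str = NETRC_TEXT) -> str:
    """Write the sample .netrc to a 0600 temp file and return its path."""
    fd, path = tempfile.mkstemp(prefix="netrc-")
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(path, 0o600)
    return path


def naive_netrc_host(url: str):
    """Pre-fix pattern (illustrative): netloc split on ':' keeps the userinfo."""
    return urlsplit(url).netloc.split(":")[0]


def hardened_netrc_host(url: str):
    """Use the parsed hostname, i.e. the host the request actually goes to."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None
    return parts.hostname  # userinfo and port stripped, lowercased


def lookup_credentials(url: str, netrc_path: str, host_extractor):
    """Return (login, password) from .netrc for the host chosen by host_extractor."""
    host = host_extractor(url)
    if not host:
        return None
    entry = netrc.netrc(netrc_path).authenticators(host)
    if entry is None:
        return None
    login, _account, password = entry
    return login, password


if __name__ == "__main__":
    path = write_netrc()
    # Userinfo "api.example.com:x" is a decoy; the request goes to evil.example.
    crafted = "https://api.example.com:x@evil.example/hook"
    print("naive    ->", lookup_credentials(crafted, path, naive_netrc_host))
    print("hardened ->", lookup_credentials(crafted, path, hardened_netrc_host))
```

The point to check in your own code is the same: whatever selects credentials for a request must be computed from the exact host (and scheme) the connection is opened to, never from a string that still contains userinfo.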
3. CVE-2025-50181: urllib3 Redirect Hijacking
Exploit Scenario: Disabling retries when constructing a PoolManager (retries=0 or retries=False) did not disable redirects. An application that believed redirects were off would still follow a 3xx response to an attacker-chosen location, defeating controls such as SSRF allow-lists that assumed the request stayed at its original destination.
Patch: urllib3 2.5.0 makes PoolManager honour redirect disabling passed at construction. Passing redirect=False to request() was already effective and remains the explicit way to stop a single request from following redirects.
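Rather than trusting a client's configuration, a practitioner can verify it against a server that actually redirects. The following is an added example for this article, not urllib3's code: a local HTTP server that always answers 302 with a Location on a foreign host, a client under test built on the standard library (http.client never follows redirects), and a same-origin check for the case where redirects are followed deliberately. The attacker host name, the helper names (start_redirect_server, fetch_without_redirects, check_client) and the sample path are assumptions.

```python
import http.client
import http.server
import threading
from urllib.parse import urlsplit

# Constructed attacker destination; .invalid is reserved and never resolves.
ATTACKER_LOCATION = "http://attacker.invalid/capture"


class _RedirectHandler(http.server.BaseHTTPRequestHandler):
    """Every GET is answered with a 302 pointing at the attacker host."""

    def do_GET(self):
        self.send_response(302)
        self.send_header("Location", ATTACKER_LOCATION)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the harness quiet
        pass


def start_redirect_server() -> http.server.HTTPServer:
    """Bind to an ephemeral loopback port and serve in a daemon thread."""
    server = http.server.HTTPServer(("127.0.0.1", 0), _RedirectHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch_without_redirects(url: str):
    """Client under test: returns (status, Location) without following 3xx."""
    parts = urlsplit(url)
    conn = http.client.HTTPConnection(parts.hostname, parts.port, timeout=5)
    try:
        conn.request("GET", parts.path or "/")
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def redirect_stays_on_origin(origin_url: str, location: str) -> bool:
    """Policy for clients that do follow: scheme, host and port must not change."""
    o, l = urlsplit(origin_url), urlsplit(location)
    return (o.scheme, o.hostname, o.port) == (l.scheme, l.hostname, l.port)


def check_client(fetch) -> dict:
    """Run `fetch` against the redirecting server and report what it did."""
    server = start_redirect_server()
    try:
        url = f"http://127.0.0.1:{server.server_port}/login"
        status, location = fetch(url)
        return {
            "stopped_at_3xx": status == 302,
            "location": location,
            "same_origin": redirect_stays_on_origin(url, location or ""),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(check_client(fetch_without_redirects))
```

To test a urllib3 client with the same harness, pass a fetch callable that issues pool.request("GET", url, redirect=False) and returns resp.status and resp.headers.get("Location") (assumed usage, not run here); a client that comes back with a 200 from the attacker host instead of the 302 is following redirects regardless of what its constructor was told.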
How to Update Fedora 42 for PyPy 7.3.20
Terminal Command:
sudo dnf upgrade --advisory FEDORA-2025-a37bf9ddbd
Verify Installation:
pypy --version   # the output should include "PyPy 7.3.20"
📌 Pro Tip: Pair this update with a pip-audit run so that copies of setuptools, requests or urllib3 installed in project virtual environments (which the system package upgrade does not touch) are flagged too.
Security Best Practices for PyPy Users
Sandboxing: Run PyPy in isolated containers (e.g., Podman/Docker).
Dependency Audits: Run pip-audit weekly.
Network Policies: Block unexpected outbound connections.
FAQ Section
❓ Does this affect CPython?
The PyPy JIT is not involved. The three flaws are in setuptools, requests and urllib3, which are ordinary Python packages, so a CPython environment carrying vulnerable versions of them is affected in exactly the same way and needs the equivalent package upgrades (setuptools 78.1.1, requests 2.32.4 and urllib3 2.5.0 or later). What is specific to this advisory is only that Fedora ships those packages inside the PyPy build and therefore fixes them through the pypy package.
❓ Can I delay the update?
Not recommended. CVE-2025-47273 gives any package index a PyPy installation talks to an arbitrary-file-write primitive on the installing host, which is typically enough for code execution, and the two HTTP-library flaws are reachable from any server a requests or urllib3 client connects to.
