FERRAMENTAS LINUX: Fedora 41 PyPy 7.3.20 Update: Critical Security Patches for Python JIT Compiler

Sunday, 20 July 2025

Fedora 41 PyPy 7.3.20 Update: Critical Security Patches for Python JIT Compiler

 


Fedora 41’s critical PyPy 7.3.20 update patches three severe CVEs (CVE-2025-47273, CVE-2024-47081, CVE-2025-50181) in pip/setuptools. Learn how to secure your Python JIT compiler, fix path traversal risks, and apply the update via DNF. Includes the changelog, bug references, and upgrade instructions.


Fedora 41 has rolled out an urgent update for PyPy, its high-performance Python implementation featuring a Just-In-Time (JIT) compiler.

This release (7.3.20) addresses three critical vulnerabilities—CVE-2025-47273, CVE-2024-47081, and CVE-2025-50181—impacting pip and setuptools. Here’s what developers and sysadmins need to know.


Key Security Fixes in PyPy 7.3.20

  1. CVE-2025-47273: Path traversal vulnerability in setuptools.PackageIndex (Bug #2367430).

  2. CVE-2024-47081: .netrc credentials leak via malicious URLs in requests (Bug #2372476).

  3. CVE-2025-50181: urllib3 redirects bypass retry-disabled settings (Bug #2373817).

Why this matters:

  • Exploits could lead to arbitrary code execution, data leaks, or supply-chain attacks.

  • PyPy’s JIT optimizations (enabled in this build) make it a high-value target for attackers.
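The first CVE above belongs to the path-traversal bug class: a file name taken from an untrusted package index ends up escaping the download directory. The following guard is an added example for this post (not setuptools' own code) showing the checks a downloader should make before writing such a file; the URLs and example.invalid domain are constructed for illustration.

```python
"""Rejecting traversal in file names taken from an untrusted package index.

Added example for this post; it is not setuptools' own code. The URLs below
are constructed for illustration (example.invalid is a reserved test domain).
"""
import os
import posixpath
from urllib.parse import unquote, urlsplit


def safe_download_path(download_dir: str, url: str) -> str:
    """Return the absolute path under download_dir for the file named by url.

    Raises ValueError when the URL's file name is empty, is '.' or '..',
    still contains a separator after percent-decoding, or resolves outside
    download_dir (for example through a symlink).
    """
    base = os.path.realpath(download_dir)
    # basename() runs on the raw URL path, then the component is decoded:
    # an encoded '%2F' survives basename and only becomes '/' afterwards,
    # which is why the separator check below comes after decoding.
    name = unquote(posixpath.basename(urlsplit(url).path))
    if name in ("", ".", ".."):
        raise ValueError(f"refusing empty or dot file name from {url!r}")
    if any(ch in name for ch in ("/", "\\", "\x00")):
        raise ValueError(f"refusing separator or NUL in file name {name!r}")
    candidate = os.path.realpath(os.path.join(base, name))
    # realpath collapses '..' and follows symlinks; the result must still
    # lie inside the download directory.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"{candidate!r} escapes {base!r}")
    return candidate


def is_safe_download(download_dir: str, url: str) -> bool:
    """Boolean form of safe_download_path, handy for logging or tests."""
    try:
        safe_download_path(download_dir, url)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample URLs: one benign sdist and two malformed names.
    for url in (
        "https://example.invalid/simple/foo/foo-1.0.tar.gz",
        "https://example.invalid/simple/foo/..%2F..%2Fetc%2Fpasswd",
        "https://example.invalid/simple/foo/",
    ):
        print(f"{url} -> {'ok' if is_safe_download('/tmp', url) else 'REJECTED'}")
```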


How to Apply the Update

Run the following command:

```bash
sudo dnf upgrade --advisory FEDORA-2025-9b8da6ad7e
```

For enterprise users: Test in staging first—PyPy’s JIT can impact performance-sensitive workloads.


Technical Deep Dive: PyPy’s Optimizations

PyPy isn’t just a Python interpreter—it’s a JIT-powered runtime that optimizes:

  • Standard types: Strings, dictionaries, and lists run 5–10x faster than CPython.

  • Memory usage: Ideal for long-running processes (e.g., web servers).

⚠️ Warning: JIT compilation is enabled by default in this build. Benchmark after upgrading.


Changelog & References

  • 7.3.20-1: Fixes Bug #2376234 (upstream compatibility).

  • 7.3.19-2: Initial CVE patches (Backported to Fedora 41).

Official Bug Reports:

  1. CVE-2025-47273

  2. CVE-2024-47081

  3. CVE-2025-50181


FAQs

Q: Does this affect CPython?

A: No—these CVEs are specific to PyPy’s setuptools/urllib3 integrations.

Q: How urgent is the update?

A: Critical if you use PyPy with untrusted packages (e.g., public PyPI downloads).

Q: Can I disable JIT for security?

A: Yes, but performance drops significantly. Use PYTHONJIT=0 env var.

