Open-source Languages & Tools for z/OS


 Are any Rocket z/OS tools affected by vulnerability CVE-2022-37454

Jurgen Hildebrandt posted 11-08-2022 02:55
Hello,
There is a new vulnerability CVE-2022-37454 for "Extended Keccak Code Package Project Extended Keccak Code Package vulnerabilities"
Does this affect any Rocket z/OS Tools?
Many Thanks!
Jurgen Hildebrandt
In the meantime I found this reference: https://nakedsecurity.sophos.com/2022/11/01/sha-3-code-execution-bug-patched-in-php-check-your-version/
It says:
>>> import hashlib
>>> hashlib.sha3_224
<built-in function openssl_sha3_224>

A vulnerable Python version will say something like <class '_sha3.sha3_224'> instead of referencing openssl_sha3_224.

And if I do so, I receive <class '_sha3.sha3_224'>

python --version delivers:
Python 3.7.0 (tags/python-3.7.0-28-dirty:ea20976056, Dec 22 2020, 01:20:53) [C]

I have installed latest update with miniconda, but the result is still the same.

Python 3.7.0 (build 36, Apr 16 2021, 06:18:59) [C]

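The check quoted above is a manual one-liner in the interpreter. The following script, an added example that is not part of this thread or of any Rocket product, wraps the same backend test in reusable functions, runs it over the whole SHA-3 family, and adds a known-answer sanity check on the empty message using digests from FIPS 202. The function and constant names are my own; the only assumption about the interpreter is that `repr()` of the hashlib constructors contains `openssl_` when OpenSSL supplies the algorithm and `_sha3.` when CPython's bundled module does, which is exactly what the two outputs in the post show.

```python
"""Report which backend provides SHA-3 in this Python build (CVE-2022-37454 triage aid)."""
import hashlib
import sys

try:
    import ssl  # only used to show the linked OpenSSL version, if any
except ImportError:  # some minimal builds ship without the ssl module
    ssl = None

# Known-answer vectors for SHA-3 on the empty message (FIPS 202), constructed
# here so the check runs offline without any external test-vector files.
KNOWN_ANSWERS = {
    "sha3_224": "6b4e03423667dbb73b6e15454f0eb1abd4597f9a1b078e3f5b5a6bc7",
    "sha3_256": "a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a",
}

# Every SHA-3 family constructor hashlib may expose (assumed list, per CPython docs).
SHA3_NAMES = ("sha3_224", "sha3_256", "sha3_384", "sha3_512", "shake_128", "shake_256")


def classify_backend(constructor_repr: str) -> str:
    """Map the repr() of a hashlib constructor to the backend that provides it.

    "<built-in function openssl_sha3_224>" -> "openssl"
    "<class '_sha3.sha3_224'>"             -> "builtin"  (CPython's bundled,
                                               XKCP-derived module that
                                               CVE-2022-37454 concerns)
    """
    if "openssl_" in constructor_repr:
        return "openssl"
    if "_sha3." in constructor_repr:
        return "builtin"
    return "unknown"


def sha3_backends() -> dict:
    """Return {algorithm: backend} for each SHA-3 family constructor."""
    backends = {}
    for name in SHA3_NAMES:
        ctor = getattr(hashlib, name, None)
        backends[name] = "missing" if ctor is None else classify_backend(repr(ctor))
    return backends


def known_answers_ok() -> bool:
    """Check that whichever backend is loaded produces the FIPS 202 digests."""
    return all(
        hashlib.new(name, b"").hexdigest() == expected
        for name, expected in KNOWN_ANSWERS.items()
    )


def report() -> dict:
    """Combine the checks into one record suitable for logging or inventory."""
    backends = sha3_backends()
    return {
        "python": sys.version.split()[0],
        "openssl": getattr(ssl, "OPENSSL_VERSION", "n/a") if ssl else "n/a",
        "sha3_backends": backends,
        # True means at least one SHA-3 algorithm comes from the bundled module,
        # i.e. the build needs a vendor/version check rather than an OpenSSL one.
        "any_builtin_sha3": any(b == "builtin" for b in backends.values()),
        "known_answers_ok": known_answers_ok(),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Run it with the interpreter you want to audit (for example the one inside a Miniconda environment) and record the output per host. Two caveats: the known-answer test only proves the loaded implementation hashes short inputs correctly, which a build exposed to CVE-2022-37454 also does, so it catches a broken install rather than the CVE itself; and a `builtin` result means the exposure depends on whether the vendor's build carries the upstream fix, so it is the cue to consult the vendor advisory, not a verdict on its own.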
ROCKETEER Tatiana Balaburkina

Hi Jurgen,

The latest Miniconda (miniconda-zos-2.0-2022-01-17.run) contains Python 3.9.5 in the base environment: 

$ python
Python 3.9.5 (heads/pyz_dev-3.9:7cc8dd352f, Nov 2 2021, 05:50:11) on zos
Type "help", "copyright", "credits" or "license" for more information.
>>> import hashlib
>>> hashlib.sha3_224
<built-in function openssl_sha3_224>
Python 3.7.0 is not supported anymore and will no longer get any security patches.
Jurgen Hildebrandt
Hello Tatjana,
Thank you for your information. I have updated miniconda to the new version and can confirm that the vulnerability is fixed.

Regards Jürgen
ROCKETEER Tatiana Balaburkina
Jurgen,
Impact on the other z/OS ports within Rocket Open AppDev for Z is unknown and currently under analysis at high priority. Note that CVE fixes are made available immediately to customers on support contract and after a six month delay to all others. If you are entitled to support please open a case via the support portal to ensure you get a quick update should this vulnerability apply to one of the Open AppDev for Z ports.