Python · Python · CVE-2022-48566
**Name of the Vulnerable Software and Affected Versions**
Python versions through 3.9.1 (hmac.compare_digest timing issue)
Python version 3.12.0b1 (asyncio.swap_current_task() issue)
**Description**
The issue is in the compare_digest function in Lib/hmac.py (hmac.compare_digest): constant-time-defeating optimisations were possible in the accumulator variable that collects the byte-by-byte differences between the two digests, so the time the comparison takes could depend on how many leading bytes match. This is a timing side channel, not a race condition: an attacker who can submit many candidate MACs or tokens and measure response times may be able to recover a valid value one byte at a time, which is why a MAC comparison must inspect every byte regardless of where the first mismatch occurs. The fix (bpo-40791) declares the accumulator volatile in the C implementation so that the compiler cannot short-circuit the loop once a difference has been found. Separately, the plistlib module no longer accepts entity declarations in XML plist files, which closes an XML External Entity (XXE) issue in plist parsing. An information-disclosure issue is also recorded against the asyncio.swap_current_task() component of Python 3.12.0b1.
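As an added illustration (this is example code written for this page, not code from CPython or from the advisory), the block below contrasts an early-exit comparison with the accumulator pattern that hmac.compare_digest is built on, counting how many bytes each one inspects, and then shows the correct way to verify an HMAC tag. The key and messages are constructed for the demo. The pure-Python accumulator shows the shape of the algorithm only; it cannot express the volatile guarantee the C fix adds, so production code must call hmac.compare_digest rather than reimplement it.

```python
import hashlib
import hmac


def leaky_compare(a: bytes, b: bytes):
    """Byte-by-byte comparison that returns at the first mismatch.

    Returns (equal, bytes_inspected). The second value is what a timing
    side channel observes: it grows with the length of the matching
    prefix, so an attacker can recover a valid MAC one byte at a time.
    This is the behaviour a plain `a == b` has for the attacker's purposes.
    """
    if len(a) != len(b):
        return False, 0
    inspected = 0
    for x, y in zip(a, b):
        inspected += 1
        if x != y:
            return False, inspected  # early exit leaks the mismatch position
    return True, inspected


def accumulator_compare(a: bytes, b: bytes):
    """Accumulator-style comparison, the shape of hmac.compare_digest.

    Every XOR difference is OR-ed into one variable and the verdict is
    taken only at the end, so every byte is always inspected. Returns
    (equal, bytes_inspected); bytes_inspected is always len(a) when the
    lengths match. CPython's real implementation is C and marks this
    accumulator volatile (the bpo-40791 fix) so the compiler cannot stop
    early once it is non-zero; pure Python cannot promise that.
    """
    if len(a) != len(b):
        return False, 0
    result = 0
    inspected = 0
    for x, y in zip(a, b):
        result |= x ^ y  # no branch on the running result
        inspected += 1
    return result == 0, inspected


# Constructed demo key; real code loads keys from a secret store.
DEMO_KEY = b"constructed-demo-key-do-not-use"


def make_tag(message: bytes, key: bytes = DEMO_KEY) -> bytes:
    """HMAC-SHA256 tag over message."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_tag(message: bytes, tag: bytes, key: bytes = DEMO_KEY) -> bool:
    """Verify a tag with the library's constant-time primitive.

    hmac.compare_digest also handles the length-mismatch case without
    leaking anything beyond the fact that the lengths differ.
    """
    return hmac.compare_digest(make_tag(message, key), tag)


if __name__ == "__main__":
    # Same length, mismatch in the third byte: the leaky version stops at 3,
    # the accumulator version always walks all 4 bytes.
    print(leaky_compare(b"abcd", b"abzz"))        # (False, 3)
    print(accumulator_compare(b"abcd", b"abzz"))  # (False, 4)
    msg = b"transfer:100"
    print(verify_tag(msg, make_tag(msg)))         # True
    print(verify_tag(msg, bytes(32)))             # False
```

The observable difference is the inspected-byte count: with the early-exit version it reveals the length of the matching prefix, which is exactly the per-byte oracle a remote timing attack needs; with the accumulator version it is constant for a given length.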
**Recommendations**
For Python versions through 3.9.1, update to a release that contains the fix for bpo-40791 (Python 3.9.2 or later), where the accumulator in hmac.compare_digest is declared volatile so that constant-time-defeating optimisations are no longer possible. Do not replace the call with a plain == comparison or a hand-written loop in the meantime; those leak the same information.
For Python 3.12.0b1, do not run the beta in production: move to a current 3.12 release and, until then, limit which code can reach the asyncio.swap_current_task() component.
Until you are on a patched plistlib, treat XML plist files from untrusted sources as hostile: either do not parse them with plistlib at all, or reject any file that carries an entity declaration (<!ENTITY ...>) or a DOCTYPE with an internal subset before it reaches the parser. A regular plist never needs either, and patched plistlib rejects entity declarations with InvalidFileException.
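The following is an added example of that pre-parse guard (written for this page, not part of CPython or the advisory). It keeps the standard Apple DOCTYPE that every XML plist legitimately carries, but refuses a DOCTYPE with an internal subset or any <!ENTITY ...> declaration, and maps plistlib's own InvalidFileException onto the same error so callers deal with one rejection path. Both plist inputs are constructed for the demo.

```python
import plistlib
import re

# Constructed sample: an ordinary XML plist, including the usual Apple
# DOCTYPE (no internal subset), which must still be accepted.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Name</key>
    <string>demo</string>
    <key>Enabled</key>
    <true/>
</dict>
</plist>
"""

# Constructed sample: the XXE shape the advisory describes, an internal
# subset declaring an external entity that the document then references.
XXE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist [
  <!ENTITY leak SYSTEM "file:///etc/passwd">
]>
<plist version="1.0">
<dict>
    <key>Name</key>
    <string>&leak;</string>
</dict>
</plist>
"""

# Any entity declaration, or a DOCTYPE that opens an internal subset,
# is a red flag: real plists never need them.
_ENTITY_DECL = re.compile(rb"<!ENTITY\b", re.IGNORECASE)
_INTERNAL_SUBSET = re.compile(rb"<!DOCTYPE[^>\[]*\[", re.IGNORECASE)


def has_entity_declarations(data: bytes) -> bool:
    """True if the XML plist carries an ENTITY declaration or internal subset."""
    if data.startswith(b"bplist00"):
        return False  # binary plist: no XML, nothing to declare
    return bool(_ENTITY_DECL.search(data) or _INTERNAL_SUBSET.search(data))


def load_untrusted_plist(data: bytes):
    """Parse a plist from an untrusted source, refusing entity declarations.

    Raises ValueError before the XML parser ever sees a declaration, and
    re-raises plistlib's own InvalidFileException (which patched plistlib
    uses for entity declarations) as ValueError too.
    """
    if has_entity_declarations(data):
        raise ValueError("plist rejected: ENTITY declaration or internal subset present")
    try:
        return plistlib.loads(data)
    except plistlib.InvalidFileException as exc:
        raise ValueError(f"plist rejected by plistlib: {exc}") from exc


def plist_is_acceptable(data: bytes) -> bool:
    """Convenience predicate: True if the plist parses under the guard."""
    try:
        load_untrusted_plist(data)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    print(load_untrusted_plist(BENIGN_PLIST))   # {'Name': 'demo', 'Enabled': True}
    print(plist_is_acceptable(XXE_PLIST))       # False
```

The regex check is deliberately cruder than a full XML prolog parser: it errs on the side of rejecting, which is the right trade-off for a format that never needs entities. Keep the upgrade to patched plistlib as the real fix; the guard only narrows the window.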