Mixing "CVE" format pattern case for Python packages
Describe the bug
I noticed that in [1] and [2] there is a mix of CVE format patterns. Basically, both lower and upper case are used.
Is there any specific reason why cve-2024-7592 is lowercase in both advisories?
Affecting Photon 5 and 4.
Refs:
[1] https://github.com/vmware/photon/wiki/Security-Update-5.0-386
[2] https://github.com/vmware/photon/wiki/Security-Update-4.0-704
Reproduction steps
- Download feed 5 or 4
- run (the feed file is the input to jq, not a command itself):

```shell
jq '.[] | select(.cve_id == "cve-2024-7592")' cve_data_photon5.0.json
```
```
{
  "cve_id": "cve-2024-7592",
  "pkg": "python3",
  "cve_score": 7.5,
  "aff_ver": "all versions before 3.11.9-4.ph5 are vulnerable",
  "res_ver": "3.11.9-4.ph5"
}
{
  "cve_id": "cve-2024-7592",
  "pkg": "python3-libs",
  "cve_score": 7.5,
  "aff_ver": "all versions before 3.11.9-4.ph5 are vulnerable",
  "res_ver": "3.11.9-4.ph5"
}
{
  "cve_id": "cve-2024-7592",
  "pkg": "python3-xml",
  "cve_score": 7.5,
  "aff_ver": "all versions before 3.11.9-4.ph5 are vulnerable",
  "res_ver": "3.11.9-4.ph5"
}
{
  "cve_id": "cve-2024-7592",
  "pkg": "python3-curses",
  "cve_score": 7.5,
  "aff_ver": "all versions before 3.11.9-4.ph5 are vulnerable",
  "res_ver": "3.11.9-4.ph5"
}
{
  "cve_id": "cve-2024-7592",
  "pkg": "python3-devel",
  "cve_score": 7.5,
  "aff_ver": "all versions before 3.11.9-4.ph5 are vulnerable",
  "res_ver": "3.11.9-4.ph5"
}
{
  "cve_id": "cve-2024-7592",
  "pkg": "python3-tools",
  "cve_score": 7.5,
  "aff_ver": "all versions before 3.11.9-4.ph5 are vulnerable",
  "res_ver": "3.11.9-4.ph5"
}
{
  "cve_id": "cve-2024-7592",
  "pkg": "python3-test",
  "cve_score": 7.5,
  "aff_ver": "all versions before 3.11.9-4.ph5 are vulnerable",
  "res_ver": "3.11.9-4.ph5"
}
{
  "cve_id": "cve-2024-7592",
  "pkg": "python3-macros",
  "cve_score": 7.5,
  "aff_ver": "all versions before 3.11.9-4.ph5 are vulnerable",
  "res_ver": "3.11.9-4.ph5"
}
```
Expected behavior
A standard format pattern for CVE strings.
Additional context
No response
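An exact-match `jq` query like the one above silently misses records whose `cve_id` uses the other case. The checker below is an added example (not part of this report or of the Photon project): it walks a feed in the same record shape (`cve_id`, `pkg`, `cve_score`, `aff_ver`, `res_ver`), reports every `cve_id` that is not in canonical `CVE-YYYY-NNNN` form, and does a case-insensitive lookup. The feed content is a constructed sample, not the real `cve_data_photon5.0.json`.

```python
import json
import re
from collections import defaultdict

# Canonical CVE identifier: "CVE-", a 4-digit year, then 4 or more digits.
CANONICAL_CVE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Constructed sample in the shape of the Photon cve_data_photon5.0.json feed.
# Same CVE deliberately appears in both cases to mimic the mixed-case issue.
SAMPLE_FEED = json.dumps([
    {"cve_id": "cve-2024-7592", "pkg": "python3", "cve_score": 7.5,
     "aff_ver": "all versions before 3.11.9-4.ph5 are vulnerable",
     "res_ver": "3.11.9-4.ph5"},
    {"cve_id": "cve-2024-7592", "pkg": "python3-libs", "cve_score": 7.5,
     "aff_ver": "all versions before 3.11.9-4.ph5 are vulnerable",
     "res_ver": "3.11.9-4.ph5"},
    {"cve_id": "CVE-2024-7592", "pkg": "python3-xml", "cve_score": 7.5,
     "aff_ver": "all versions before 3.11.9-4.ph5 are vulnerable",
     "res_ver": "3.11.9-4.ph5"},
])


def normalize_cve_id(cve_id: str) -> str:
    """Return the canonical upper-case form; raise if it is not a CVE id at all."""
    candidate = cve_id.strip().upper()
    if not CANONICAL_CVE.match(candidate):
        raise ValueError(f"not a CVE identifier: {cve_id!r}")
    return candidate


def find_noncanonical(feed_json: str) -> dict:
    """Map each cve_id string that is not canonical to the packages carrying it."""
    offenders = defaultdict(list)
    for rec in json.loads(feed_json):
        raw = rec["cve_id"]
        if normalize_cve_id(raw) != raw:
            offenders[raw].append(rec["pkg"])
    return dict(offenders)


def lookup(feed_json: str, cve_id: str) -> list:
    """Case-insensitive equivalent of jq's select(.cve_id == "...")."""
    wanted = normalize_cve_id(cve_id)
    return [rec for rec in json.loads(feed_json)
            if normalize_cve_id(rec["cve_id"]) == wanted]


if __name__ == "__main__":
    for bad, pkgs in find_noncanonical(SAMPLE_FEED).items():
        print(f"{bad} -> {normalize_cve_id(bad)}: {', '.join(pkgs)}")
```

Run it against the real feed by replacing `SAMPLE_FEED` with the file contents; a feed with a consistent pattern yields an empty report from `find_noncanonical`.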
good catch, maybe @sikkamukul can provide insights on this.
@sikkamukul Besides the format issue, here's a Grok-based analysis of the latest October 2025 Python patches. Nothing to worry about but good to know.
Necessary Patches for Photon OS Python Packages
The following table summarizes the latest upstream patches necessary for Photon OS Python SPECs. Focus is on security-critical updates (CVEs) and stability fixes that impact builds/runtimes. Upgrade SPECs by setting the source to the new tarball and applying any Photon-specific patches (e.g., for glibc 2.36+ compatibility).
| Python Branch | Latest October Patch | Key Security Fixes (CVEs) | Impact on Photon SPECs | Recommendation |
|---|---|---|---|---|
| 3.13.x (New in Photon 6.0 previews) | 3.13.8 (Oct 7, 2025) | - CVE-2025-4517: tarfile symlink bypass via crafted links. - Bundled libexpat 2.6.4: Fixes hash collision DoS (CVE-2025-4330). - ~50 stability fixes for ARM64 builds (relevant for Photon ARM support). | High: Affects new container/edge builds. Update python3.spec source to 3.13.8 tarball. Rebuild dependents like pmd-python3.spec. | Essential for new deployments. Test on linux-esx kernel. |
| 3.11.x (Photon OS 5.0 default) | No October release; use 3.11.13 (June 3, 2025) | - Inherited from June: CVE-2025-4138 (tarfile filter bypass). - OpenSSL 3.0.15 integration (CVE-2025-4435). | Medium: Core runtime for Photon 5.0 tools (e.g., tdnf scripting). Backport tarfile fixes to python3.spec if not upgraded. | Apply backports via SPEC patches. Monitor for 3.11.14 (expected Q4 2025). |
| 3.10.x (Photon OS 4.0 Rev2 default) | No October release; use 3.10.18 (irregular security-only) | - Inherited: CVE-2024-12718 (tarfile infinite loop). - Path truncation fix (CVE-2025-4330 variant). | Medium: Legacy support in older containers. Update python3.spec for 4.0 branches. | Backport security commits. EOL bugfixes; migrate to 5.0+. |