SUSE-SU-2016:2653-1

Published: 26 Oct 2016
Source: suse-cvrf

Description

Security update for python3

This update provides Python 3.4.5, which brings many fixes and enhancements.

The following security issues have been fixed:

  • CVE-2016-1000110: CGIHandler could have allowed setting of HTTP_PROXY environment variable based on user supplied Proxy request header. (bsc#989523)
  • CVE-2016-0772: A vulnerability in smtplib could have allowed a MITM attacker to perform a startTLS stripping attack. (bsc#984751)
  • CVE-2016-5636: A heap overflow in Python's zipimport module. (bsc#985177)
  • CVE-2016-5699: A header injection flaw in urllib2/urllib/httplib/http.client. (bsc#985348)

The update also includes the following non-security fixes:

  • Don't force 3rd party C extensions to be built with -Werror=declaration-after-statement. (bsc#951166)
  • Make urllib proxy var handling behave as usual on POSIX. (bsc#983582)

For a comprehensive list of changes please refer to the upstream change log: https://docs.python.org/3.4/whatsnew/changelog.html

Package list

SUSE Linux Enterprise Desktop 12 SP1
  libpython3_4m1_0-3.4.5-17.1
  python3-3.4.5-17.1
  python3-base-3.4.5-17.1
SUSE Linux Enterprise Module for Web and Scripting 12
  libpython3_4m1_0-3.4.5-17.1
  python3-3.4.5-17.1
  python3-base-3.4.5-17.1
SUSE Linux Enterprise Server 12 SP1
  libpython3_4m1_0-3.4.5-17.1
  python3-3.4.5-17.1
  python3-base-3.4.5-17.1
SUSE Linux Enterprise Server for SAP Applications 12 SP1
  libpython3_4m1_0-3.4.5-17.1
  python3-3.4.5-17.1
  python3-base-3.4.5-17.1
SUSE Linux Enterprise Software Development Kit 12 SP1
  python3-devel-3.4.5-17.1

Description (CVE-2016-0772)

The smtplib library in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 does not return an error when StartTLS fails, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a "StartTLS stripping attack."
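The failure mode above is easiest to see in a live exchange. The following added example (not part of the advisory or of CPython) runs a constructed loopback SMTP server that advertises STARTTLS in its EHLO reply but answers the STARTTLS command with a 454, which is what a client sees when an on-path attacker blocks the upgrade. A fixed smtplib raises `SMTPResponseException` carrying that code instead of returning the tuple quietly and leaving the session in plaintext; the probe returns the code so a deployment can verify the interpreter it runs on. Host name `client.example`, the server banner and the port chosen by the OS are all constructed values.

```python
"""Probe whether smtplib.starttls() raises when the TLS upgrade is refused."""
import smtplib
import socket
import threading


def _fake_smtp_server(listener):
    """Constructed server: offers STARTTLS, then refuses it with a 454 reply."""
    conn, _ = listener.accept()
    with conn, conn.makefile("rb") as reader:
        conn.sendall(b"220 fake.example ESMTP constructed\r\n")
        while True:
            line = reader.readline()
            if not line:  # client closed the connection
                break
            cmd = line.strip().upper()
            if cmd.startswith(b"EHLO"):
                conn.sendall(b"250-fake.example\r\n250 STARTTLS\r\n")
            elif cmd.startswith(b"HELO"):
                conn.sendall(b"250 fake.example\r\n")
            elif cmd == b"STARTTLS":
                # The stripping scenario: the upgrade is blocked or refused.
                conn.sendall(b"454 TLS not available due to temporary reason\r\n")
            elif cmd == b"QUIT":
                conn.sendall(b"221 bye\r\n")
                break
            else:
                conn.sendall(b"500 command unrecognized\r\n")


def probe_starttls_failure_handling():
    """Return the SMTP code carried by the exception smtplib raises on a refused
    STARTTLS, or None if starttls() returned quietly (the pre-3.4.5 behaviour)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    server = threading.Thread(target=_fake_smtp_server, args=(listener,), daemon=True)
    server.start()

    # local_hostname avoids a DNS lookup in SMTP.__init__ (assumed name).
    client = smtplib.SMTP("127.0.0.1", port, local_hostname="client.example", timeout=5)
    try:
        client.starttls()
        return None  # session silently stayed in plaintext
    except smtplib.SMTPResponseException as exc:
        return exc.smtp_code
    finally:
        client.close()
        server.join(timeout=5)
        listener.close()


if __name__ == "__main__":
    code = probe_starttls_failure_handling()
    print("starttls() raised with code", code if code else "(no exception: vulnerable)")
```

On a patched interpreter the probe returns 454. Application code should still treat any exception from `starttls()` as fatal for the session rather than falling back to `sendmail()`, because the fix only turns the silent failure into a loud one.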


Affected products
SUSE Linux Enterprise Desktop 12 SP1:libpython3_4m1_0-3.4.5-17.1
SUSE Linux Enterprise Desktop 12 SP1:python3-3.4.5-17.1
SUSE Linux Enterprise Desktop 12 SP1:python3-base-3.4.5-17.1
SUSE Linux Enterprise Module for Web and Scripting 12:libpython3_4m1_0-3.4.5-17.1

Description (CVE-2016-1000110)

The CGIHandler class in Python before 2.7.12 does not protect against the HTTP_PROXY variable name clash in a CGI script, which could allow a remote attacker to redirect HTTP requests.
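The clash arises because CGI exports every request header as `HTTP_<NAME>`, so a client-supplied `Proxy:` header lands in the environment as `HTTP_PROXY`, the same variable urllib reads to pick an outgoing proxy. The added example below (not code from the advisory or from CPython) shows the two defensive checks a deployment can make: scrubbing a request-derived `HTTP_PROXY` from a CGI environment before any outbound request, and probing whether the running interpreter's `urllib.request.getproxies_environment()` already ignores `HTTP_PROXY` when `REQUEST_METHOD` marks a CGI context, which is the behaviour the fix introduced. The proxy URL and environment values are constructed.

```python
"""Defend against the CGI HTTP_PROXY name clash ('httpoxy')."""
import os
import urllib.request
from unittest import mock


def scrub_cgi_proxy_env(environ):
    """Return a copy of a CGI environment without a request-derived HTTP_PROXY.

    REQUEST_METHOD is only set by a CGI gateway, so its presence means that
    HTTP_PROXY may have come from a client 'Proxy:' header rather than from the
    operator. The lowercase http_proxy, which a gateway never sets from a
    request header, is left alone.
    """
    env = dict(environ)
    if "REQUEST_METHOD" in env:
        env.pop("HTTP_PROXY", None)
    return env


def interpreter_ignores_cgi_http_proxy():
    """True if urllib discards HTTP_PROXY in a CGI context (fixed behaviour).

    The environment is replaced only for the duration of the check so that a
    real operator-set proxy on the host does not influence the result.
    """
    cgi_env = {
        "REQUEST_METHOD": "GET",                    # constructed CGI marker
        "HTTP_PROXY": "http://proxy.example:8080",  # constructed, as if from 'Proxy:'
    }
    with mock.patch.dict(os.environ, cgi_env, clear=True):
        proxies = urllib.request.getproxies_environment()
    return "http" not in proxies


if __name__ == "__main__":
    sample = {"REQUEST_METHOD": "GET", "HTTP_PROXY": "http://proxy.example:8080",
              "HTTP_HOST": "app.example"}  # constructed CGI environment
    print("scrubbed:", scrub_cgi_proxy_env(sample))
    print("interpreter already ignores HTTP_PROXY under CGI:",
          interpreter_ignores_cgi_http_proxy())
```

The scrub is worth keeping even on a patched interpreter, because other HTTP client libraries loaded by the same CGI script may read `HTTP_PROXY` themselves.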


Affected products
SUSE Linux Enterprise Desktop 12 SP1:libpython3_4m1_0-3.4.5-17.1
SUSE Linux Enterprise Desktop 12 SP1:python3-3.4.5-17.1
SUSE Linux Enterprise Desktop 12 SP1:python3-base-3.4.5-17.1
SUSE Linux Enterprise Module for Web and Scripting 12:libpython3_4m1_0-3.4.5-17.1

Description (CVE-2016-5636)

Integer overflow in the get_data function in zipimport.c in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers to have unspecified impact via a negative data size value, which triggers a heap-based buffer overflow.


Affected products
SUSE Linux Enterprise Desktop 12 SP1:libpython3_4m1_0-3.4.5-17.1
SUSE Linux Enterprise Desktop 12 SP1:python3-3.4.5-17.1
SUSE Linux Enterprise Desktop 12 SP1:python3-base-3.4.5-17.1
SUSE Linux Enterprise Module for Web and Scripting 12:libpython3_4m1_0-3.4.5-17.1

Description (CVE-2016-5699)

CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL.
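Header injection works because a CR/LF pair inside a header value ends that header line on the wire and whatever follows is parsed as a new header. The added example below (not the advisory's or CPython's code) gives a strict validator that an application can apply to any header built from untrusted input, and a probe that checks whether the running `http.client` refuses such a value in `putheader()`, which is the check added by the fix. The validator is deliberately stricter than CPython's own check, which still tolerates RFC 7230 obs-fold (CRLF followed by a space or tab); here any CR or LF is refused. No connection is opened by the probe: `putrequest()` and `putheader()` only buffer the request. The header names and values are constructed.

```python
"""Reject CR/LF in HTTP header names and values before they reach the wire."""
import http.client
import re

_CTL_RE = re.compile(r"[\r\n]")
# RFC 7230 'token' characters for a header field name.
_NAME_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def header_is_safe(name, value):
    """True if name is a valid token and value carries no CR or LF at all."""
    return bool(_NAME_RE.match(name)) and _CTL_RE.search(value) is None


def validate_header(name, value):
    """Return (name, value) unchanged when safe, otherwise raise ValueError."""
    if not header_is_safe(name, value):
        raise ValueError(f"refusing header {name!r}: {value!r}")
    return name, value


def stdlib_rejects_crlf_header():
    """True if this interpreter's http.client refuses a CRLF-bearing header value."""
    conn = http.client.HTTPConnection("localhost")  # nothing is sent or connected
    try:
        conn.putrequest("GET", "/")
        conn.putheader("X-Constructed", "ok\r\nX-Injected: 1")  # constructed value
    except ValueError:
        return True
    finally:
        conn.close()
    return False


if __name__ == "__main__":
    print(validate_header("X-Request-Id", "abc123"))
    print("untrusted value with CRLF is safe:",
          header_is_safe("X-Request-Id", "abc\r\nX-Injected: 1"))
    print("http.client rejects CRLF in putheader:", stdlib_rejects_crlf_header())
```

Applying `validate_header()` at the point where request data is copied into an outgoing header keeps the protection independent of which HTTP library, or which interpreter version, eventually sends the request.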


Affected products
SUSE Linux Enterprise Desktop 12 SP1:libpython3_4m1_0-3.4.5-17.1
SUSE Linux Enterprise Desktop 12 SP1:python3-3.4.5-17.1
SUSE Linux Enterprise Desktop 12 SP1:python3-base-3.4.5-17.1
SUSE Linux Enterprise Module for Web and Scripting 12:libpython3_4m1_0-3.4.5-17.1
