Description
Security update for python3
This update provides Python 3.4.5, which brings many fixes and enhancements.
The following security issues have been fixed:
- CVE-2016-1000110: CGIHandler could have allowed the HTTP_PROXY environment variable to be set from a user-supplied Proxy request header. (bsc#989523)
- CVE-2016-0772: A vulnerability in smtplib could have allowed a MITM attacker to perform a startTLS stripping attack. (bsc#984751)
- CVE-2016-5636: A heap overflow in Python's zipimport module. (bsc#985177)
- CVE-2016-5699: A header injection flaw in urllib2/urllib/httplib/http.client. (bsc#985348)
The update also includes the following non-security fixes:
- Don't force 3rd party C extensions to be built with -Werror=declaration-after-statement. (bsc#951166)
- Make urllib proxy var handling behave as usual on POSIX. (bsc#983582)
For a comprehensive list of changes please refer to the upstream change log: https://docs.python.org/3.4/whatsnew/changelog.html
Package list
SUSE Linux Enterprise Desktop 12 SP2
SUSE Linux Enterprise Server 12 SP2
SUSE Linux Enterprise Server for Raspberry Pi 12 SP2
SUSE Linux Enterprise Server for SAP Applications 12 SP2
SUSE Linux Enterprise Software Development Kit 12 SP2
References
- Link for SUSE-SU-2016:2859-1
- E-Mail link for SUSE-SU-2016:2859-1
- SUSE Security Ratings
- SUSE Bug 951166
- SUSE Bug 983582
- SUSE Bug 984751
- SUSE Bug 985177
- SUSE Bug 985348
- SUSE Bug 989523
- SUSE Bug 991069
- SUSE CVE CVE-2016-0772 page
- SUSE CVE CVE-2016-1000110 page
- SUSE CVE CVE-2016-5636 page
- SUSE CVE CVE-2016-5699 page
Description
The smtplib library in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 does not return an error when StartTLS fails, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a "StartTLS stripping attack."
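The fail-closed behaviour a mail client should apply against the attack described above, as an added example that is not part of the advisory or of CPython: a constructed fake SMTP server on loopback advertises STARTTLS but answers 454, and the client refuses to continue in clear text whether the interpreter raises on the failure (3.4.5 and later) or, as before the fix, silently returns the non-220 code. The server banner, the hostname `client.test` and the function names are the example's own.

```python
import smtplib
import socketserver
import threading


class _RefusingStartTLSHandler(socketserver.StreamRequestHandler):
    """Constructed fake SMTP server: advertises STARTTLS, then refuses it.

    This stands in for the network position the advisory describes, where the
    upgrade to TLS is blocked and the session would otherwise stay in clear text.
    """

    def handle(self):
        self.wfile.write(b"220 fake.test ESMTP constructed example\r\n")
        while True:
            line = self.rfile.readline()
            if not line:
                return
            verb = line.split(None, 1)[0].upper() if line.strip() else b""
            if verb in (b"EHLO", b"HELO"):
                self.wfile.write(b"250-fake.test\r\n250 STARTTLS\r\n")
            elif verb == b"STARTTLS":
                # A non-220 reply means the channel did NOT become encrypted.
                self.wfile.write(b"454 TLS not available due to temporary reason\r\n")
            elif verb == b"QUIT":
                self.wfile.write(b"221 fake.test closing\r\n")
                return
            else:
                self.wfile.write(b"250 OK\r\n")


def start_refusing_server():
    """Serve exactly one connection on an ephemeral loopback port."""
    server = socketserver.TCPServer(("127.0.0.1", 0), _RefusingStartTLSHandler)
    threading.Thread(target=server.handle_request, daemon=True).start()
    return server, server.server_address[1]


def deliver_with_required_tls(host, port, timeout=5.0):
    """Return True only if STARTTLS was actually negotiated; never fall back.

    Handles both interpreter behaviours: CPython 3.4.5+ / 2.7.12+ raise
    SMTPResponseException on a non-220 reply, older versions return the code.
    """
    with smtplib.SMTP(host, port, local_hostname="client.test", timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return False          # server offers no TLS at all: do not send
        try:
            code, _reply = smtp.starttls()
        except smtplib.SMTPException:
            return False          # fixed interpreters: failure surfaces as an exception
        if code != 220:
            return False          # unfixed interpreters: failure surfaces only as the code
        # Only here is the socket wrapped in TLS; a real client would re-issue
        # EHLO, authenticate and send at this point.
        return True


def demo():
    """Run the client against the refusing server; expected result is False."""
    server, port = start_refusing_server()
    try:
        return deliver_with_required_tls("127.0.0.1", port)
    finally:
        server.server_close()


if __name__ == "__main__":
    print("delivered over TLS:", demo())
```

Checking the return code explicitly, not just catching the exception, is what keeps the client safe on interpreters that predate the fix.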
Affected products
References
- CVE-2016-0772
- SUSE Bug 984751
Description
The CGIHandler class in Python before 2.7.12 does not protect against the HTTP_PROXY variable name clash in a CGI script, which could allow a remote attacker to redirect HTTP requests.
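The two places the variable-name clash can be broken, as an added example that is not the advisory's or CPython's own code: a proxy-environment lookup modelled on the fix CPython shipped for this issue (ignore an upper-case HTTP_PROXY whenever REQUEST_METHOD marks a CGI context, while still honouring a deliberately set lower-case http_proxy), and a gateway-side scrub that drops HTTP_PROXY from the CGI environ before a script sees it. The environ dictionaries and proxy hostnames are constructed.

```python
import os


def getproxies_from_environ(environ=None):
    """Proxy map resolution that ignores a CGI-derived HTTP_PROXY.

    Re-implementation modelled on urllib.request.getproxies_environment
    after the CVE-2016-1000110 fix (this is the example's own code, not the
    stdlib's).  `environ` defaults to os.environ; a dict can be passed in.
    """
    if environ is None:
        environ = os.environ
    proxies = {}
    # Pass 1: accept any casing of *_proxy.
    for name, value in environ.items():
        lname = name.lower()
        if value and lname.endswith("_proxy"):
            proxies[lname[:-6]] = value
    # A CGI gateway sets REQUEST_METHOD and maps every client header to
    # HTTP_<NAME>, so HTTP_PROXY may really be the client's "Proxy:" header.
    if "REQUEST_METHOD" in environ:
        proxies.pop("http", None)
    # Pass 2: lower-case names win (they cannot come from a client header),
    # and an explicitly empty value clears the entry.
    for name, value in environ.items():
        if name.endswith("_proxy"):
            key = name.lower()[:-6]
            if value:
                proxies[key] = value
            else:
                proxies.pop(key, None)
    return proxies


def scrub_cgi_environ(environ):
    """Gateway-side mitigation: never forward a client Proxy header.

    Returns a copy of the CGI/WSGI environ with HTTP_PROXY removed, so neither
    the script nor any library it calls can be steered to a proxy chosen by
    the requester.
    """
    cleaned = dict(environ)
    cleaned.pop("HTTP_PROXY", None)
    return cleaned


if __name__ == "__main__":
    # Constructed CGI environ in which HTTP_PROXY came from a request header.
    cgi_env = {
        "REQUEST_METHOD": "GET",
        "HTTP_PROXY": "http://untrusted-proxy.example.test:8080",
        "HTTPS_PROXY": "http://corp-proxy.example.test:3128",
    }
    print(getproxies_from_environ(cgi_env))        # {'https': 'http://corp-proxy.example.test:3128'}
    print(getproxies_from_environ(scrub_cgi_environ(cgi_env)))
```

Only the `http` entry is dropped because only the `Proxy:` request header collides with a conventional proxy variable name; HTTPS_PROXY has no such header counterpart.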
Affected products
References
- CVE-2016-1000110
- SUSE Bug 988484
- SUSE Bug 989523
Description
Integer overflow in the get_data function in zipimport.c in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers to have unspecified impact via a negative data size value, which triggers a heap-based buffer overflow.
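The bounds checking that get_data lacked, as an added example in Python rather than the C of zipimport.c, and not the advisory's or CPython's own code: a reader for a zip local file header that rejects a size field which would be negative as a 32-bit C int and a size that does not fit inside the archive, exercised against a constructed in-memory archive and two tampered copies. Function names and the sample module name are the example's own.

```python
import io
import struct
import zipfile

LOCAL_HEADER_SIG = b"PK\x03\x04"
# signature, version, flags, method, mtime, mdate, crc32, csize, usize, name_len, extra_len
LOCAL_HEADER_FMT = "<4s5H3I2H"
LOCAL_HEADER_LEN = struct.calcsize(LOCAL_HEADER_FMT)   # 30 bytes
CSIZE_OFFSET = 18  # byte offset of the compressed-size field within the header


def to_signed32(value):
    """Interpret an unsigned 32-bit header field the way a C `int` would."""
    return value - (1 << 32) if value & 0x80000000 else value


def read_local_entry(archive, offset):
    """Return the raw stored data of the entry whose local header is at `offset`.

    Every size is validated against the archive before any slice is taken,
    which is the check the vulnerable get_data did not perform.
    """
    total = len(archive)
    if offset < 0 or offset + LOCAL_HEADER_LEN > total:
        raise ValueError("local header lies outside the archive")
    (sig, _ver, _flags, method, _mt, _md, _crc, csize, usize,
     name_len, extra_len) = struct.unpack_from(LOCAL_HEADER_FMT, archive, offset)
    if sig != LOCAL_HEADER_SIG:
        raise ValueError("bad local file header signature")
    # The CVE: a size field of 2**31 or more reads as a negative C int.
    if to_signed32(csize) < 0 or to_signed32(usize) < 0:
        raise ValueError("negative data size")
    data_start = offset + LOCAL_HEADER_LEN + name_len + extra_len
    if data_start > total or csize > total - data_start:
        raise ValueError("data size exceeds archive bounds")
    if method != zipfile.ZIP_STORED:
        raise ValueError("only stored entries are handled in this example")
    return bytes(archive[data_start:data_start + csize])


def build_stored_archive(name, payload):
    """Constructed sample: a one-file, uncompressed zip held in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def tamper_compressed_size(archive, new_size):
    """Constructed tampering: overwrite the first entry's compressed-size field."""
    mutable = bytearray(archive)
    struct.pack_into("<I", mutable, CSIZE_OFFSET, new_size)
    return bytes(mutable)


def demo():
    """Read a good archive, then show both malformed sizes being rejected."""
    payload = b"print('hello from zip')\n"
    good = build_stored_archive("mod.py", payload)
    if read_local_entry(good, 0) != payload:
        raise RuntimeError("intact archive should read back unchanged")
    results = {}
    for label, size in (("negative", 0xFFFFFFFF), ("oversized", len(good) + 1)):
        try:
            read_local_entry(tamper_compressed_size(good, size), 0)
            results[label] = "accepted"
        except ValueError as exc:
            results[label] = str(exc)
    return results


if __name__ == "__main__":
    print(demo())
```

The signed-range check and the bounds check are separate on purpose: a field of 0xFFFFFFFF is caught by the first, while a merely oversized value, which stays positive, is caught only by the second.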
Affected products
References
- CVE-2016-5636
- SUSE Bug 1065451
- SUSE Bug 1106262
- SUSE Bug 985177
Description
CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL.
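The validation that closes this class of defect, as an added example that is not the advisory's or CPython's own code: header-name and header-value checks modelled on those http.client gained for this issue (CR/LF permitted in a value only as RFC 7230 obs-fold, i.e. followed by a space or tab), plus a check on the request target for control characters, which goes beyond the fix named on this page and is modelled on a later CPython hardening. The request builder and sample header values are constructed.

```python
import re

# A header name must not contain ':' or whitespace at its start, nor CR/LF
# anywhere; a value may contain CR/LF only when followed by space or tab.
_LEGAL_HEADER_NAME = re.compile(r"[^:\s][^:\r\n]*").fullmatch
_ILLEGAL_HEADER_VALUE = re.compile(r"\n(?![ \t])|\r(?![ \t\n])").search
# Control characters, space and DEL in a request target would end the
# request line early and let what follows be parsed as headers.
_ILLEGAL_TARGET_CHAR = re.compile(r"[\x00-\x20\x7f]").search


def validate_header(name, value):
    """Return (name, value) unchanged, or raise ValueError if either could
    start a new header line when serialised."""
    if not _LEGAL_HEADER_NAME(name):
        raise ValueError("invalid header name %r" % (name,))
    if _ILLEGAL_HEADER_VALUE(value):
        raise ValueError("invalid header value %r" % (value,))
    return name, value


def validate_request_target(target):
    """Reject a path or URL that could terminate the request line early."""
    if _ILLEGAL_TARGET_CHAR(target):
        raise ValueError("invalid character in request target %r" % (target,))
    return target


def build_request(method, target, headers):
    """Assemble an HTTP/1.1 request from validated parts, one header per line."""
    lines = ["%s %s HTTP/1.1" % (method, validate_request_target(target))]
    for name, value in headers:
        name, value = validate_header(name, value)
        lines.append("%s: %s" % (name, value))
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def classify(method, target, headers):
    """Return 'ok' or the rejection reason; convenient for log review or tests."""
    try:
        build_request(method, target, headers)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed inputs: one clean request, one header value carrying CRLF,
    # one legitimate obs-fold continuation that the check must still allow.
    print(classify("GET", "/", [("Host", "example.test")]))
    print(classify("GET", "/", [("Host", "example.test\r\nX-Injected: 1")]))
    print(classify("GET", "/", [("X-Fold", "line one\r\n continued")]))
```

Accepting obs-fold while rejecting a bare CR or LF is the subtle part; a check that simply forbids any CR/LF would break legitimate folded headers, which is why the upstream pattern uses negative lookaheads.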
Affected products
References
- CVE-2016-5699
- SUSE Bug 1122729
- SUSE Bug 1130840
- SUSE Bug 985348
- SUSE Bug 985351
- SUSE Bug 986630