Description
Security update for python-numpy
This update for python-numpy fixes the following issue:
Security issue fixed:
- CVE-2019-6446: Set allow_pickle to False by default to restrict loading of untrusted content (bsc#1122208). This update reduces the possibility of remote attackers executing arbitrary code by misusing numpy.load(). A warning is emitted at runtime when allow_pickle is not explicitly set.
NOTE: This update changes the behaviour of python-numpy, which might break your application.
To get the old behaviour back, you have to explicitly set allow_pickle to True. Be aware that this should only be done for trusted input, as loading untrusted input might lead to arbitrary code execution.
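The following is an added example, not code from the SUSE advisory or from NumPy itself. It demonstrates why the default changed: a constructed .npy file carrying a dtype=object array whose pickled element, via the __reduce__ protocol, calls os.getpid() when unpickled (a harmless stand-in for what a real payload would run). Loading with the post-update behaviour (allow_pickle=False, passed explicitly here so it does not depend on the installed NumPy version) refuses the file before the pickle is touched; loading with allow_pickle=True executes the attacker's callable inside the loading process. The class name RunGetpid, the helper names and the sample arrays are assumptions made for this example; the pre-flight header check shows how a service can reject object arrays without calling numpy.load() at all.

```python
import ast
import io
import os
import struct

import numpy as np


class RunGetpid:
    """Constructed stand-in for an attacker-controlled object (hypothetical,
    not from the advisory). Pickle's __reduce__ protocol lets an object say
    "rebuild me by calling this callable with these args"; the callable runs
    during unpickling, before numpy ever sees an array. Here it is
    os.getpid(), a harmless proof that the call ran in the loader's process;
    a real payload would use os.system or similar."""

    def __reduce__(self):
        return (os.getpid, ())


def build_untrusted_npy():
    """Constructed sample input: .npy bytes for an object array holding the
    payload. np.save() pickles any dtype=object array, so this is a valid
    .npy file that an attacker could hand to a victim."""
    buf = io.BytesIO()
    np.save(buf, np.array([RunGetpid()], dtype=object), allow_pickle=True)
    return buf.getvalue()


def build_numeric_npy():
    """Constructed sample input: an ordinary int64 array, which never needs
    pickle and is unaffected by the new default."""
    buf = io.BytesIO()
    np.save(buf, np.array([1, 2, 3], dtype="<i8"))
    return buf.getvalue()


def npy_descr(data):
    """Read the dtype descriptor from the .npy header without touching the
    body: magic, version, header length (2 bytes in format 1.0, 4 bytes in
    2.0/3.0), then a Python dict literal parsed with ast.literal_eval,
    which evaluates no code."""
    if data[:6] != b"\x93NUMPY":
        raise ValueError("not a .npy file")
    major = data[6]
    if major == 1:
        (hlen,) = struct.unpack("<H", data[8:10])
        start = 10
    else:
        (hlen,) = struct.unpack("<I", data[8:12])
        start = 12
    header = ast.literal_eval(data[start:start + hlen].decode("latin1").strip())
    return header["descr"]


def npy_has_object_dtype(data):
    """Pre-flight check: True if loading this file would require unpickling.
    A service accepting uploads can reject such files before np.load()."""
    return bool(np.dtype(npy_descr(data)).hasobject)


def load_untrusted(data):
    """Post-update behaviour, made explicit: with allow_pickle=False a file
    whose array needs unpickling is refused with ValueError and the payload
    never executes. Returns the array on success, the error message on
    refusal."""
    try:
        return np.load(io.BytesIO(data), allow_pickle=False)
    except ValueError as exc:
        return str(exc)


def payload_ran_in_this_process(data):
    """Pre-update default (or allow_pickle=True on untrusted input):
    unpickling calls os.getpid(), so the array element is the loader's own
    PID, proving the attacker's callable executed inside this process."""
    arr = np.load(io.BytesIO(data), allow_pickle=True)
    return int(arr[0]) == os.getpid()


if __name__ == "__main__":
    evil, plain = build_untrusted_npy(), build_numeric_npy()
    print("header says object dtype:", npy_has_object_dtype(evil), npy_has_object_dtype(plain))
    print("allow_pickle=False on payload file:", load_untrusted(evil))
    print("allow_pickle=False on numeric file:", load_untrusted(plain))
    print("allow_pickle=True executed payload:", payload_ran_in_this_process(evil))
```

The header check matters because the ValueError from numpy.load() is raised only after the file has been opened and parsed up to the pickle; rejecting on the descriptor lets an input validation layer drop object-array files without ever involving the pickle module, which is the only safe posture for data from unauthenticated sources.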
Package list
Container ses/6/cephcsi/cephcsi:latest
Container ses/6/rook/ceph:latest
Image SLES15-SP1-Manager-4-0-Azure-BYOS-Server
Image SLES15-SP1-Manager-4-0-EC2-HVM-BYOS-Server
Image SLES15-SP1-Manager-4-0-GCE-BYOS-Server
Image SLES15-SP2-Manager-4-1-Server-BYOS-Azure
Image SLES15-SP2-Manager-4-1-Server-BYOS-EC2-HVM
Image SLES15-SP2-Manager-4-1-Server-BYOS-GCE
Image SLES15-SP3-Manager-4-2-Server-BYOS-Azure
Image SLES15-SP3-Manager-4-2-Server-BYOS-EC2-HVM
Image SLES15-SP3-Manager-4-2-Server-BYOS-GCE
SUSE Linux Enterprise Module for Basesystem 15
SUSE Linux Enterprise Module for HPC 15
References
- Link for SUSE-SU-2019:0418-1
- E-Mail link for SUSE-SU-2019:0418-1
- SUSE Security Ratings
- SUSE Bug 1122208
- SUSE CVE CVE-2019-6446 page
Description
** DISPUTED ** An issue was discovered in NumPy 1.16.0 and earlier. It uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object, as demonstrated by a numpy.load call. NOTE: third parties dispute this issue because it is a behavior that might have legitimate applications in (for example) loading serialized Python object arrays from trusted and authenticated sources.
Affected products
References
- CVE-2019-6446
- SUSE Bug 1122208