Описание
Security update for python3
This update for python3 fixes the following issues:
- CVE-2019-16056: Fixed a parser issue in the email module. (bsc#1149955)
- CVE-2018-20852: Fixed an incorrect domain validation that could lead to cookies being sent to the wrong server. (bsc#1141853)
Список пакетов
Image SLES12-SP4-Azure-BYOS
libpython3_4m1_0-3.4.6-25.34.2
python3-3.4.6-25.34.2
python3-base-3.4.6-25.34.2
Image SLES12-SP4-EC2-HVM-BYOS
libpython3_4m1_0-3.4.6-25.34.2
python3-3.4.6-25.34.2
python3-base-3.4.6-25.34.2
Image SLES12-SP4-GCE-BYOS
libpython3_4m1_0-3.4.6-25.34.2
python3-3.4.6-25.34.2
python3-base-3.4.6-25.34.2
Image SLES12-SP4-OCI-BYOS
libpython3_4m1_0-3.4.6-25.34.2
python3-3.4.6-25.34.2
python3-base-3.4.6-25.34.2
Image SLES12-SP4-SAP-Azure
libpython3_4m1_0-3.4.6-25.34.2
python3-3.4.6-25.34.2
python3-base-3.4.6-25.34.2
python3-curses-3.4.6-25.34.2
Image SLES12-SP4-SAP-Azure-BYOS
libpython3_4m1_0-3.4.6-25.34.2
python3-3.4.6-25.34.2
python3-base-3.4.6-25.34.2
python3-curses-3.4.6-25.34.2
Image SLES12-SP4-SAP-Azure-LI-BYOS-Production
libpython3_4m1_0-3.4.6-25.34.2
python3-3.4.6-25.34.2
python3-base-3.4.6-25.34.2
python3-curses-3.4.6-25.34.2
Image SLES12-SP4-SAP-Azure-VLI-BYOS-Production
libpython3_4m1_0-3.4.6-25.34.2
python3-3.4.6-25.34.2
python3-base-3.4.6-25.34.2
python3-curses-3.4.6-25.34.2
Image SLES12-SP4-SAP-EC2-HVM
libpython3_4m1_0-3.4.6-25.34.2
python3-3.4.6-25.34.2
python3-base-3.4.6-25.34.2
python3-curses-3.4.6-25.34.2
Image SLES12-SP4-SAP-EC2-HVM-BYOS
libpython3_4m1_0-3.4.6-25.34.2
python3-3.4.6-25.34.2
python3-base-3.4.6-25.34.2
python3-curses-3.4.6-25.34.2
Image SLES12-SP4-SAP-GCE
libpython3_4m1_0-3.4.6-25.34.2
python3-3.4.6-25.34.2
python3-base-3.4.6-25.34.2
python3-curses-3.4.6-25.34.2
Image SLES12-SP4-SAP-GCE-BYOS
libpython3_4m1_0-3.4.6-25.34.2
python3-3.4.6-25.34.2
python3-base-3.4.6-25.34.2
python3-curses-3.4.6-25.34.2
Image SLES12-SP4-SAP-OCI-BYOS
libpython3_4m1_0-3.4.6-25.34.2
python3-3.4.6-25.34.2
python3-base-3.4.6-25.34.2
python3-curses-3.4.6-25.34.2
Image SLES12-SP5-Azure-BYOS
libpython3_4m1_0-3.4.6-25.34.2
python3-3.4.6-25.34.2
python3-base-3.4.6-25.34.2
Image SLES12-SP5-Azure-Basic-On-Demand
libpython3_4m1_0-3.4.6-25.34.2
python3-3.4.6-25.34.2
python3-base-3.4.6-25.34.2
Image SLES12-SP5-Azure-HPC-BYOS
libpython3_4m1_0-3.4.6-25.34.2
python3-3.4.6-25.34.2
python3-base-3.4.6-25.34.2
Image SLES12-SP5-Azure-HPC-On-Demand
libpython3_4m1_0-3.4.6-25.34.2
python3-3.4.6-25.34.2
python3-base-3.4.6-25.34.2
Image SLES12-SP5-Azure-SAP-BYOS
libpython3_4m1_0-3.4.6-25.34.2
python3-3.4.6-25.34.2
python3-base-3.4.6-25.34.2
python3-curses-3.4.6-25.34.2
Image SLES12-SP5-Azure-SAP-On-Demand
libpython3_4m1_0-3.4.6-25.34.2
python3-3.4.6-25.34.2
python3-base-3.4.6-25.34.2
python3-curses-3.4.6-25.34.2
Image SLES12-SP5-Azure-Standard-On-Demand
libpython3_4m1_0-3.4.6-25.34.2
python3-3.4.6-25.34.2
python3-base-3.4.6-25.34.2
Image SLES12-SP5-EC2-BYOS
libpython3_4m1_0-3.4.6-25.34.2
python3-3.4.6-25.34.2
python3-base-3.4.6-25.34.2
Image SLES12-SP5-EC2-ECS-On-Demand
libpython3_4m1_0-3.4.6-25.34.2
python3-3.4.6-25.34.2
python3-base-3.4.6-25.34.2
Image SLES12-SP5-EC2-On-Demand
libpython3_4m1_0-3.4.6-25.34.2
python3-3.4.6-25.34.2
python3-base-3.4.6-25.34.2
Image SLES12-SP5-EC2-SAP-BYOS
libpython3_4m1_0-3.4.6-25.34.2
python3-3.4.6-25.34.2
python3-base-3.4.6-25.34.2
python3-curses-3.4.6-25.34.2
Image SLES12-SP5-EC2-SAP-On-Demand
libpython3_4m1_0-3.4.6-25.34.2
python3-3.4.6-25.34.2
python3-base-3.4.6-25.34.2
python3-curses-3.4.6-25.34.2
Image SLES12-SP5-GCE-BYOS
libpython3_4m1_0-3.4.6-25.34.2
python3-3.4.6-25.34.2
python3-base-3.4.6-25.34.2
Image SLES12-SP5-GCE-On-Demand
libpython3_4m1_0-3.4.6-25.34.2
python3-3.4.6-25.34.2
python3-base-3.4.6-25.34.2
Image SLES12-SP5-GCE-SAP-BYOS
libpython3_4m1_0-3.4.6-25.34.2
python3-3.4.6-25.34.2
python3-base-3.4.6-25.34.2
python3-curses-3.4.6-25.34.2
Image SLES12-SP5-GCE-SAP-On-Demand
libpython3_4m1_0-3.4.6-25.34.2
python3-3.4.6-25.34.2
python3-base-3.4.6-25.34.2
python3-curses-3.4.6-25.34.2
Image SLES12-SP5-OCI-BYOS-BYOS
libpython3_4m1_0-3.4.6-25.34.2
python3-3.4.6-25.34.2
python3-base-3.4.6-25.34.2
Image SLES12-SP5-OCI-BYOS-SAP-BYOS
libpython3_4m1_0-3.4.6-25.34.2
python3-3.4.6-25.34.2
python3-base-3.4.6-25.34.2
python3-curses-3.4.6-25.34.2
Image SLES12-SP5-SAP-Azure-LI-BYOS-Production
libpython3_4m1_0-3.4.6-25.34.2
python3-3.4.6-25.34.2
python3-base-3.4.6-25.34.2
python3-curses-3.4.6-25.34.2
Image SLES12-SP5-SAP-Azure-VLI-BYOS-Production
libpython3_4m1_0-3.4.6-25.34.2
python3-3.4.6-25.34.2
python3-base-3.4.6-25.34.2
python3-curses-3.4.6-25.34.2
SUSE Linux Enterprise Desktop 12 SP4
libpython3_4m1_0-3.4.6-25.34.2
python3-3.4.6-25.34.2
python3-base-3.4.6-25.34.2
python3-curses-3.4.6-25.34.2
SUSE Linux Enterprise Module for Web and Scripting 12
libpython3_4m1_0-3.4.6-25.34.2
python3-3.4.6-25.34.2
python3-base-3.4.6-25.34.2
SUSE Linux Enterprise Server 12 SP4
libpython3_4m1_0-3.4.6-25.34.2
python3-3.4.6-25.34.2
python3-base-3.4.6-25.34.2
python3-curses-3.4.6-25.34.2
SUSE Linux Enterprise Server 12 SP5
libpython3_4m1_0-3.4.6-25.34.2
libpython3_4m1_0-32bit-3.4.6-25.34.2
python3-3.4.6-25.34.2
python3-base-3.4.6-25.34.2
python3-curses-3.4.6-25.34.2
python3-tk-3.4.6-25.34.2
SUSE Linux Enterprise Server for SAP Applications 12 SP4
libpython3_4m1_0-3.4.6-25.34.2
python3-3.4.6-25.34.2
python3-base-3.4.6-25.34.2
python3-curses-3.4.6-25.34.2
SUSE Linux Enterprise Server for SAP Applications 12 SP5
libpython3_4m1_0-3.4.6-25.34.2
libpython3_4m1_0-32bit-3.4.6-25.34.2
python3-3.4.6-25.34.2
python3-base-3.4.6-25.34.2
python3-curses-3.4.6-25.34.2
python3-tk-3.4.6-25.34.2
SUSE Linux Enterprise Software Development Kit 12 SP4
python3-dbm-3.4.6-25.34.2
python3-devel-3.4.6-25.34.2
SUSE Linux Enterprise Software Development Kit 12 SP5
python3-dbm-3.4.6-25.34.2
python3-devel-3.4.6-25.34.2
Ссылки
- Link for SUSE-SU-2019:2798-1
- E-Mail link for SUSE-SU-2019:2798-1
- SUSE Security Ratings
- SUSE Bug 1141853
- SUSE Bug 1149955
- SUSE CVE CVE-2018-20852 page
- SUSE CVE CVE-2019-16056 page
Описание
http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker. This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3.
Затронутые продукты
Image SLES12-SP4-Azure-BYOS:libpython3_4m1_0-3.4.6-25.34.2
Image SLES12-SP4-Azure-BYOS:python3-3.4.6-25.34.2
Image SLES12-SP4-Azure-BYOS:python3-base-3.4.6-25.34.2
Image SLES12-SP4-EC2-HVM-BYOS:libpython3_4m1_0-3.4.6-25.34.2
Ссылки
- CVE-2018-20852
- SUSE Bug 1141853
Описание
An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally.
Затронутые продукты
Image SLES12-SP4-Azure-BYOS:libpython3_4m1_0-3.4.6-25.34.2
Image SLES12-SP4-Azure-BYOS:python3-3.4.6-25.34.2
Image SLES12-SP4-Azure-BYOS:python3-base-3.4.6-25.34.2
Image SLES12-SP4-EC2-HVM-BYOS:libpython3_4m1_0-3.4.6-25.34.2
Ссылки
- CVE-2019-16056
- SUSE Bug 1149955