Description
Security update for python310
This update for python310 fixes the following issues:
Updated to version 3.10.7:
- CVE-2020-10735: Fixed a DoS caused by a missing limit on the number of digits when converting text to int (bsc#1203125).
- CVE-2021-28861: Fixed an open redirect in the http server when a URI path starts with // (bsc#1202624).
Package list
Container bci/python:3
SUSE Linux Enterprise Module for Python 3 15 SP4
openSUSE Leap 15.4
References
- Link for SUSE-SU-2022:3473-1
- E-Mail link for SUSE-SU-2022:3473-1
- SUSE Security Ratings
- SUSE Bug 1202624
- SUSE Bug 1203125
- SUSE CVE CVE-2020-10735 page
- SUSE CVE CVE-2021-28861 page
Description
A flaw was found in Python. In algorithms with quadratic time complexity using non-binary bases, when using int("text"), a system could take 50ms to parse an int string with 100,000 digits and 5s for 1,000,000 digits (float, decimal, int.from_bytes(), and int() for binary bases 2, 4, 8, 16, and 32 are not affected). The highest threat from this vulnerability is to system availability.
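An application-level guard for the conversion described above, as an added example that is not part of the SUSE advisory or of CPython. The names `bounded_int`, `load_untrusted_json` and `interpreter_limit` are hypothetical, and the 4300-digit default is an assumption chosen to mirror the default limit in patched CPython builds.

```python
import json
import sys

# Bases the advisory lists as unaffected (linear-time conversion).
POWER_OF_TWO_BASES = {2, 4, 8, 16, 32}
# Assumption: 4300 mirrors the default limit in patched CPython builds.
DEFAULT_MAX_DIGITS = 4300


def interpreter_limit():
    """Return the interpreter's own digit limit, or None on unpatched builds."""
    getter = getattr(sys, "get_int_max_str_digits", None)
    return getter() if getter else None


def bounded_int(text, base=10, max_digits=DEFAULT_MAX_DIGITS):
    """int() with a length check done before the quadratic-time conversion."""
    if base not in POWER_OF_TWO_BASES:
        # Sign, surrounding whitespace and underscores are not digits.
        digits = text.strip().lstrip("+-").replace("_", "")
        if len(digits) > max_digits:
            raise ValueError(
                f"refusing to convert {len(digits)}-digit integer (limit {max_digits})"
            )
    return int(text, base)


def load_untrusted_json(payload):
    """Parse JSON so every integer literal goes through bounded_int."""
    return json.loads(payload, parse_int=bounded_int)


if __name__ == "__main__":
    print("interpreter limit:", interpreter_limit())
    oversized = '{"id": ' + "9" * 100_000 + "}"  # constructed sample input
    try:
        load_untrusted_json(oversized)
    except ValueError as exc:
        print("rejected:", exc)
    print(load_untrusted_json('{"id": 42}'))
```

The guard rejects over-long decimal input on both patched and unpatched interpreters, so it is useful on hosts where the 3.10.7 update has not yet been rolled out.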
Affected products
References
- CVE-2020-10735
- SUSE Bug 1203125
- SUSE Bug 1204077
- SUSE Bug 1204096
- SUSE Bug 1204097
- SUSE Bug 1205075
- SUSE Bug 1208131
Description
** DISPUTED ** Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection against multiple (/) at the beginning of URI path which may lead to information disclosure. NOTE: this is disputed by a third party because the http.server.html documentation page states "Warning: http.server is not recommended for production. It only implements basic security checks."
Affected products
References
- CVE-2021-28861
- SUSE Bug 1202624
- SUSE Bug 1204077
- SUSE Bug 1204801
- SUSE Bug 1204802
- SUSE Bug 1205068
- SUSE Bug 1205075
- SUSE Bug 1205467