Description
Security update for grpc, protobuf, python-Deprecated, python-PyGithub, python-aiocontextvars, python-avro, python-bcrypt, python-cryptography, python-cryptography-vectors, python-google-api-core, python-googleapis-common-protos, python-grpcio-gcp, python-humanfriendly, python-jsondiff, python-knack, python-opencensus, python-opencensus-context, python-opencensus-ext-threading, python-opentelemetry-api, python-psutil, python-pytest-asyncio, python-requests, python-websocket-client, python-websockets
This update for grpc, protobuf, python-Deprecated, python-PyGithub, python-aiocontextvars, python-avro, python-bcrypt, python-cryptography, python-cryptography-vectors, python-google-api-core, python-googleapis-common-protos, python-grpcio-gcp, python-humanfriendly, python-jsondiff, python-knack, python-opencensus, python-opencensus-context, python-opencensus-ext-threading, python-opentelemetry-api, python-psutil, python-pytest-asyncio, python-requests, python-websocket-client, python-websockets fixes the following issues:
grpc:
- Update in SLE-15 (bsc#1197726, bsc#1144068)
protobuf:
- Fix a potential DoS issue in protobuf-cpp and protobuf-python, CVE-2022-1941, bsc#1203681
- Fix a potential DoS issue when parsing with binary data in protobuf-java, CVE-2022-3171, bsc#1204256
- Fix potential Denial of Service in protobuf-java in the parsing procedure for binary data, CVE-2021-22569, bsc#1194530
- Add missing dependency of python subpackages on python-six (bsc#1177127)
- Updated to version 3.9.2 (bsc#1162343)
- Remove OSReadLittle* due to alignment requirements.
- Don't use unions and instead use memcpy for the type swaps.
- Disable LTO (bsc#1133277)
python-aiocontextvars:
- Include in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
python-avro:
- Include in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
- Update in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
python-cryptography:
- update to 3.3.2 (bsc#1182066, CVE-2020-36242, bsc#1198331)
- SECURITY ISSUE: Fixed a bug where certain sequences of update() calls when symmetrically encrypting very large payloads (>2GB) could result in an integer overflow, leading to buffer overflows. CVE-2020-36242
python-cryptography-vectors:
- update to 3.2 (bsc#1178168, CVE-2020-25659):
- CVE-2020-25659: Attempted to make RSA PKCS#1v1.5 decryption more constant time, to protect against Bleichenbacher vulnerabilities. Due to limitations imposed by our API, we cannot completely mitigate this vulnerability.
- Support for OpenSSL 1.0.2 has been removed.
- Added basic support for PKCS7 signing (including SMIME) via PKCS7SignatureBuilder.
- update to 3.3.2 (bsc#1198331)
python-Deprecated:
- Include in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
- update to 1.2.13:
python-google-api-core:
- Update to 1.14.2
python-googleapis-common-protos:
- Update to 1.6.0
python-grpcio-gcp:
- Initial spec for v0.2.2
python-humanfriendly:
- Update in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
- Update to 10.0
python-jsondiff:
- Update in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
- Update to version 1.3.0
python-knack:
- Update in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
- Update to version 0.9.0
python-opencensus:
- Include in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
- Disable Python2 build
- Update to 0.8.0
python-opencensus-context:
- Include in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
python-opencensus-ext-threading:
- Include in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
- Initial build version 0.1.2
python-opentelemetry-api:
- Include in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
- Version update to 1.5.0
python-psutil:
- Update in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
- update to 5.9.1
- remove the dependency on net-tools, since it conflicts with busybox-hostname, which is the default on MicroOS (bsc#1184753)
- Include in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
python-PyGithub:
- Update to 1.43.5:
python-pytest-asyncio:
- Include in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
- Initial release of python-pytest-asyncio 0.8.0
python-requests:
- Update in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
python-websocket-client:
- Update in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
- Update to version 1.3.2
python-websockets:
- Include in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
- update to 9.1:
Package List
Container ses/7.1/cephcsi/cephcsi:latest
Container ses/7.1/rook/ceph:latest
Container suse/sle15:15.1
Image SLES15-SP1-SAP-Azure-LI-BYOS-Production
Image SLES15-SP1-SAP-Azure-VLI-BYOS-Production
Image SLES15-SP2-BYOS-Azure
Image SLES15-SP2-HPC-BYOS-Azure
Image SLES15-SP2-SAP-Azure
Image SLES15-SP2-SAP-Azure-LI-BYOS-Production
Image SLES15-SP2-SAP-Azure-VLI-BYOS-Production
Image SLES15-SP2-SAP-BYOS-Azure
Image SLES15-SP2-SAP-BYOS-EC2-HVM
Image SLES15-SP2-SAP-BYOS-GCE
Image SLES15-SP2-SAP-EC2-HVM
Image SLES15-SP2-SAP-GCE
Image SLES15-SP3-BYOS-Azure
Image SLES15-SP3-HPC-BYOS-Azure
Image SLES15-SP3-Manager-4-2-Proxy-BYOS-Azure
Image SLES15-SP3-Manager-4-2-Server-BYOS-Azure
Image SLES15-SP3-SAP-Azure-LI-BYOS-Production
Image SLES15-SP3-SAP-Azure-VLI-BYOS-Production
Image SLES15-SP3-SAP-BYOS-Azure
Image SLES15-SP3-SAPCAL-Azure
Image SLES15-SP4-SAP-Azure-LI-BYOS
Image SLES15-SP4-SAP-Azure-LI-BYOS-Production
Image SLES15-SP4-SAP-Azure-VLI-BYOS
Image SLES15-SP4-SAP-Azure-VLI-BYOS-Production
Image SLES15-SP5-SAP-Azure-LI-BYOS
Image SLES15-SP5-SAP-Azure-LI-BYOS-Production
Image SLES15-SP5-SAP-Azure-VLI-BYOS
Image SLES15-SP5-SAP-Azure-VLI-BYOS-Production
Image SLES15-SP6-SAP-Azure-LI-BYOS
Image SLES15-SP6-SAP-Azure-LI-BYOS-Production
Image SLES15-SP6-SAP-Azure-VLI-BYOS
Image SLES15-SP6-SAP-Azure-VLI-BYOS-Production
SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS
References
- Link for SUSE-SU-2023:2783-2
- E-Mail link for SUSE-SU-2023:2783-2
- SUSE Security Ratings
- SUSE Bug 1099269
- SUSE Bug 1133277
- SUSE Bug 1144068
- SUSE Bug 1162343
- SUSE Bug 1177127
- SUSE Bug 1178168
- SUSE Bug 1182066
- SUSE Bug 1184753
- SUSE Bug 1194530
- SUSE Bug 1197726
- SUSE Bug 1198331
- SUSE Bug 1199282
- SUSE Bug 1203681
- SUSE Bug 1204256
- SUSE CVE CVE-2018-1000518 page
- SUSE CVE CVE-2020-25659 page
- SUSE CVE CVE-2020-36242 page
Description
aaugustin websockets version 4 contains a CWE-409: Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in servers and clients, unless configured with compression=None, that can result in denial of service by memory exhaustion. The attack appears to be exploitable by sending a specially crafted frame on an established connection. This vulnerability appears to have been fixed in version 5.
Affected products
References
- CVE-2018-1000518
- SUSE Bug 1099269
Description
python-cryptography 3.2 is vulnerable to Bleichenbacher timing attacks in the RSA decryption API, via timed processing of valid PKCS#1 v1.5 ciphertext.
Affected products
References
- CVE-2020-25659
- SUSE Bug 1178168
- SUSE Bug 1183152
- SUSE Bug 1218043
Description
In the cryptography package before 3.3.2 for Python, certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow, as demonstrated by the Fernet class.
Affected products
References
- CVE-2020-36242
- SUSE Bug 1182066
Description
An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.
Affected products
References
- CVE-2021-22569
- SUSE Bug 1194530
Description
Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater.
Affected products
References
- CVE-2021-22570
- SUSE Bug 1195258
Description
A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python, can lead to out-of-memory failures. A specially crafted message with multiple key-value pairs per element creates parsing issues and can lead to a denial of service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for protobuf-python. The 3.16 and 3.17 series are no longer updated.
Affected products
References
- CVE-2022-1941
- SUSE Bug 1203681
- SUSE Bug 1205141
Description
A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields cause objects to be converted back and forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
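The fixed versions quoted in the CVE descriptions above are spread over several release series (CVE-2022-1941 for protobuf-cpp and protobuf-python, CVE-2022-3171 for protobuf-java), plus two single-threshold fixes (CVE-2020-36242 for cryptography 3.3.2, CVE-2018-1000518 for websockets 5). Comparing an installed version against them by hand is error-prone, so the following added example turns those ranges into a check that can run over an inventory. It is not part of the SUSE advisory or of any upstream project: the version tables are transcribed from the descriptions on this page, the product names and the pip-freeze style inventory are constructed for the illustration, and a series the advisory does not mention (for example protobuf-java 3.17 or 3.18) is reported as unknown rather than guessed.

```python
"""Check package versions against the fixed versions named in this advisory.

Added example, not part of the SUSE advisory. The version tables below are
transcribed from the CVE descriptions on this page; the sample inventory is
constructed for illustration only.
"""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Multi-branch fixes. Key: (major, minor) release series; value: first fixed
# release in that series, or None where the advisory says the series is no
# longer updated (every release in such a series counts as affected).
BRANCH_FIXES: Dict[str, Dict[Tuple[int, int], Optional[Version]]] = {
    # CVE-2022-1941, protobuf-cpp
    "protobuf-cpp": {
        (3, 16): None, (3, 17): None,
        (3, 18): (3, 18, 3), (3, 19): (3, 19, 5),
        (3, 20): (3, 20, 2), (3, 21): (3, 21, 6),
    },
    # CVE-2022-1941, protobuf-python (the Python package numbers 3.21.x as 4.21.x)
    "protobuf-python": {
        (3, 16): None, (3, 17): None,
        (3, 18): (3, 18, 3), (3, 19): (3, 19, 5),
        (3, 20): (3, 20, 2), (4, 21): (4, 21, 6),
    },
    # CVE-2022-3171, protobuf-java (3.17 and 3.18 are not mentioned by the advisory)
    "protobuf-java": {
        (3, 16): (3, 16, 3), (3, 19): (3, 19, 6),
        (3, 20): (3, 20, 3), (3, 21): (3, 21, 7),
    },
}

# Single-threshold fixes: every release below the threshold is affected.
THRESHOLD_FIXES: Dict[str, Version] = {
    "cryptography": (3, 3, 2),  # CVE-2020-36242: "before 3.3.2"
    "websockets": (5, 0, 0),    # CVE-2018-1000518: "fixed in 5"
}


def parse_version(text: str) -> Version:
    """Parse "3.20.1", "9.1" or "v4.21.5rc1" into a (major, minor, patch) tuple."""
    m = re.match(r"^\s*v?(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError("unparseable version: %r" % text)
    major, minor, patch = (int(g) if g else 0 for g in m.groups())
    return (major, minor, patch)


def status(product: str, version: str) -> str:
    """Return "affected", "fixed" or "unknown" for one product/version pair."""
    v = parse_version(version)
    if product in THRESHOLD_FIXES:
        return "fixed" if v >= THRESHOLD_FIXES[product] else "affected"
    branches = BRANCH_FIXES[product]  # KeyError: product not covered here
    series = v[:2]
    if series in branches:
        first_fixed = branches[series]
        if first_fixed is None:
            return "affected"  # series no longer updated: move to a maintained series
        return "fixed" if v >= first_fixed else "affected"
    if series < min(branches):
        return "affected"  # older than every series the advisory names
    if series > max(branches):
        return "fixed"  # a newer series, released after the fix
    return "unknown"  # a series the advisory does not cover: verify manually


# Constructed mapping from pip distribution names to the product names above
# (the PyPI "protobuf" wheel is the protobuf-python package of CVE-2022-1941).
PIP_NAME_TO_PRODUCT = {
    "protobuf": "protobuf-python",
    "cryptography": "cryptography",
    "websockets": "websockets",
}

# Constructed sample inventory in `pip freeze` style.
SAMPLE_FREEZE = """\
protobuf==3.20.1
cryptography==3.3.2
websockets==4.0.1
requests==2.28.1
"""


def audit_freeze(freeze_text: str) -> Dict[str, str]:
    """Map each covered distribution in a pip-freeze listing to its status."""
    findings: Dict[str, str] = {}
    for line in freeze_text.splitlines():
        if "==" not in line:
            continue  # editable installs, comments, VCS URLs are skipped
        name, _, ver = line.partition("==")
        product = PIP_NAME_TO_PRODUCT.get(name.strip().lower())
        if product is not None:
            findings[name.strip()] = status(product, ver.strip())
    return findings


if __name__ == "__main__":
    for dist, result in audit_freeze(SAMPLE_FREEZE).items():
        print("%-14s %s" % (dist, result))
```

The three-way result matters: a series the advisory is silent on is neither safe nor known-vulnerable, and reporting it as "unknown" is what keeps an inventory check honest. Point `audit_freeze` at real `pip freeze` output, or extend `PIP_NAME_TO_PRODUCT` for other package managers, to use it beyond the constructed sample.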
Affected products
References
- CVE-2022-3171
- SUSE Bug 1204256
- SUSE Bug 1206544
- SUSE Bug 1206545