Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

suse-cvrf логотип

SUSE-SU-2023:2884-1

Опубликовано: 19 июл. 2023
Источник: suse-cvrf

Описание

Security update for python310

This update for python310 fixes the following issues:

  • Make marshalling of set and frozenset deterministic (bsc#1211765)

python310 was updated to 3.10.12:

  • urllib.parse.urlsplit() now strips leading C0 control and space characters following the specification for URLs defined by WHATWG in response to CVE-2023-24329 (bsc#1208471).
  • Fixed a security in flaw in uu.decode() that could allow for directory traversal based on the input if no out_file was specified.
  • Do not expose the local on-disk location in directory indexes produced by http.client.SimpleHTTPRequestHandler.
  • trace.main now uses io.open_code() for files to be executed instead of raw open().
  • CVE-2007-4559: The extraction methods in tarfile, and shutil.unpack_archive(), have a new filter argument that allows limiting tar features than may be surprising or dangerous, such as creating files outside the destination directory. See Extraction filters for details (fixing bsc#1203750).

Список пакетов

Container bci/python:3
libpython3_10-1_0-3.10.12-150400.4.30.1
python310-3.10.12-150400.4.30.1
python310-base-3.10.12-150400.4.30.1
python310-devel-3.10.12-150400.4.30.1
SUSE Linux Enterprise Module for Python 3 15 SP4
libpython3_10-1_0-3.10.12-150400.4.30.1
python310-3.10.12-150400.4.30.1
python310-base-3.10.12-150400.4.30.1
python310-curses-3.10.12-150400.4.30.1
python310-dbm-3.10.12-150400.4.30.1
python310-devel-3.10.12-150400.4.30.1
python310-idle-3.10.12-150400.4.30.1
python310-tk-3.10.12-150400.4.30.1
python310-tools-3.10.12-150400.4.30.1
openSUSE Leap 15.4
libpython3_10-1_0-3.10.12-150400.4.30.1
libpython3_10-1_0-32bit-3.10.12-150400.4.30.1
python310-3.10.12-150400.4.30.1
python310-32bit-3.10.12-150400.4.30.1
python310-base-3.10.12-150400.4.30.1
python310-base-32bit-3.10.12-150400.4.30.1
python310-curses-3.10.12-150400.4.30.1
python310-dbm-3.10.12-150400.4.30.1
python310-devel-3.10.12-150400.4.30.1
python310-doc-3.10.12-150400.4.30.1
python310-doc-devhelp-3.10.12-150400.4.30.1
python310-idle-3.10.12-150400.4.30.1
python310-testsuite-3.10.12-150400.4.30.1
python310-tk-3.10.12-150400.4.30.1
python310-tools-3.10.12-150400.4.30.1
openSUSE Leap 15.5
libpython3_10-1_0-3.10.12-150400.4.30.1
libpython3_10-1_0-32bit-3.10.12-150400.4.30.1
python310-3.10.12-150400.4.30.1
python310-32bit-3.10.12-150400.4.30.1
python310-base-3.10.12-150400.4.30.1
python310-base-32bit-3.10.12-150400.4.30.1
python310-curses-3.10.12-150400.4.30.1
python310-dbm-3.10.12-150400.4.30.1
python310-devel-3.10.12-150400.4.30.1
python310-doc-3.10.12-150400.4.30.1
python310-doc-devhelp-3.10.12-150400.4.30.1
python310-idle-3.10.12-150400.4.30.1
python310-testsuite-3.10.12-150400.4.30.1
python310-tk-3.10.12-150400.4.30.1
python310-tools-3.10.12-150400.4.30.1

Ссылки

Описание

Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267.

Затронутые продукты
Container bci/python:3:libpython3_10-1_0-3.10.12-150400.4.30.1
Container bci/python:3:python310-3.10.12-150400.4.30.1
Container bci/python:3:python310-base-3.10.12-150400.4.30.1
Container bci/python:3:python310-devel-3.10.12-150400.4.30.1
Ссылки

Описание

An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.

Затронутые продукты
Container bci/python:3:libpython3_10-1_0-3.10.12-150400.4.30.1
Container bci/python:3:python310-3.10.12-150400.4.30.1
Container bci/python:3:python310-base-3.10.12-150400.4.30.1
Container bci/python:3:python310-devel-3.10.12-150400.4.30.1
Ссылки