Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

suse-cvrf логотип

SUSE-SU-2024:1862-1

Опубликовано: 30 мая 2024
Источник: suse-cvrf

Описание

Security update for python

This update for python fixes the following issues:

  • CVE-2023-52425: Fixed using the system libexpat (bsc#1219559).
  • CVE-2023-27043: Modifed fix for unicode string handling in email.utils.parseaddr() (bsc#1222537).
  • CVE-2022-48560: Fixed use-after-free in Python via heappushpop in heapq (bsc#1214675).
  • CVE-2024-0450: Detect the vulnerability of the 'quoted-overlap' zipbomb (bsc#1221854).

Bug fixes:

  • Switch off tests. ONLY FOR FACTORY!!! (bsc#1219306).
  • Build with -std=gnu89 to build correctly with gcc14 (bsc#1220970).
  • Switch from %patchN style to the %patch -P N one.

Список пакетов

Image SLES15-SP2-SAP-Azure-LI-BYOS-Production
libpython2_7-1_0-2.7.18-150000.65.1
python-base-2.7.18-150000.65.1
Image SLES15-SP2-SAP-Azure-VLI-BYOS-Production
libpython2_7-1_0-2.7.18-150000.65.1
python-base-2.7.18-150000.65.1
Image SLES15-SP3-SAP-Azure-LI-BYOS-Production
libpython2_7-1_0-2.7.18-150000.65.1
python-base-2.7.18-150000.65.1
Image SLES15-SP3-SAP-Azure-VLI-BYOS-Production
libpython2_7-1_0-2.7.18-150000.65.1
python-base-2.7.18-150000.65.1
Image SLES15-SP3-SAPCAL-Azure
libpython2_7-1_0-2.7.18-150000.65.1
python-2.7.18-150000.65.1
python-base-2.7.18-150000.65.1
python-xml-2.7.18-150000.65.1
Image SLES15-SP3-SAPCAL-EC2-HVM
libpython2_7-1_0-2.7.18-150000.65.1
python-2.7.18-150000.65.1
python-base-2.7.18-150000.65.1
python-xml-2.7.18-150000.65.1
Image SLES15-SP3-SAPCAL-GCE
libpython2_7-1_0-2.7.18-150000.65.1
python-2.7.18-150000.65.1
python-base-2.7.18-150000.65.1
python-xml-2.7.18-150000.65.1
SUSE Linux Enterprise Module for Package Hub 15 SP5
libpython2_7-1_0-2.7.18-150000.65.1
python-2.7.18-150000.65.1
python-base-2.7.18-150000.65.1
python-curses-2.7.18-150000.65.1
python-devel-2.7.18-150000.65.1
python-gdbm-2.7.18-150000.65.1
python-xml-2.7.18-150000.65.1
SUSE Linux Enterprise Module for Package Hub 15 SP6
libpython2_7-1_0-2.7.18-150000.65.1
python-2.7.18-150000.65.1
python-base-2.7.18-150000.65.1
python-curses-2.7.18-150000.65.1
python-gdbm-2.7.18-150000.65.1
python-xml-2.7.18-150000.65.1
openSUSE Leap 15.5
libpython2_7-1_0-2.7.18-150000.65.1
libpython2_7-1_0-32bit-2.7.18-150000.65.1
python-2.7.18-150000.65.1
python-32bit-2.7.18-150000.65.1
python-base-2.7.18-150000.65.1
python-base-32bit-2.7.18-150000.65.1
python-curses-2.7.18-150000.65.1
python-demo-2.7.18-150000.65.1
python-devel-2.7.18-150000.65.1
python-doc-2.7.18-150000.65.1
python-doc-pdf-2.7.18-150000.65.1
python-gdbm-2.7.18-150000.65.1
python-idle-2.7.18-150000.65.1
python-tk-2.7.18-150000.65.1
python-xml-2.7.18-150000.65.1
openSUSE Leap 15.6
libpython2_7-1_0-2.7.18-150000.65.1
libpython2_7-1_0-32bit-2.7.18-150000.65.1
python-2.7.18-150000.65.1
python-32bit-2.7.18-150000.65.1
python-base-2.7.18-150000.65.1
python-base-32bit-2.7.18-150000.65.1
python-curses-2.7.18-150000.65.1
python-demo-2.7.18-150000.65.1
python-devel-2.7.18-150000.65.1
python-doc-2.7.18-150000.65.1
python-doc-pdf-2.7.18-150000.65.1
python-gdbm-2.7.18-150000.65.1
python-idle-2.7.18-150000.65.1
python-tk-2.7.18-150000.65.1
python-xml-2.7.18-150000.65.1

Ссылки

Описание

A use-after-free exists in Python through 3.9 via heappushpop in heapq.

Затронутые продукты
Image SLES15-SP2-SAP-Azure-LI-BYOS-Production:libpython2_7-1_0-2.7.18-150000.65.1
Image SLES15-SP2-SAP-Azure-LI-BYOS-Production:python-base-2.7.18-150000.65.1
Image SLES15-SP2-SAP-Azure-VLI-BYOS-Production:libpython2_7-1_0-2.7.18-150000.65.1
Image SLES15-SP2-SAP-Azure-VLI-BYOS-Production:python-base-2.7.18-150000.65.1
Ссылки

Описание

The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.

Затронутые продукты
Image SLES15-SP2-SAP-Azure-LI-BYOS-Production:libpython2_7-1_0-2.7.18-150000.65.1
Image SLES15-SP2-SAP-Azure-LI-BYOS-Production:python-base-2.7.18-150000.65.1
Image SLES15-SP2-SAP-Azure-VLI-BYOS-Production:libpython2_7-1_0-2.7.18-150000.65.1
Image SLES15-SP2-SAP-Azure-VLI-BYOS-Production:python-base-2.7.18-150000.65.1
Ссылки

Описание

libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed.

Затронутые продукты
Image SLES15-SP2-SAP-Azure-LI-BYOS-Production:libpython2_7-1_0-2.7.18-150000.65.1
Image SLES15-SP2-SAP-Azure-LI-BYOS-Production:python-base-2.7.18-150000.65.1
Image SLES15-SP2-SAP-Azure-VLI-BYOS-Production:libpython2_7-1_0-2.7.18-150000.65.1
Image SLES15-SP2-SAP-Azure-VLI-BYOS-Production:python-base-2.7.18-150000.65.1
Ссылки

Описание

An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior. The zipfile module is vulnerable to "quoted-overlap" zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive.

Затронутые продукты
Image SLES15-SP2-SAP-Azure-LI-BYOS-Production:libpython2_7-1_0-2.7.18-150000.65.1
Image SLES15-SP2-SAP-Azure-LI-BYOS-Production:python-base-2.7.18-150000.65.1
Image SLES15-SP2-SAP-Azure-VLI-BYOS-Production:libpython2_7-1_0-2.7.18-150000.65.1
Image SLES15-SP2-SAP-Azure-VLI-BYOS-Production:python-base-2.7.18-150000.65.1
Ссылки
Уязвимость SUSE-SU-2024:1862-1