Описание
Security update for python312
This update for python312 fixes the following issues:
- Update to 3.12.6
- CVE-2024-6923: Fixed uncontrolled CPU resource consumption when in http.cookies module. (bsc#1228780).
- CVE-2024-7592: Fixed Email header injection due to unquoted newlines. (bsc#1229596)
- CVE-2024-6232: Fixed ReDos via excessive backtracking while parsing header values. (bsc#1230227)
- CVE-2024-8088: Fixed denial of service in zipfile. (bsc#1229704)
Список пакетов
Container bci/python:latest
SUSE Linux Enterprise Module for Python 3 15 SP6
openSUSE Leap 15.6
Ссылки
- Link for SUSE-SU-2024:3303-1
- E-Mail link for SUSE-SU-2024:3303-1
- SUSE Security Ratings
- SUSE Bug 1227999
- SUSE Bug 1228780
- SUSE Bug 1229596
- SUSE Bug 1229704
- SUSE Bug 1230227
- SUSE CVE CVE-2024-6232 page
- SUSE CVE CVE-2024-6923 page
- SUSE CVE CVE-2024-7592 page
- SUSE CVE CVE-2024-8088 page
Описание
There is a MEDIUM severity vulnerability affecting CPython. Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives.
Затронутые продукты
Ссылки
- CVE-2024-6232
- SUSE Bug 1230227
Описание
There is a MEDIUM severity vulnerability affecting CPython. The email module didn't properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized.
Затронутые продукты
Ссылки
- CVE-2024-6923
- SUSE Bug 1228780
Описание
There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module. When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value.
Затронутые продукты
Ссылки
- CVE-2024-7592
- SUSE Bug 1229596
Описание
There is a HIGH severity vulnerability affecting the CPython "zipfile" module affecting "zipfile.Path". Note that the more common API "zipfile.ZipFile" class is unaffected. When iterating over names of entries in a zip archive (for example, methods of "zipfile.Path" like "namelist()", "iterdir()", etc) the process can be put into an infinite loop with a maliciously crafted zip archive. This defect applies when reading only metadata or extracting the contents of the zip archive. Programs that are not handling user-controlled zip archives are not affected.
Затронутые продукты
Ссылки
- CVE-2024-8088
- SUSE Bug 1229704