SUSE-SU-2024:3924-1

Опубликовано: 06 нояб. 2024

Источник: suse-cvrf

Описание

Security update for python310

This update for python310 fixes the following issues:

CVE-2024-9287: Fixed quoted path names provided when creating a virtual environment (bsc#1232241).

Bug fixes:

Drop .pyc files from docdir for reproducible builds (bsc#1230906).

Список пакетов

openSUSE Leap 15.5

libpython3_10-1_0-3.10.15-150400.4.60.1

libpython3_10-1_0-32bit-3.10.15-150400.4.60.1

python310-3.10.15-150400.4.60.1

python310-32bit-3.10.15-150400.4.60.1

python310-base-3.10.15-150400.4.60.1

python310-base-32bit-3.10.15-150400.4.60.1

python310-curses-3.10.15-150400.4.60.1

python310-dbm-3.10.15-150400.4.60.1

python310-devel-3.10.15-150400.4.60.1

python310-doc-3.10.15-150400.4.60.1

python310-doc-devhelp-3.10.15-150400.4.60.1

python310-idle-3.10.15-150400.4.60.1

python310-testsuite-3.10.15-150400.4.60.1

python310-tk-3.10.15-150400.4.60.1

python310-tools-3.10.15-150400.4.60.1

openSUSE Leap 15.6

libpython3_10-1_0-3.10.15-150400.4.60.1

libpython3_10-1_0-32bit-3.10.15-150400.4.60.1

python310-3.10.15-150400.4.60.1

python310-32bit-3.10.15-150400.4.60.1

python310-base-3.10.15-150400.4.60.1

python310-base-32bit-3.10.15-150400.4.60.1

python310-curses-3.10.15-150400.4.60.1

python310-dbm-3.10.15-150400.4.60.1

python310-devel-3.10.15-150400.4.60.1

python310-doc-3.10.15-150400.4.60.1

python310-doc-devhelp-3.10.15-150400.4.60.1

python310-idle-3.10.15-150400.4.60.1

python310-testsuite-3.10.15-150400.4.60.1

python310-tk-3.10.15-150400.4.60.1

python310-tools-3.10.15-150400.4.60.1

Ссылки

https://www.suse.com/support/update/announcement/2024/suse-su-20243924-1/
Link for SUSE-SU-2024:3924-1
https://lists.suse.com/pipermail/sle-security-updates/2024-November/019780.html
E-Mail link for SUSE-SU-2024:3924-1
https://www.suse.com/support/security/rating/
SUSE Security Ratings
https://bugzilla.suse.com/1230906
SUSE Bug 1230906
https://bugzilla.suse.com/1232241
SUSE Bug 1232241
https://www.suse.com/security/cve/CVE-2024-9287/
SUSE CVE CVE-2024-9287 page

Описание

A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment "activation" scripts (ie "source venv/bin/activate"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie "./venv/bin/python") are not affected.

Затронутые продукты

openSUSE Leap 15.5:libpython3_10-1_0-3.10.15-150400.4.60.1

openSUSE Leap 15.5:libpython3_10-1_0-32bit-3.10.15-150400.4.60.1

openSUSE Leap 15.5:python310-3.10.15-150400.4.60.1

openSUSE Leap 15.5:python310-32bit-3.10.15-150400.4.60.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-9287.html
CVE-2024-9287
https://bugzilla.suse.com/1232241
SUSE Bug 1232241

SUSE-SU-2024:3924-1

Описание

Список пакетов

openSUSE Leap 15.5

openSUSE Leap 15.6

Ссылки

Уязвимость: CVE-2024-9287

Описание

Затронутые продукты

Ссылки