SUSE-SU-2025:03127-1

Опубликовано: 10 сент. 2025

Источник: suse-cvrf

Описание

Security update for python-deepdiff

This update for python-deepdiff fixes the following issues:

CVE-2025-58367: class pollution via the Delta class constructor can lead to denial-of-service and remote code execution (bsc#1249347).

Список пакетов

openSUSE Leap 15.6

python311-deepdiff-6.3.0-150600.3.3.1

Ссылки

https://www.suse.com/support/update/announcement/2025/suse-su-202503127-1/
Link for SUSE-SU-2025:03127-1
https://lists.suse.com/pipermail/sle-updates/2025-September/041565.html
E-Mail link for SUSE-SU-2025:03127-1
https://www.suse.com/support/security/rating/
SUSE Security Ratings
https://bugzilla.suse.com/1249347
SUSE Bug 1249347
https://www.suse.com/security/cve/CVE-2025-58367/
SUSE CVE CVE-2025-58367 page

Описание

DeepDiff is a project focused on Deep Difference and search of any Python data. Versions 5.0.0 through 8.6.0 are vulnerable to class pollution via the Delta class constructor, and when combined with a gadget available in DeltaDiff, it can lead to Denial of Service and Remote Code Execution (via insecure Pickle deserialization) exploitation. The gadget available in DeepDiff allows `deepdiff.serialization.SAFE_TO_IMPORT` to be modified to allow dangerous classes such as posix.system, and then perform insecure Pickle deserialization via the Delta class. This potentially allows any Python code to be executed, given that the input to Delta is user-controlled. Depending on the application where DeepDiff is used, this can also lead to other vulnerabilities. This is fixed in version 8.6.1.

Затронутые продукты

openSUSE Leap 15.6:python311-deepdiff-6.3.0-150600.3.3.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-58367.html
CVE-2025-58367
https://bugzilla.suse.com/1249347
SUSE Bug 1249347

SUSE-SU-2025:03127-1

Описание

Список пакетов

openSUSE Leap 15.6

Ссылки

Уязвимость: CVE-2025-58367

Описание

Затронутые продукты

Ссылки