Description
Security update for python
Python was updated to fix three security issues.
The following vulnerabilities were fixed:
- CVE-2016-0772: TLS stripping attack on smtplib (bsc#984751)
- CVE-2016-5636: zipimporter heap overflow (bsc#985177)
- CVE-2016-5699: httplib header injection (bsc#985348)
This update also includes all upstream bug fixes and improvements in Python 2.7.12.
It also includes the following packaging changes:
- reintroduce support for CA directory path
The following tracked packaging issues were fixed:
- broken overflow checks (bsc#964182)
Package list
openSUSE Leap 42.1
References
- E-Mail link for openSUSE-SU-2016:1885-1
- SUSE Security Ratings
Description
The smtplib library in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 does not return an error when StartTLS fails, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a "StartTLS stripping attack."
Affected products
References
- CVE-2016-0772
- SUSE Bug 984751
Description
Integer overflow in the get_data function in zipimport.c in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers to have unspecified impact via a negative data size value, which triggers a heap-based buffer overflow.
Affected products
References
- CVE-2016-5636
- SUSE Bug 1065451
- SUSE Bug 1095424
- SUSE Bug 1106262
- SUSE Bug 985177
Description
CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL.
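The following is an added example, not part of this advisory or of CPython itself: a header validator modelled on the checks the upstream fix added to HTTPConnection.putheader (assumption: the two patterns are reproduced from memory of http/client.py, with `\Z` used in place of `$` so a name ending in a newline is also rejected). It shows which header names and values a patched client refuses, so code that builds headers from URL-derived input on an unpatched interpreter can apply the same rule itself.

```python
import re

# Header name: no leading ':' or whitespace, no ':' / CR / LF anywhere.
# \Z instead of $ avoids the quirk that $ also matches before a trailing "\n".
_LEGAL_HEADER_NAME = re.compile(r'[^:\s][^:\r\n]*\Z').match

# Header value: a bare CR or LF is illegal; CR/LF followed by SP or HT is an
# RFC-style folded continuation and is still accepted, as upstream accepts it.
_ILLEGAL_HEADER_VALUE = re.compile(r'\n(?![ \t])|\r(?![ \t\n])').search


def validate_header(name, value):
    """Return (name, value) unchanged, or raise ValueError like the patched putheader."""
    if not _LEGAL_HEADER_NAME(name):
        raise ValueError("Invalid header name %r" % (name,))
    if _ILLEGAL_HEADER_VALUE(value):
        raise ValueError("Invalid header value %r" % (value,))
    return name, value


def header_is_safe(name, value):
    """Boolean form for callers that prefer to drop a bad header instead of failing."""
    try:
        validate_header(name, value)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed inputs: a normal value, a folded value, and a value carrying a
    # CRLF that, unchecked, would be emitted as a second header line.
    samples = [
        ("Accept", "text/html"),
        ("X-Long", "a\r\n b"),
        ("X-Note", "x\r\nInjected: yes"),
        ("X-Bad\r\nY", "1"),
    ]
    for n, v in samples:
        print("%-12r %-22r safe=%s" % (n, v, header_is_safe(n, v)))
```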
Affected products
References
- CVE-2016-5699
- SUSE Bug 1122729
- SUSE Bug 1130840
- SUSE Bug 985348
- SUSE Bug 985351
- SUSE Bug 986630