
openSUSE-SU-2016:2120-1

Published: 19 Aug 2016
Source: suse-cvrf

Description

Security update for python3

This update for python3 fixes the following issues:

  • apply fix for CVE-2016-1000110 - CGIHandler: sets an environment variable based on the user-supplied Proxy request header (fixes boo#989523, CVE-2016-1000110)

  • update to 3.4.5; see https://docs.python.org/3.4/whatsnew/changelog.html (fixes boo#984751, CVE-2016-0772) (fixes boo#985177, CVE-2016-5636) (fixes boo#985348, CVE-2016-5699)

  • Bump DH parameters to 2048 bits to fix the Logjam security issue (boo#935856)

Package list

openSUSE Leap 42.1
libpython3_4m1_0-3.4.5-8.1
libpython3_4m1_0-32bit-3.4.5-8.1
python3-3.4.5-8.1
python3-32bit-3.4.5-8.1
python3-base-3.4.5-8.1
python3-base-32bit-3.4.5-8.1
python3-curses-3.4.5-8.1
python3-dbm-3.4.5-8.1
python3-devel-3.4.5-8.1
python3-doc-3.4.5-8.1
python3-doc-pdf-3.4.5-8.1
python3-idle-3.4.5-8.1
python3-testsuite-3.4.5-8.1
python3-tk-3.4.5-8.1
python3-tools-3.4.5-8.1

Description

The CGIHTTPServer module in Python 2.7.5 and 3.3.4 does not properly handle URLs in which URL encoding is used for path separators, which allows remote attackers to read script source code or conduct directory traversal attacks and execute unintended code via a crafted character sequence, as demonstrated by a %2f separator.
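The description above turns on where percent-decoding happens: if the handler decides "is this a CGI path?" by splitting the raw request path on `/`, a `%2f` separator never counts as a directory boundary, and the script file falls through to the static-file branch. The following is an added example, not code from the advisory or from CPython; the collapse logic is this example's own restatement of the URL-path collapsing a CGI handler performs, and `CGI_DIRECTORIES`, `collapse_path` and `is_cgi_request` are names chosen here. The `decode_first` flag switches between the pre-fix order (split first) and the fixed order (decode, then split).

```python
from urllib.parse import unquote

# Directories the server treats as CGI script locations (constructed config).
CGI_DIRECTORIES = ("/cgi-bin", "/htbin")


def collapse_path(path, decode_first):
    """Collapse '.' and '..' segments using URL path semantics.

    decode_first=False mirrors the pre-fix handler, which split the raw path;
    decode_first=True mirrors the fix, which percent-decodes before splitting,
    so that '%2f' becomes a real separator before any directory check."""
    path, _, _query = path.partition("?")
    if decode_first:
        path = unquote(path)
    parts = path.split("/")
    head_parts = []
    for part in parts[:-1]:
        if part == "..":
            if head_parts:
                head_parts.pop()
        elif part and part != ".":
            head_parts.append(part)
    tail = parts[-1]
    if tail == "..":
        if head_parts:
            head_parts.pop()
        tail = ""
    elif tail == ".":
        tail = ""
    segments = head_parts + ([tail] if tail else [])
    return "/" + "/".join(segments)


def is_cgi_request(path, decode_first):
    """True when the first segment of the collapsed path is a CGI directory.
    With decode_first=False the path '/cgi-bin%2fapp.py' has no '/' after
    position 0, so it is classified as a static file and served verbatim."""
    collapsed = collapse_path(path, decode_first)
    sep = collapsed.find("/", 1)
    head = collapsed if sep == -1 else collapsed[:sep]
    return head in CGI_DIRECTORIES


if __name__ == "__main__":
    # Constructed sample request paths.
    for sample in ("/cgi-bin/app.py", "/cgi-bin%2fapp.py", "/static/../cgi-bin/app.py"):
        print(f"{sample!r:32} pre-fix CGI={is_cgi_request(sample, False)!s:5} "
              f"fixed CGI={is_cgi_request(sample, True)}")
```

The same ordering rule applies to any router that gates on a path prefix: normalise (decode and collapse) first, then compare, and never compare a raw encoded string against a decoded allowlist.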


Affected products
openSUSE Leap 42.1:libpython3_4m1_0-3.4.5-8.1
openSUSE Leap 42.1:libpython3_4m1_0-32bit-3.4.5-8.1
openSUSE Leap 42.1:python3-3.4.5-8.1
openSUSE Leap 42.1:python3-32bit-3.4.5-8.1

References

Description

The smtplib library in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 does not return an error when StartTLS fails, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a "StartTLS stripping attack."


Affected products
openSUSE Leap 42.1:libpython3_4m1_0-3.4.5-8.1
openSUSE Leap 42.1:libpython3_4m1_0-32bit-3.4.5-8.1
openSUSE Leap 42.1:python3-3.4.5-8.1
openSUSE Leap 42.1:python3-32bit-3.4.5-8.1

References

Description

The CGIHandler class in Python before 2.7.12 does not protect against the HTTP_PROXY variable name clash in a CGI script, which could allow a remote attacker to redirect HTTP requests.
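The name clash in the CVE-2016-1000110 description above is mechanical: CGI maps every request header `Name` to an environment variable `HTTP_NAME`, so a client-supplied `Proxy` header becomes `HTTP_PROXY`, which HTTP client libraries in the script read as the outbound proxy setting. The following is an added example, not code from the advisory or from CPython: `build_cgi_env_naive` and `build_cgi_env_hardened` are this example's own reconstruction of the header-to-environment step before and after dropping the `Proxy` header, and `proxies_visible_to_script` calls urllib's real `getproxies_environment()` under a patched environment to show the second, consumer-side mitigation that fixed interpreters carry (ignoring `HTTP_PROXY` when `REQUEST_METHOD` marks a CGI context). The headers and base environment are constructed sample data.

```python
import os
from unittest import mock
from urllib.request import getproxies_environment

# Constructed request headers, as a CGI front end would receive them.
# The "Proxy" header is the untrusted input in the CVE-2016-1000110 scenario.
CONSTRUCTED_HEADERS = [
    ("Host", "app.example"),
    ("Proxy", "http://proxy.invalid:8080"),
    ("User-Agent", "example-client/1.0"),
]

# Minimal base environment every CGI invocation carries (constructed).
BASE_CGI_ENV = {"REQUEST_METHOD": "GET", "SCRIPT_NAME": "/cgi-bin/app.py"}


def header_to_env_name(name):
    """RFC 3875 mapping: 'User-Agent' -> 'HTTP_USER_AGENT'."""
    return "HTTP_" + name.upper().replace("-", "_")


def build_cgi_env_naive(headers):
    """Pre-fix shape: every request header is copied into HTTP_<NAME>,
    so a client-supplied 'Proxy' header lands in HTTP_PROXY."""
    env = dict(BASE_CGI_ENV)
    for name, value in headers:
        env[header_to_env_name(name)] = value.strip()
    return env


def build_cgi_env_hardened(headers):
    """Fixed shape: the 'Proxy' header is dropped before the environment is
    built, so HTTP_PROXY can only come from the server's own configuration."""
    env = dict(BASE_CGI_ENV)
    for name, value in headers:
        if name.lower() == "proxy":
            continue
        env[header_to_env_name(name)] = value.strip()
    return env


def proxies_visible_to_script(cgi_env):
    """What urllib's proxy discovery returns for a script run with cgi_env.
    os.environ is patched in isolation and restored on exit, so the real
    process environment is untouched."""
    with mock.patch.dict(os.environ, cgi_env, clear=True):
        return getproxies_environment()


if __name__ == "__main__":
    naive = build_cgi_env_naive(CONSTRUCTED_HEADERS)
    hardened = build_cgi_env_hardened(CONSTRUCTED_HEADERS)
    print("naive HTTP_PROXY    :", naive.get("HTTP_PROXY"))
    print("hardened HTTP_PROXY :", hardened.get("HTTP_PROXY"))
    print("urllib sees (CGI)   :", proxies_visible_to_script(naive))
    print("urllib sees (no CGI):",
          proxies_visible_to_script({"HTTP_PROXY": "http://proxy.invalid:8080"}))
```

Both layers matter: the server-side drop protects scripts written in any language, while the urllib-side rule only helps Python consumers and only when `REQUEST_METHOD` is present. A lowercase `http_proxy` set by the administrator is still honoured in both cases.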


Affected products
openSUSE Leap 42.1:libpython3_4m1_0-3.4.5-8.1
openSUSE Leap 42.1:libpython3_4m1_0-32bit-3.4.5-8.1
openSUSE Leap 42.1:python3-3.4.5-8.1
openSUSE Leap 42.1:python3-32bit-3.4.5-8.1

References

Description

Integer overflow in the get_data function in zipimport.c in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers to have unspecified impact via a negative data size value, which triggers a heap-based buffer overflow.


Affected products
openSUSE Leap 42.1:libpython3_4m1_0-3.4.5-8.1
openSUSE Leap 42.1:libpython3_4m1_0-32bit-3.4.5-8.1
openSUSE Leap 42.1:python3-3.4.5-8.1
openSUSE Leap 42.1:python3-32bit-3.4.5-8.1

References

Description

CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL.
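For the CRLF issue above, the point to see is that a header value containing `\r\n` terminates the header line on the wire, so whatever follows the CRLF is parsed by the receiver as a separate header. The fix makes `HTTPConnection.putheader` reject such values with `ValueError`. The following is an added example, not code from the advisory or from CPython: `_ILLEGAL_HEADER_VALUE` is this example's own restatement of the rule (a CR or LF that does not begin an obs-fold continuation is illegal), `naive_wire_bytes` and `header_count` show what an unchecked implementation would emit, and `putheader_accepts` asks the running interpreter's real `http.client.HTTPConnection` without opening a socket. The header values are constructed sample data.

```python
import http.client
import re

# This example's own restatement of the rule fixed interpreters apply to header
# values: a CR or LF that does not start an obs-fold continuation (a following
# space or tab) is illegal, because it would end the header and start a new one.
_ILLEGAL_HEADER_VALUE = re.compile(r"\n(?![ \t])|\r(?![ \t\n])")

# Constructed inputs: a benign cookie value and one carrying a smuggled header.
SAFE_VALUE = "session=abc123"
INJECTED_VALUE = "session=abc123\r\nX-Injected: 1"


def header_value_is_safe(value):
    """True when the value contains no bare CR/LF."""
    return _ILLEGAL_HEADER_VALUE.search(value) is None


def naive_wire_bytes(name, value):
    """What an unchecked putheader emits: the value is pasted verbatim, so a
    CRLF inside it ends the header early and the remainder becomes a new one."""
    return f"{name}: {value}\r\n".encode("latin-1")


def header_count(wire):
    """Number of header lines a receiver would parse from the raw bytes."""
    return len([line for line in wire.split(b"\r\n") if line])


def putheader_accepts(name, value):
    """Does the running interpreter's HTTPConnection.putheader accept the value?
    No socket is opened: putrequest and putheader only fill an output buffer,
    and the connection is closed without ever sending it."""
    conn = http.client.HTTPConnection("app.example")
    conn.putrequest("GET", "/")
    try:
        conn.putheader(name, value)
    except ValueError:
        return False
    finally:
        conn.close()
    return True


if __name__ == "__main__":
    for label, value in (("safe", SAFE_VALUE), ("injected", INJECTED_VALUE)):
        wire = naive_wire_bytes("Cookie", value)
        print(f"{label:8} lines-on-wire={header_count(wire)} "
              f"regex-safe={header_value_is_safe(value)} "
              f"putheader-accepts={putheader_accepts('Cookie', value)}")
```

The `putheader_accepts` check is a quick way to confirm that a deployed interpreter carries the fix: on a patched build the injected value is refused, on an unpatched one it is silently written to the buffer as two headers.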


Affected products
openSUSE Leap 42.1:libpython3_4m1_0-3.4.5-8.1
openSUSE Leap 42.1:libpython3_4m1_0-32bit-3.4.5-8.1
openSUSE Leap 42.1:python3-3.4.5-8.1
openSUSE Leap 42.1:python3-32bit-3.4.5-8.1

References
Vulnerability openSUSE-SU-2016:2120-1