Description
Security update for python
This update for python fixes the following issues:
- bsc#1177211 (CVE-2020-26116): special characters are no longer allowed in the method parameter of HTTPConnection.putrequest in httplib, which stops header injection.
This update was imported from the SUSE:SLE-15:Update update project.
Package list
openSUSE Leap 15.2
libpython2_7-1_0-2.7.17-lp152.3.6.2
libpython2_7-1_0-32bit-2.7.17-lp152.3.6.2
python-2.7.17-lp152.3.6.1
python-32bit-2.7.17-lp152.3.6.1
python-base-2.7.17-lp152.3.6.2
python-base-32bit-2.7.17-lp152.3.6.2
python-curses-2.7.17-lp152.3.6.1
python-demo-2.7.17-lp152.3.6.1
python-devel-2.7.17-lp152.3.6.2
python-doc-2.7.17-lp152.3.6.1
python-doc-pdf-2.7.17-lp152.3.6.1
python-gdbm-2.7.17-lp152.3.6.1
python-idle-2.7.17-lp152.3.6.1
python-tk-2.7.17-lp152.3.6.1
python-xml-2.7.17-lp152.3.6.2
References
- E-Mail link for openSUSE-SU-2020:1988-1
- SUSE Security Ratings
- SUSE Bug 1177211
- SUSE CVE CVE-2020-26116 page
Description
http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request.
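An application-level guard against the method-parameter injection described above, as an added example that is not part of the advisory or of the upstream patch. The function names and the sample inputs are hypothetical and constructed for illustration; the check is stricter than "no control characters" because it accepts only RFC 7230 token characters.

```python
import re

# RFC 7230 "token": the only characters a request method may contain.
_TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# Control characters, including CR and LF, which terminate a header line.
_CTL_RE = re.compile(r"[\x00-\x1f\x7f]")


def naive_request_line(method, url):
    """Format a request line with no validation (the risky pattern)."""
    return "%s %s HTTP/1.1\r\n" % (method, url)


def check_method(method):
    """Return the method unchanged, or raise ValueError if it is unsafe."""
    if not isinstance(method, str):
        raise ValueError("method must be str")
    if _CTL_RE.search(method):
        raise ValueError("method contains control characters: %r" % method)
    if not _TOKEN_RE.fullmatch(method):
        raise ValueError("method is not an RFC 7230 token: %r" % method)
    return method


def safe_request_line(method, url):
    """Format a request line only after the method has been validated."""
    return naive_request_line(check_method(method), url)


def count_header_lines(raw):
    """Count the non-empty CRLF-terminated lines a server would parse."""
    return len([line for line in raw.split("\r\n") if line])


# Constructed sample inputs: a normal method and one carrying CR/LF.
SAMPLES = ["GET", "GET\r\nX-Constructed: 1"]

if __name__ == "__main__":
    for m in SAMPLES:
        lines = count_header_lines(naive_request_line(m, "/"))
        print(repr(m), "-> lines seen without the check:", lines)
        try:
            safe_request_line(m, "/")
            print("   accepted")
        except ValueError as exc:
            print("   rejected:", exc)
```

On an interpreter that does not yet carry the fix, calling `check_method` on any externally influenced method before it reaches `HTTPConnection.request` gives the same rejection behaviour.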
Affected products
openSUSE Leap 15.2:libpython2_7-1_0-2.7.17-lp152.3.6.2
openSUSE Leap 15.2:libpython2_7-1_0-32bit-2.7.17-lp152.3.6.2
openSUSE Leap 15.2:python-2.7.17-lp152.3.6.1
openSUSE Leap 15.2:python-32bit-2.7.17-lp152.3.6.1
References
- CVE-2020-26116
- SUSE Bug 1177120
- SUSE Bug 1177211
- SUSE Bug 1192361