Описание
Security update for python
This update for python fixes the following issues:
- CVE-2022-0391: Fixed URL sanitization containing ASCII newline and tabs in urlparse (bsc#1195396).
- CVE-2021-4189: Fixed ftplib not to trust the PASV response (bsc#1194146).
- CVE-2021-3572: Fixed an improper handling of unicode characters in pip (bsc#1186819).
Список пакетов
openSUSE Leap 15.3
Ссылки
- E-Mail link for openSUSE-SU-2022:1091-1
- SUSE Security Ratings
- SUSE Bug 1175619
- SUSE Bug 1186819
- SUSE Bug 1194146
- SUSE Bug 1195396
- SUSE CVE CVE-2021-3572 page
- SUSE CVE CVE-2021-4189 page
- SUSE CVE CVE-2022-0391 page
Описание
A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.
Затронутые продукты
Ссылки
- CVE-2021-3572
- SUSE Bug 1186819
Описание
A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This vulnerability could lead to FTP client scanning ports, which otherwise would not have been possible.
Затронутые продукты
Ссылки
- CVE-2021-4189
- SUSE Bug 1194146
Описание
A flaw was found in Python, specifically within the urllib.parse module. This module helps break Uniform Resource Locator (URL) strings into components. The issue involves how the urlparse method does not sanitize input and allows characters like '\r' and '\n' in the URL path. This flaw allows an attacker to input a crafted URL, leading to injection attacks. This flaw affects Python versions prior to 3.10.0b1, 3.9.5, 3.8.11, 3.7.11 and 3.6.14.
Затронутые продукты
Ссылки
- CVE-2022-0391
- SUSE Bug 1195396
- SUSE Bug 1225672