SUSE-SU-2016:2653-1: moderate: Security update for python3

sle-security-updates at lists.suse.com
Wed Oct 26 10:25:39 MDT 2016


   SUSE Security Update: Security update for python3
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2653-1
Rating:             moderate
References:         #951166 #983582 #984751 #985177 #985348 #989523 
                    #991069 
Cross-References:   CVE-2016-0772 CVE-2016-1000110 CVE-2016-5636
                    CVE-2016-5699
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP1
                    SUSE Linux Enterprise Server 12-SP1
                    SUSE Linux Enterprise Module for Web Scripting 12
                    SUSE Linux Enterprise Desktop 12-SP1
______________________________________________________________________________

   An update that solves four vulnerabilities and has three
   fixes is now available.

Description:


   This update provides Python 3.4.5, which brings many fixes and
   enhancements.

   The following security issues have been fixed:

   - CVE-2016-1000110: CGIHandler could have allowed setting of the HTTP_PROXY
     environment variable based on a user-supplied Proxy request header.
     (bsc#989523)
   - CVE-2016-0772: A vulnerability in smtplib could have allowed a MITM
     attacker to perform a startTLS stripping attack. (bsc#984751)
   - CVE-2016-5636: A heap overflow in Python's zipimport module. (bsc#985177)
   - CVE-2016-5699: A header injection flaw in
     urllib2/urllib/httplib/http.client. (bsc#985348)

   The update also includes the following non-security fixes:

   - Don't force 3rd party C extensions to be built with
     -Werror=declaration-after-statement. (bsc#951166)
   - Make urllib proxy var handling behave as usual on POSIX. (bsc#983582)

   For a comprehensive list of changes please refer to the upstream change
   log: https://docs.python.org/3.4/whatsnew/changelog.html


Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12-SP1:

      zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-1558=1

   - SUSE Linux Enterprise Server 12-SP1:

      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1558=1

   - SUSE Linux Enterprise Module for Web Scripting 12:

      zypper in -t patch SUSE-SLE-Module-Web-Scripting-12-2016-1558=1

   - SUSE Linux Enterprise Desktop 12-SP1:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-1558=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Software Development Kit 12-SP1 (ppc64le s390x x86_64):

      python3-base-debuginfo-3.4.5-17.1
      python3-base-debugsource-3.4.5-17.1
      python3-devel-3.4.5-17.1
      python3-devel-debuginfo-3.4.5-17.1

   - SUSE Linux Enterprise Server 12-SP1 (ppc64le s390x x86_64):

      libpython3_4m1_0-3.4.5-17.1
      libpython3_4m1_0-debuginfo-3.4.5-17.1
      python3-3.4.5-17.1
      python3-base-3.4.5-17.1
      python3-base-debuginfo-3.4.5-17.1
      python3-base-debugsource-3.4.5-17.1
      python3-debuginfo-3.4.5-17.1
      python3-debugsource-3.4.5-17.1

   - SUSE Linux Enterprise Module for Web Scripting 12 (ppc64le s390x x86_64):

      libpython3_4m1_0-3.4.5-17.1
      libpython3_4m1_0-debuginfo-3.4.5-17.1
      python3-3.4.5-17.1
      python3-base-3.4.5-17.1
      python3-base-debuginfo-3.4.5-17.1
      python3-base-debugsource-3.4.5-17.1
      python3-debuginfo-3.4.5-17.1
      python3-debugsource-3.4.5-17.1

   - SUSE Linux Enterprise Desktop 12-SP1 (x86_64):

      libpython3_4m1_0-3.4.5-17.1
      libpython3_4m1_0-debuginfo-3.4.5-17.1
      python3-3.4.5-17.1
      python3-base-3.4.5-17.1
      python3-base-debuginfo-3.4.5-17.1
      python3-base-debugsource-3.4.5-17.1
      python3-debuginfo-3.4.5-17.1
      python3-debugsource-3.4.5-17.1


References:

   https://www.suse.com/security/cve/CVE-2016-0772.html
   https://www.suse.com/security/cve/CVE-2016-1000110.html
   https://www.suse.com/security/cve/CVE-2016-5636.html
   https://www.suse.com/security/cve/CVE-2016-5699.html
   https://bugzilla.suse.com/951166
   https://bugzilla.suse.com/983582
   https://bugzilla.suse.com/984751
   https://bugzilla.suse.com/985177
   https://bugzilla.suse.com/985348
   https://bugzilla.suse.com/989523
   https://bugzilla.suse.com/991069
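
The CVE-2016-1000110 item above, as an added Python example (not code from SUSE or from the Python project): a CGI gateway maps each request header to an HTTP_<NAME> variable, so a client's Proxy header arrives as HTTP_PROXY. The function names and header values are assumptions made for the illustration; safe_proxies is modelled on the REQUEST_METHOD check in upstream CPython's urllib and does not reproduce the SUSE patch.

```python
# Added illustration for CVE-2016-1000110; not code from SUSE or CPython.
# Header values below are constructed sample data.

def cgi_environ(headers, base=None):
    """Map request headers to CGI meta-variables (RFC 3875: HTTP_<NAME>)."""
    env = dict(base or {})
    for name, value in headers:
        key = name.upper().replace("-", "_")
        if key in ("CONTENT_TYPE", "CONTENT_LENGTH"):
            env[key] = value              # these two carry no HTTP_ prefix
        else:
            env["HTTP_" + key] = value    # "Proxy" becomes HTTP_PROXY here
    return env

def strip_proxy_header(headers):
    """Gateway-side mitigation: drop the Proxy header before mapping."""
    return [(n, v) for n, v in headers if n.strip().lower() != "proxy"]

def safe_proxies(environ):
    """Client-side mitigation: resolve *_proxy settings, but distrust the
    upper-case HTTP_PROXY when REQUEST_METHOD marks a CGI context."""
    proxies = {}
    for name, value in environ.items():           # pass 1: any case
        if value and name.lower().endswith("_proxy"):
            proxies[name.lower()[:-6]] = value
    if "REQUEST_METHOD" in environ:                # running as a CGI script
        proxies.pop("http", None)
    for name, value in environ.items():           # pass 2: lower-case only
        if value and name.endswith("_proxy"):
            proxies[name[:-6]] = value
    return proxies

if __name__ == "__main__":
    request_headers = [("Host", "app.example"),
                       ("Proxy", "http://203.0.113.7:8080")]   # constructed
    env = cgi_environ(request_headers, {"REQUEST_METHOD": "GET"})
    print("HTTP_PROXY seen by the script:", env.get("HTTP_PROXY"))
    print("proxies after the CGI check:  ", safe_proxies(env))
    clean = cgi_environ(strip_proxy_header(request_headers))
    print("HTTP_PROXY after stripping:   ", clean.get("HTTP_PROXY"))
```

A lower-case http_proxy set by the administrator still takes effect in safe_proxies, because a request header can only produce the upper-case HTTP_ form.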


