SUSE-SU-2021:0048-1: moderate: Security update for python-defusedxml, python-freezegun, python-pkgconfig, python-python3-saml, python-xmlsec
sle-security-updates at lists.suse.com
Fri Jan 8 10:18:07 MST 2021
SUSE Security Update: Security update for python-defusedxml, python-freezegun, python-pkgconfig, python-python3-saml, python-xmlsec
______________________________________________________________________________
Announcement ID: SUSE-SU-2021:0048-1
Rating: moderate
References: #1019074 #1041090 #1177200
Cross-References: CVE-2017-11427
Affected Products:
SUSE Enterprise Storage 6
______________________________________________________________________________
An update that solves one vulnerability and has two fixes
is now available.
Description:
This update for python-defusedxml, python-freezegun, python-pkgconfig,
python-python3-saml, python-xmlsec fixes the following issues:
- Update to 0.6.0
- Increase test coverage.
- Add badges to README.
- Test on Python 3.7 stable and 3.8-dev
- Drop support for Python 3.4
- No longer pass *html* argument to XMLParse. It has been deprecated and
ignored for a long time. The DefusedXMLParser still takes a html
argument. A deprecation warning is issued when the argument is False
and a TypeError when it's True.
- defusedxml now fails early when pyexpat stdlib module is not available
or broken.
- defusedxml.ElementTree.__all__ now lists ParseError as public
attribute.
- The defusedxml.ElementTree and defusedxml.cElementTree modules had a
typo and used XMLParse instead of XMLParser as an alias for
DefusedXMLParser. Both the old and fixed name are now available.
- Remove superfluous devel dependency for noarch package
- Update to 5.0
* Add compatibility with Python 3.6
* Drop support for Python 2.6, 3.1, 3.2, 3.3
* Fix lxml tests (XMLSyntaxError: Detected an entity reference loop)
- Implement single-spec version.
- Dummy changelog for bsc#1019074, FATE#322329
- Add dependency on the full python (which is not pulled by setuptools
anymore). Use %{pythons} macro now. (bsc#1177200)
- Upgrade to 0.3.12:
* Refactor classes to functions
* Ignore Selenium
* Move to pytest
* Conditionally patch time.clock (removed in 3.8)
* Patch time.time_ns added in Python 3.7
- Do not require python2 module for building python3 module
- Update to 0.3.11:
* Performance improvements
* Fix nesting time.time
* Add nanosecond property
- Remove superfluous devel dependency for noarch package
- Add remove_dependency_on_mock.patch which removes dependency on
python-mock for Python 3, where it is not required.
- update to 0.3.10
* Performance improvements
* Coroutine support
- update to version 0.3.9
* If no time to be frozen, use current time
* Fix uuid1 issues
* Add support for python 3.6
- update to version 0.3.8
* Improved unpatching when importing modules after freeze_time start()
* Add manual increment via tick method
* Fix bug with time.localtime not being reset. Closes #112.
* Fix test to work when current timezone is GMT-14 or GMT+14.
* Fixed #162 - allow decorating old-style classes.
* Add support to PyMySQL
* Assume the default time to freeze is "now".
* Register fake types in PyMySQL conversions
* Ignore threading and Queue modules. Closes #129.
* Lock down coverage version since new coverage doesn't support py3.2
* Fix for py3 astimezone and not passing tz. Closes #138.
* Add note about default arguments. Closes #140.
* Add license info. Closes #120.
- Update to 0.3.5
* No upstream changelog
- Remove unneeded freeze_hideDeps.patch
- Use download URL as source
- Use tarball provided by pypi
- update to 1.5.1
* Use poetry instead of setuptools directly
* Fix #42: raise exception if package is missing
* Fix version parsing for openssl-like version numbers, fixes #32
* Add boolean static keyword to output private libraries as well
* Raise original OSError as well
- Add missing test dependency pkgconfig
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- SUSE Enterprise Storage 6:
zypper in -t patch SUSE-Storage-6-2021-48=1
Package List:
- SUSE Enterprise Storage 6 (aarch64 x86_64):
python3-xmlsec-1.3.6-1.5.1
python3-xmlsec-debuginfo-1.3.6-1.5.1
- SUSE Enterprise Storage 6 (noarch):
python3-defusedxml-0.6.0-1.5.1
python3-freezegun-0.3.12-1.5.1
python3-isodate-0.6.0-1.3.2
python3-pkgconfig-1.5.1-1.5.1
python3-python3-saml-1.9.0-1.5.2
References:
https://www.suse.com/security/cve/CVE-2017-11427.html
https://bugzilla.suse.com/1019074
https://bugzilla.suse.com/1041090
https://bugzilla.suse.com/1177200