SUSE-CU-2022:1435-1: Security update of bci/python
sle-security-updates at lists.suse.com
sle-security-updates at lists.suse.com
Thu Jul 7 08:17:07 UTC 2022
SUSE Container Update Advisory: bci/python
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2022:1435-1
Container Tags : bci/python:3 , bci/python:3.10 , bci/python:3.10-4.10 , bci/python:latest
Container Release : 4.10
Severity : important
Type : security
References : 1185637 1196025 1196026 1196168 1196169 1196171 1196784 1198511
1199166 1200550 1200734 1200735 1200736 1200737 1201099 CVE-2015-20107
CVE-2022-1292 CVE-2022-2068 CVE-2022-2097 CVE-2022-25235 CVE-2022-25236
CVE-2022-25313 CVE-2022-25314 CVE-2022-25315 CVE-2022-32205 CVE-2022-32206
CVE-2022-32207 CVE-2022-32208
-----------------------------------------------------------------
The container bci/python was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2291-1
Released: Wed Jul 6 13:04:37 2022
Summary: Security update for python310
Type: security
Severity: important
References: 1198511,CVE-2015-20107
This update for python310 fixes the following issues:
- CVE-2015-20107: avoid command injection in the mailcap module (bsc#1198511).
- Update to 3.10.5:
- Core and Builtins
- gh-93418: Fixed an assert where an f-string has an equal
sign '=' following an expression, but there's no trailing
brace. For example, f'{i='.
- gh-91924: Fix __ltrace__ debug feature if the stdout
encoding is not UTF-8. Patch by Victor Stinner.
- gh-93061: Backward jumps after async for loops are no
longer given dubious line numbers.
- gh-93065: Fix contextvars HAMT implementation to handle
iteration over deep trees.
- The bug was discovered and fixed by Eli Libman. See
MagicStack/immutables#84 for more details.
- gh-92311: Fixed a bug where setting frame.f_lineno to jump
over a list comprehension could misbehave or crash.
- gh-92112: Fix crash triggered by an evil custom mro() on
a metaclass.
- gh-92036: Fix a crash in subinterpreters related to the
garbage collector. When a subinterpreter is deleted,
untrack all objects tracked by its GC. To prevent a crash
in deallocator functions expecting objects to be tracked by
the GC, leak a strong reference to these objects on
purpose, so they are never deleted and their deallocator
functions are not called. Patch by Victor Stinner.
- gh-91421: Fix a potential integer overflow in
_Py_DecodeUTF8Ex.
- bpo-47212: Raise IndentationError instead of SyntaxError
for a bare except with no following indent. Improve
SyntaxError locations for an un-parenthesized generator
used as arguments. Patch by Matthieu Dartiailh.
- bpo-47182: Fix a crash when using a named unicode character
like '\N{digit nine}' after the main interpreter has been
initialized a second time.
- bpo-47117: Fix a crash if we fail to decode characters in
interactive mode if the tokenizer buffers are
uninitialized. Patch by Pablo Galindo.
- bpo-39829: Removed the __len__() call when initializing
a list and moved initializing to list_extend. Patch by
Jeremiah Pascual.
- bpo-46962: Classes and functions that unconditionally
declared their docstrings ignoring the
--without-doc-strings compilation flag no longer do so.
- The classes affected are ctypes.UnionType,
pickle.PickleBuffer, testcapi.RecursingInfinitelyError, and
types.GenericAlias.
- The functions affected are 24 methods in ctypes.
- Patch by Oleg Iarygin.
- bpo-36819: Fix crashes in built-in encoders with error
handlers that return position less or equal than the
starting position of non-encodable characters.
- Library
- gh-93156: Accessing the pathlib.PurePath.parents sequence
of an absolute path using negative index values produced
incorrect results.
- gh-89973: Fix re.error raised in fnmatch if the pattern
contains a character range with upper bound lower than
lower bound (e.g. [c-a]). Now such ranges are interpreted
as empty ranges.
- gh-93010: In a very special case, the email package tried
to append the nonexistent InvalidHeaderError to the defect
list. It should have been InvalidHeaderDefect.
- gh-92839: Fixed crash resulting from calling
bisect.insort() or bisect.insort_left() with the key
argument not equal to None.
- gh-91581: utcfromtimestamp() no longer attempts to resolve
fold in the pure Python implementation, since the fold is
never 1 in UTC. In addition to being slightly faster in the
common case, this also prevents some errors when the
timestamp is close to datetime.min. Patch by Paul Ganssle.
- gh-92530: Fix an issue that occurred after interrupting
threading.Condition.notify().
- gh-92049: Forbid pickling constants re._constants.SUCCESS
etc. Previously, pickling did not fail, but the result
could not be unpickled.
- bpo-47029: Always close the read end of the pipe used by
multiprocessing.Queue after the last write of buffered data
to the write end of the pipe to avoid BrokenPipeError at
garbage collection and at multiprocessing.Queue.close()
calls. Patch by Géry Ogam.
- gh-91401: Provide a fail-safe way to disable subprocess use
of vfork() via a private subprocess._USE_VFORK attribute.
While there is currently no known need for this, if you
find a need please only set it to False. File a CPython
issue as to why you needed it and link to that from
a comment in your code. This attribute is documented as
a footnote in 3.11.
- gh-91910: Add missing f prefix to f-strings in error
messages from the multiprocessing and asyncio modules.
- gh-91810: ElementTree method write() and function
tostring() now use the text file's encoding ('UTF-8' if not
available) instead of locale encoding in XML declaration
when encoding='unicode' is specified.
- gh-91832: Add required attribute to argparse.Action repr
output.
- gh-91700: Compilation of regular expression containing
a conditional expression (?(group)...) now raises an
appropriate re.error if the group number refers to not
defined group. Previously an internal RuntimeError was
raised.
- gh-91676: Fix unittest.IsolatedAsyncioTestCase to shutdown
the per test event loop executor before returning from its
run method so that a not yet stopped or garbage collected
executor state does not persist beyond the test.
- gh-90568: Parsing \N escapes of Unicode Named Character
Sequences in a regular expression raises now re.error
instead of TypeError.
- gh-91595: Fix the comparison of character and integer
inside Tools.gdb.libpython.write_repr(). Patch by Yu Liu.
- gh-90622: Worker processes for
concurrent.futures.ProcessPoolExecutor are no longer
spawned on demand (a feature added in 3.9) when the
multiprocessing context start method is 'fork' as that can
lead to deadlocks in the child processes due to a fork
happening while threads are running.
- gh-91575: Update case-insensitive matching in the re module
to the latest Unicode version.
- gh-91581: Remove an unhandled error case in the
C implementation of calls to datetime.fromtimestamp with no
time zone (i.e. getting a local time from an epoch
timestamp). This should have no user-facing effect other
than giving a possibly more accurate error message when
called with timestamps that fall on 10000-01-01 in the
local time. Patch by Paul Ganssle.
- bpo-47260: Fix os.closerange() potentially being a no-op in
a Linux seccomp sandbox.
- bpo-39064: zipfile.ZipFile now raises zipfile.BadZipFile
instead of ValueError when reading a corrupt zip file in
which the central directory offset is negative.
- bpo-47151: When subprocess tries to use vfork, it now falls
back to fork if vfork returns an error. This allows use in
situations where vfork isn't allowed by the OS kernel.
- bpo-27929: Fix asyncio.loop.sock_connect() to only resolve
names for socket.AF_INET or socket.AF_INET6 families.
Resolution may not make sense for other families, like
socket.AF_BLUETOOTH and socket.AF_UNIX.
- bpo-43323: Fix errors in the email module if the charset
itself contains undecodable/unencodable characters.
- bpo-47101: hashlib.algorithms_available now lists only
algorithms that are provided by activated crypto providers
on OpenSSL 3.0. Legacy algorithms are not listed unless the
legacy provider has been loaded into the default OSSL
context.
- bpo-46787: Fix concurrent.futures.ProcessPoolExecutor
exception memory leak
- bpo-45393: Fix the formatting for await x and not x in the
operator precedence table when using the help() system.
- bpo-46415: Fix ipaddress.ip_{address,interface,network}
raising TypeError instead of ValueError if given invalid
tuple as address parameter.
- bpo-28249: Set doctest.DocTest.lineno to None when object
does not have __doc__.
- bpo-45138: Fix a regression in the sqlite3 trace callback
where bound parameters were not expanded in the passed
statement string. The regression was introduced in Python
3.10 by bpo-40318. Patch by Erlend E. Aasland.
- bpo-44493: Add missing terminated NUL in sockaddr_un's
length
- This was potentially observable when using non-abstract
AF_UNIX datagram sockets to processes written in another
programming language.
- bpo-42627: Fix incorrect parsing of Windows registry proxy
settings
- bpo-36073: Raise ProgrammingError instead of segfaulting on
recursive usage of cursors in sqlite3 converters. Patch by
Sergey Fedoseev.
- Documentation
- gh-86438: Clarify that -W and PYTHONWARNINGS are matched
literally and case-insensitively, rather than as regular
expressions, in warnings.
- gh-92240: Added release dates for 'What's New in Python
3.X' for 3.0, 3.1, 3.2, 3.8 and 3.10
- gh-91888: Add a new gh role to the documentation to link to
GitHub issues.
- gh-91783: Document security issues concerning the use of
the function shutil.unpack_archive()
- gh-91547: Remove 'Undocumented modules' page.
- bpo-44347: Clarify the meaning of dirs_exist_ok, a kwarg of
shutil.copytree().
- bpo-38668: Update the introduction to documentation for
os.path to remove warnings that became irrelevant after the
implementations of PEP 383 and PEP 529.
- bpo-47138: Pin Jinja to a version compatible with Sphinx
version 3.2.1.
- bpo-46962: All docstrings in code snippets are now wrapped
into PyDoc_STR() to follow the guideline of PEP 7's
Documentation Strings paragraph. Patch by Oleg Iarygin.
- bpo-26792: Improve the docstrings of runpy.run_module() and
runpy.run_path(). Original patch by Andrew Brezovsky.
- bpo-40838: Document that inspect.getdoc(),
inspect.getmodule(), and inspect.getsourcefile() might
return None.
- bpo-45790: Adjust inaccurate phrasing in Defining Extension
Types: Tutorial about the ob_base field and the macros used
to access its contents.
- bpo-42340: Document that in some circumstances
KeyboardInterrupt may cause the code to enter an
inconsistent state. Provided a sample workaround to avoid
it if needed.
- bpo-41233: Link the errnos referenced in
Doc/library/exceptions.rst to their respective section in
Doc/library/errno.rst, and vice versa. Previously this was
only done for EINTR and InterruptedError. Patch by Yan
'yyyyyyyan' Orestes.
- bpo-38056: Overhaul the Error Handlers documentation in
codecs.
- bpo-13553: Document tkinter.Tk args.
- Tests
- gh-92886: Fixing tests that fail when running with
optimizations (-O) in test_imaplib.py.
- gh-92670: Skip
test_shutil.TestCopy.test_copyfile_nonexistent_dir test on
AIX as the test uses a trailing slash to force the OS
consider the path as a directory, but on AIX the trailing
slash has no effect and is considered as a file.
- gh-91904: Fix initialization of
PYTHONREGRTEST_UNICODE_GUARD which prevented running
regression tests on non-UTF-8 locale.
- gh-91607: Fix test_concurrent_futures to test the correct
multiprocessing start method context in several cases where
the test logic mixed this up.
- bpo-47205: Skip test for sched_getaffinity() and
sched_setaffinity() error case on FreeBSD.
- bpo-47104: Rewrite asyncio.to_thread() tests to use
unittest.IsolatedAsyncioTestCase.
- bpo-29890: Add tests for ipaddress.IPv4Interface and
ipaddress.IPv6Interface construction with tuple arguments.
Original patch and tests by louisom.
- Tools/Demos
- gh-91583: Fix regression in the code generated by Argument
Clinic for functions with the defining_class parameter.
- Update to 3.10.4:
- bpo-46968: Check for the existence of the 'sys/auxv.h' header
in faulthandler to avoid compilation problems in systems
where this header doesn't exist. Patch by Pablo Galindo
- bpo-23691: Protect the re.finditer() iterator from
re-entering.
- bpo-42369: Fix thread safety of zipfile._SharedFile.tell() to
avoid a 'zipfile.BadZipFile: Bad CRC-32 for file' exception
when reading a ZipFile from multiple threads.
- bpo-38256: Fix binascii.crc32() when it is compiled to use
zlib'c crc32 to work properly on inputs 4+GiB in length
instead of returning the wrong result. The workaround prior
to this was to always feed the function data in increments
smaller than 4GiB or to just call the zlib module function.
- bpo-39394: A warning about inline flags not at the start of
the regular expression now contains the position of the flag.
- bpo-47061: Deprecate the various modules listed by PEP 594:
- aifc, asynchat, asyncore, audioop, cgi, cgitb, chunk, crypt,
imghdr, msilib, nntplib, nis, ossaudiodev, pipes, smtpd,
sndhdr, spwd, sunau, telnetlib, uu, xdrlib
- bpo-2604: Fix bug where doctests using globals would fail
when run multiple times.
- bpo-45997: Fix asyncio.Semaphore re-aquiring FIFO order.
- bpo-47022: The asynchat, asyncore and smtpd modules have been
deprecated since at least Python 3.6. Their documentation and
deprecation warnings and have now been updated to note they
will removed in Python 3.12 (PEP 594).
- bpo-46421: Fix a unittest issue where if the command was
invoked as python -m unittest and the filename(s) began with
a dot (.), a ValueError is returned.
- bpo-40296: Fix supporting generic aliases in pydoc.
- Update to 3.10.3:
- bpo-46940: Avoid overriding AttributeError metadata
information for nested attribute access calls. Patch by Pablo
Galindo.
- bpo-46852: Rename the private undocumented
float.__set_format__() method to float.__setformat__() to fix
a typo introduced in Python 3.7. The method is only used by
test_float. Patch by Victor Stinner.
- bpo-46794: Bump up the libexpat version into 2.4.6
- bpo-46820: Fix parsing a numeric literal immediately (without
spaces) followed by 'not in' keywords, like in 1not in x. Now
the parser only emits a warning, not a syntax error.
- bpo-46762: Fix an assert failure in debug builds when a '<',
'>', or '=' is the last character in an f-string that's
missing a closing right brace.
- bpo-46724: Make sure that all backwards jumps use the
JUMP_ABSOLUTE instruction, rather than JUMP_FORWARD with an
argument of (2**32)+offset.
- bpo-46732: Correct the docstring for the __bool__() method.
Patch by Jelle Zijlstra.
- bpo-46707: Avoid potential exponential backtracking when
producing some syntax errors involving lots of brackets.
Patch by Pablo Galindo.
- bpo-40479: Add a missing call to va_end() in
Modules/_hashopenssl.c.
- bpo-46615: When iterating over sets internally in
setobject.c, acquire strong references to the resulting items
from the set. This prevents crashes in corner-cases of
various set operations where the set gets mutated.
- bpo-45773: Remove two invalid 'peephole' optimizations from
the bytecode compiler.
- bpo-43721: Fix docstrings of getter, setter, and deleter to
clarify that they create a new copy of the property.
- bpo-46503: Fix an assert when parsing some invalid N escape
sequences in f-strings.
- bpo-46417: Fix a race condition on setting a type __bases__
attribute: the internal function add_subclass() now gets the
PyTypeObject.tp_subclasses member after calling
PyWeakref_NewRef() which can trigger a garbage collection
which can indirectly modify PyTypeObject.tp_subclasses. Patch
by Victor Stinner.
- bpo-46383: Fix invalid signature of _zoneinfo's module_free
function to resolve a crash on wasm32-emscripten platform.
- bpo-46070: Py_EndInterpreter() now explicitly untracks all
objects currently tracked by the GC. Previously, if an object
was used later by another interpreter, calling
PyObject_GC_UnTrack() on the object crashed if the previous
or the next object of the PyGC_Head structure became
a dangling pointer. Patch by Victor Stinner.
- bpo-46339: Fix a crash in the parser when retrieving the
error text for multi-line f-strings expressions that do not
start in the first line of the string. Patch by Pablo Galindo
- bpo-46240: Correct the error message for unclosed parentheses
when the tokenizer doesn't reach the end of the source when
the error is reported. Patch by Pablo Galindo
- bpo-46091: Correctly calculate indentation levels for lines
with whitespace character that are ended by line continuation
characters. Patch by Pablo Galindo
- bpo-43253: Fix a crash when closing transports where the
underlying socket handle is already invalid on the Proactor
event loop.
- bpo-47004: Apply bugfixes from importlib_metadata 4.11.3,
including bugfix for EntryPoint.extras, which was returning
match objects and not the extras strings.
- bpo-46985: Upgrade pip wheel bundled with ensurepip (pip
22.0.4)
- bpo-46968: faulthandler: On Linux 5.14 and newer, dynamically
determine size of signal handler stack size CPython allocates
using getauxval(AT_MINSIGSTKSZ). This changes allows for
Python extension's request to Linux kernel to use AMX_TILE
instruction set on Sapphire Rapids Xeon processor to succeed,
unblocking use of the ISA in frameworks.
- bpo-46955: Expose asyncio.base_events.Server as
asyncio.Server. Patch by Stefan Zabka.
- bpo-23325: The signal module no longer assumes that SIG_IGN
and SIG_DFL are small int singletons.
- bpo-46932: Update bundled libexpat to 2.4.7
- bpo-25707: Fixed a file leak in
xml.etree.ElementTree.iterparse() when the iterator is not
exhausted. Patch by Jacob Walls.
- bpo-44886: Inherit asyncio proactor datagram transport from
asyncio.DatagramTransport.
- bpo-46827: Support UDP sockets in asyncio.loop.sock_connect()
for selector-based event loops. Patch by Thomas Grainger.
- bpo-46811: Make test suite support Expat >=2.4.5
- bpo-46252: Raise TypeError if ssl.SSLSocket is passed to
transport-based APIs.
- bpo-46784: Fix libexpat symbols collisions with user
dynamically loaded or statically linked libexpat in embedded
Python.
- bpo-39327: shutil.rmtree() can now work with VirtualBox
shared folders when running from the guest operating-system.
- bpo-46756: Fix a bug in
urllib.request.HTTPPasswordMgr.find_user_password() and
urllib.request.HTTPPasswordMgrWithPriorAuth.is_authenticated()
which allowed to bypass authorization. For example, access to
URI example.org/foobar was allowed if the user was authorized
for URI example.org/foo.
- bpo-46643: In typing.get_type_hints(), support evaluating
stringified ParamSpecArgs and ParamSpecKwargs annotations.
Patch by Gregory Beauregard.
- bpo-45863: When the tarfile module creates a pax format
archive, it will put an integer representation of timestamps
in the ustar header (if possible) for the benefit of older
unarchivers, in addition to the existing full-precision
timestamps in the pax extended header.
- bpo-46676: Make typing.ParamSpec args and kwargs equal to
themselves. Patch by Gregory Beauregard.
- bpo-46672: Fix NameError in asyncio.gather() when initial
type check fails.
- bpo-46655: In typing.get_type_hints(), support evaluating
bare stringified TypeAlias annotations. Patch by Gregory
Beauregard.
- bpo-45948: Fixed a discrepancy in the C implementation of the
xml.etree.ElementTree module. Now, instantiating an
xml.etree.ElementTree.XMLParser with a target=None keyword
provides a default xml.etree.ElementTree.TreeBuilder target
as the Python implementation does.
- bpo-46521: Fix a bug in the codeop module that was
incorrectly identifying invalid code involving string quotes
as valid code.
- bpo-46581: Brings ParamSpec propagation for GenericAlias in
line with Concatenate (and others).
- bpo-46591: Make the IDLE doc URL on the About IDLE dialog
clickable.
- bpo-46400: expat: Update libexpat from 2.4.1 to 2.4.4
- bpo-46487: Add the get_write_buffer_limits method to
asyncio.transports.WriteTransport and to the SSL transport.
- bpo-45173: Note the configparser deprecations will be removed
in Python 3.12.
- bpo-46539: In typing.get_type_hints(), support evaluating
stringified ClassVar and Final annotations inside Annotated.
Patch by Gregory Beauregard.
- bpo-46491: Allow typing.Annotated to wrap typing.Final and
typing.ClassVar. Patch by Gregory Beauregard.
- bpo-46436: Fix command-line option -d/--directory in module
http.server which is ignored when combined with command-line
option --cgi. Patch by Géry Ogam.
- bpo-41403: Make mock.patch() raise a TypeError with
a relevant error message on invalid arg. Previously it
allowed a cryptic AttributeError to escape.
- bpo-46474: In importlib.metadata.EntryPoint.pattern, avoid
potential REDoS by limiting ambiguity in consecutive
whitespace.
- bpo-46469: asyncio generic classes now return
types.GenericAlias in __class_getitem__ instead of the same
class.
- bpo-46434: pdb now gracefully handles help when __doc__ is
missing, for example when run with pregenerated optimized
.pyc files.
- bpo-46333: The __eq__() and __hash__() methods of
typing.ForwardRef now honor the module parameter of
typing.ForwardRef. Forward references from different modules
are now differentiated.
- bpo-46246: Add missing __slots__ to
importlib.metadata.DeprecatedList. Patch by Arie Bovenberg.
- bpo-46266: Improve day constants in calendar.
- Now all constants (MONDAY ... SUNDAY) are documented, tested,
and added to __all__.
- bpo-46232: The ssl module now handles certificates with bit
strings in DN correctly.
- bpo-43118: Fix a bug in inspect.signature() that was causing
it to fail on some subclasses of classes with
a __text_signature__ referencing module globals. Patch by
Weipeng Hong.
- bpo-26552: Fixed case where failing asyncio.ensure_future()
did not close the coroutine. Patch by Kumar Aditya.
- bpo-21987: Fix an issue with tarfile.TarFile.getmember()
getting a directory name with a trailing slash.
- bpo-20392: Fix inconsistency with uppercase file extensions
in MimeTypes.guess_type(). Patch by Kumar Aditya.
- bpo-46080: Fix exception in argparse help text generation if
a argparse.BooleanOptionalAction argument's default is
argparse.SUPPRESS and it has help specified. Patch by Felix
Fontein.
- bpo-44439: Fix .write() method of a member file in ZipFile,
when the input data is an object that supports the buffer
protocol, the file length may be wrong.
- bpo-45703: When a namespace package is imported before
another module from the same namespace is created/installed
in a different sys.path location while the program is
running, calling the importlib.invalidate_caches() function
will now also guarantee the new module is noticed.
- bpo-24959: Fix bug where unittest sometimes drops frames from
tracebacks of exceptions raised in tests.
- bpo-44791: Fix substitution of ParamSpec in Concatenate with
different parameter expressions. Substitution with a list of
types returns now a tuple of types. Substitution with
Concatenate returns now a Concatenate with concatenated lists
of arguments.
- bpo-14156: argparse.FileType now supports an argument of '-'
in binary mode, returning the .buffer attribute of
sys.stdin/sys.stdout as appropriate. Modes including 'x' and
'a' are treated equivalently to 'w' when argument is '-'.
Patch contributed by Josh Rosenberg
- bpo-46463: Fixes escape4chm.py script used when building the
CHM documentation file
- bpo-46913: Fix test_faulthandler.test_sigfpe() if Python is
built with undefined behavior sanitizer (UBSAN): disable
UBSAN on the faulthandler_sigfpe() function. Patch by Victor
Stinner.
- bpo-46708: Prevent default asyncio event loop policy
modification warning after test_asyncio execution.
- bpo-46678: The function make_legacy_pyc in
Lib/test/support/import_helper.py no longer fails when
PYTHONPYCACHEPREFIX is set to a directory on a different
device from where tempfiles are stored.
- bpo-46616: Ensures test_importlib.test_windows cleans up
registry keys after completion.
- bpo-44359: test_ftplib now silently ignores socket errors to
prevent logging unhandled threading exceptions. Patch by
Victor Stinner.
- bpo-46542: Fix a Python crash in test_lib2to3 when using
Python built in debug mode: limit the recursion limit. Patch
by Victor Stinner.
- bpo-46576: test_peg_generator now disables compiler
optimization when testing compilation of its own C extensions
to significantly speed up the testing on non-debug builds of
CPython.
- bpo-46542: Fix test_json tests checking for RecursionError:
modify these tests to use support.infinite_recursion(). Patch
by Victor Stinner.
- bpo-13886: Skip test_builtin PTY tests on non-ASCII
characters if the readline module is loaded. The readline
module changes input() behavior, but test_builtin is not
intented to test the readline module. Patch by Victor
Stinner.
- bpo-38472: Fix GCC detection in setup.py when
cross-compiling. The C compiler is now run with LC_ALL=C.
Previously, the detection failed with a German locale.
- bpo-46513: configure no longer uses AC_C_CHAR_UNSIGNED macro
and pyconfig.h no longer defines reserved symbol
__CHAR_UNSIGNED__.
- bpo-45296: Clarify close, quit, and exit in IDLE. In the File
menu, 'Close' and 'Exit' are now 'Close Window' (the current
one) and 'Exit' is now 'Exit IDLE' (by closing all windows).
In Shell, 'quit()' and 'exit()' mean 'close Shell'. If there
are no other windows, this also exits IDLE.
- bpo-45447: Apply IDLE syntax highlighting to pyi files. Patch
by Alex Waygood and Terry Jan Reedy.
- bpo-46433: The internal function _PyType_GetModuleByDef now
correctly handles inheritance patterns involving static
types.
- bpo-14916: Fixed bug in the tokenizer that prevented
PyRun_InteractiveOne from parsing from the provided FD.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2294-1
Released: Wed Jul 6 13:34:15 2022
Summary: Security update for expat
Type: security
Severity: important
References: 1196025,1196026,1196168,1196169,1196171,1196784,CVE-2022-25235,CVE-2022-25236,CVE-2022-25313,CVE-2022-25314,CVE-2022-25315
This update for expat fixes the following issues:
- CVE-2022-25236: Fixed possible namespace-separator characters insertion into namespace URIs (bsc#1196025).
- Fixed a regression caused by the patch for CVE-2022-25236 (bsc#1196784).
- CVE-2022-25235: Fixed UTF-8 character validation in a certain context (bsc#1196026).
- CVE-2022-25313: Fixed stack exhaustion in build_model() via uncontrolled recursion (bsc#1196168).
- CVE-2022-25314: Fixed integer overflow in copyString (bsc#1196169).
- CVE-2022-25315: Fixed integer overflow in storeRawNames (bsc#1196171).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2305-1
Released: Wed Jul 6 13:38:42 2022
Summary: Security update for curl
Type: security
Severity: important
References: 1200734,1200735,1200736,1200737,CVE-2022-32205,CVE-2022-32206,CVE-2022-32207,CVE-2022-32208
This update for curl fixes the following issues:
- CVE-2022-32205: Set-Cookie denial of service (bsc#1200734)
- CVE-2022-32206: HTTP compression denial of service (bsc#1200735)
- CVE-2022-32207: Unpreserved file permissions (bsc#1200736)
- CVE-2022-32208: FTP-KRB bad message verification (bsc#1200737)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2308-1
Released: Wed Jul 6 14:15:13 2022
Summary: Security update for openssl-1_1
Type: security
Severity: important
References: 1185637,1199166,1200550,1201099,CVE-2022-1292,CVE-2022-2068,CVE-2022-2097
This update for openssl-1_1 fixes the following issues:
- CVE-2022-1292: Fixed command injection in c_rehash (bsc#1199166).
- CVE-2022-2068: Fixed more shell code injection issues in c_rehash. (bsc#1200550)
- CVE-2022-2097: Fixed partial missing encryption in AES OCB mode (bsc#1201099).
The following package changes have been done:
- libopenssl1_1-1.1.1l-150400.7.7.1 updated
- libopenssl1_1-hmac-1.1.1l-150400.7.7.1 updated
- libcurl4-7.79.1-150400.5.3.1 updated
- openssl-1_1-1.1.1l-150400.7.7.1 updated
- curl-7.79.1-150400.5.3.1 updated
- libexpat1-2.4.4-150400.3.6.9 updated
- libpython3_10-1_0-3.10.5-150400.4.7.1 updated
- python310-base-3.10.5-150400.4.7.1 updated
- python310-3.10.5-150400.4.7.1 updated
- container:sles15-image-15.0.0-27.8.3 updated
More information about the sle-security-updates
mailing list