SUSE-SU-2023:0707-1: important: Security update for python39

sle-security-updates at lists.suse.com
Fri Mar 10 16:30:09 UTC 2023



# Security update for python39

Announcement ID: SUSE-SU-2023:0707-1  
Rating: important  
References:

  * #1208471

  
Cross-References:

  * CVE-2015-20107
  * CVE-2022-37454
  * CVE-2022-42919
  * CVE-2022-45061
  * CVE-2023-24329

  
CVSS scores:

  * CVE-2015-20107 ( SUSE ):  7.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
  * CVE-2015-20107 ( NVD ):  7.6 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
  * CVE-2022-37454 ( SUSE ):  8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
  * CVE-2022-37454 ( NVD ):  9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  * CVE-2022-42919 ( SUSE ):  7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  * CVE-2022-42919 ( NVD ):  7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  * CVE-2022-45061 ( SUSE ):  6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  * CVE-2022-45061 ( NVD ):  7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2023-24329 ( SUSE ):  7.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
  * CVE-2023-24329 ( NVD ):  7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

  
Affected Products:

  * openSUSE Leap 15.4
  * SUSE Enterprise Storage 7.1
  * SUSE Linux Enterprise High Performance Computing 15 SP3
  * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3
  * SUSE Linux Enterprise High Performance Computing LTSS 15 SP3
  * SUSE Linux Enterprise Real Time 15 SP3
  * SUSE Linux Enterprise Server 15 SP3
  * SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3
  * SUSE Linux Enterprise Server for SAP Applications 15 SP3
  * SUSE Manager Proxy 4.2
  * SUSE Manager Retail Branch Server 4.2
  * SUSE Manager Server 4.2

  
  
An update that solves five vulnerabilities can now be installed.

## Description:

This update for python39 fixes the following issues:

  * CVE-2023-24329: Fixed a blocklist bypass in the urllib.parse component when
    a URL that starts with blank characters is supplied (bsc#1208471).
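The following is an added example, not code from the advisory or from CPython. It shows the defensive pattern behind the CVE-2023-24329 fix: strip leading blank and control characters before parsing, so that a scheme allowlist or blocklist applied to the parsed result gives the same answer on patched and unpatched interpreters. The character class, the allowed and blocked scheme sets and the sample URLs are assumptions made for this example.

```python
"""Added example (not part of the SUSE advisory or of CPython): a scheme
check that normalises leading blank characters before calling urlsplit.

CVE-2023-24329 concerns urllib.parse not stripping blank characters at the
start of a URL, so a blocklist or allowlist applied to the parsed scheme
could be bypassed. Stripping the same class of characters ourselves first
makes the decision independent of whether the interpreter is patched.
"""
import re
from urllib.parse import urlsplit

# Leading ASCII control characters (U+0000..U+001F) and the space character.
# Assumption for this example: this is the class of "blank" characters that
# must not be allowed to hide the scheme from the check.
_LEADING_BLANKS = re.compile(r"^[\x00-\x20]+")

# Constructed policy for the example.
ALLOWED_SCHEMES = frozenset({"http", "https"})
BLOCKED_SCHEMES = frozenset({"file", "ftp"})


def normalize_url(url: str) -> str:
    """Strip leading blank/control characters before parsing."""
    return _LEADING_BLANKS.sub("", url)


def scheme_of(url: str) -> str:
    """Scheme of the URL after normalisation, lower-cased ('' if absent)."""
    return urlsplit(normalize_url(url)).scheme.lower()


def is_allowed(url: str, allowed=ALLOWED_SCHEMES) -> bool:
    """Allowlist decision: True only for an explicit allowed scheme.

    An empty scheme is rejected rather than treated as "relative, therefore
    harmless": on an unpatched interpreter a leading blank makes the scheme
    parse as empty, and a check that waved empty schemes through would pass
    such a URL.
    """
    return scheme_of(url) in allowed


def is_blocked(url: str, blocked=BLOCKED_SCHEMES) -> bool:
    """Blocklist decision on the normalised URL.

    Without normalisation an unpatched urlsplit would report '' for
    " file:///...", so the blocklist would never match; after normalisation
    the scheme is 'file' and the block applies.
    """
    return scheme_of(url) in blocked


if __name__ == "__main__":
    # Constructed sample inputs for the example.
    samples = [
        "https://example.com/",
        " https://example.com/",        # leading space
        "\thttps://example.com/",       # leading tab
        "\x00file:///etc/hostname",     # leading NUL
        "example.com/no-scheme",
    ]
    for s in samples:
        print(f"{s!r:32} scheme={scheme_of(s)!r:8} "
              f"allowed={is_allowed(s)} blocked={is_blocked(s)}")
```

The allowlist form is the safer default: it rejects the empty scheme, so even a parser that leaves leading blanks in place cannot turn an absolute URL into an apparently relative one.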

Update to 3.9.16:

  * python -m http.server no longer allows terminal control characters sent
    within a garbage request to be printed to the stderr server log. This is
    done by changing the http.server BaseHTTPRequestHandler .log_message
    method to replace control characters with a \xHH hex escape before
    printing.
  * Avoid publishing the list of active per-interpreter audit hooks via the gc
    module.
  * The IDNA codec decoder used on DNS hostnames by socket or asyncio related
    name resolution functions no longer involves a quadratic algorithm. This
    prevents a potential CPU denial of service if an out-of-spec excessive
    length hostname involving bidirectional characters were decoded. Some
    protocols such as urllib http 3xx redirects potentially allow for an
    attacker to supply such a name (CVE-2015-20107).
  * Update bundled libexpat to 2.5.0.
  * Port XKCP's fix for the buffer overflows in SHA-3 (CVE-2022-37454).
  * On Linux the multiprocessing module returns to using filesystem backed
    unix domain sockets for communication with the forkserver process instead
    of the Linux abstract socket namespace. Only code that chooses to use the
    "forkserver" start method is affected. Abstract sockets have no
    permissions and could allow any user on the system in the same network
    namespace (often the whole system) to inject code into the multiprocessing
    forkserver process. This was a potential privilege escalation. Filesystem
    based socket permissions restrict this to the forkserver process user as
    was the default in Python 3.8 and earlier. This prevents Linux
    CVE-2022-42919.
  * The deprecated mailcap module now refuses to inject unsafe text
    (filenames, MIME types, parameters) into shell commands. Instead of using
    such text, it will warn and act as if a match was not found (or for test
    commands, as if the test failed).

## Patch Instructions:

To install this SUSE Important update, use the SUSE recommended installation
methods such as YaST online_update or "zypper patch".  
Alternatively, you can run the command listed for your product:

  * openSUSE Leap 15.4  
    zypper in -t patch openSUSE-SLE-15.4-2023-707=1

  * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3  
    zypper in -t patch SUSE-SLE-Product-HPC-15-SP3-ESPOS-2023-707=1

  * SUSE Linux Enterprise High Performance Computing LTSS 15 SP3  
    zypper in -t patch SUSE-SLE-Product-HPC-15-SP3-LTSS-2023-707=1

  * SUSE Linux Enterprise Real Time 15 SP3  
    zypper in -t patch SUSE-SLE-Product-RT-15-SP3-2023-707=1

  * SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3  
    zypper in -t patch SUSE-SLE-Product-SLES-15-SP3-LTSS-2023-707=1

  * SUSE Linux Enterprise Server for SAP Applications 15 SP3  
    zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP3-2023-707=1

  * SUSE Manager Proxy 4.2  
    zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.2-2023-707=1

  * SUSE Manager Retail Branch Server 4.2  
    zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.2-2023-707=1

  * SUSE Manager Server 4.2  
    zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.2-2023-707=1

  * SUSE Enterprise Storage 7.1  
    zypper in -t patch SUSE-Storage-7.1-2023-707=1

## Package List:

  * openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64)
    * python39-devel-3.9.16-150300.4.24.1
    * python39-testsuite-debuginfo-3.9.16-150300.4.24.1
    * python39-idle-3.9.16-150300.4.24.1
    * python39-3.9.16-150300.4.24.1
    * python39-base-3.9.16-150300.4.24.1
    * python39-dbm-3.9.16-150300.4.24.1
    * python39-debuginfo-3.9.16-150300.4.24.1
    * python39-tk-debuginfo-3.9.16-150300.4.24.1
    * libpython3_9-1_0-debuginfo-3.9.16-150300.4.24.1
    * python39-core-debugsource-3.9.16-150300.4.24.1
    * python39-debugsource-3.9.16-150300.4.24.1
    * python39-curses-debuginfo-3.9.16-150300.4.24.1
    * python39-curses-3.9.16-150300.4.24.1
    * python39-tools-3.9.16-150300.4.24.1
    * python39-dbm-debuginfo-3.9.16-150300.4.24.1
    * python39-doc-3.9.16-150300.4.24.1
    * python39-base-debuginfo-3.9.16-150300.4.24.1
    * python39-testsuite-3.9.16-150300.4.24.1
    * python39-tk-3.9.16-150300.4.24.1
    * python39-doc-devhelp-3.9.16-150300.4.24.1
    * libpython3_9-1_0-3.9.16-150300.4.24.1
  * openSUSE Leap 15.4 (x86_64)
    * python39-32bit-debuginfo-3.9.16-150300.4.24.1
    * python39-base-32bit-3.9.16-150300.4.24.1
    * libpython3_9-1_0-32bit-3.9.16-150300.4.24.1
    * python39-32bit-3.9.16-150300.4.24.1
    * libpython3_9-1_0-32bit-debuginfo-3.9.16-150300.4.24.1
    * python39-base-32bit-debuginfo-3.9.16-150300.4.24.1
  * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (aarch64 x86_64)
    * python39-core-debugsource-3.9.16-150300.4.24.1
    * python39-debugsource-3.9.16-150300.4.24.1
    * python39-devel-3.9.16-150300.4.24.1
    * python39-debuginfo-3.9.16-150300.4.24.1
    * python39-tk-3.9.16-150300.4.24.1
    * python39-idle-3.9.16-150300.4.24.1
    * python39-3.9.16-150300.4.24.1
    * python39-base-3.9.16-150300.4.24.1
    * libpython3_9-1_0-3.9.16-150300.4.24.1
    * python39-curses-debuginfo-3.9.16-150300.4.24.1
    * python39-dbm-3.9.16-150300.4.24.1
    * python39-curses-3.9.16-150300.4.24.1
    * python39-tools-3.9.16-150300.4.24.1
    * python39-dbm-debuginfo-3.9.16-150300.4.24.1
    * python39-base-debuginfo-3.9.16-150300.4.24.1
    * python39-tk-debuginfo-3.9.16-150300.4.24.1
    * libpython3_9-1_0-debuginfo-3.9.16-150300.4.24.1
  * SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (aarch64 x86_64)
    * python39-core-debugsource-3.9.16-150300.4.24.1
    * python39-debugsource-3.9.16-150300.4.24.1
    * python39-devel-3.9.16-150300.4.24.1
    * python39-debuginfo-3.9.16-150300.4.24.1
    * python39-tk-3.9.16-150300.4.24.1
    * python39-idle-3.9.16-150300.4.24.1
    * python39-3.9.16-150300.4.24.1
    * python39-base-3.9.16-150300.4.24.1
    * libpython3_9-1_0-3.9.16-150300.4.24.1
    * python39-curses-debuginfo-3.9.16-150300.4.24.1
    * python39-dbm-3.9.16-150300.4.24.1
    * python39-curses-3.9.16-150300.4.24.1
    * python39-tools-3.9.16-150300.4.24.1
    * python39-dbm-debuginfo-3.9.16-150300.4.24.1
    * python39-base-debuginfo-3.9.16-150300.4.24.1
    * python39-tk-debuginfo-3.9.16-150300.4.24.1
    * libpython3_9-1_0-debuginfo-3.9.16-150300.4.24.1
  * SUSE Linux Enterprise Real Time 15 SP3 (x86_64)
    * python39-core-debugsource-3.9.16-150300.4.24.1
    * python39-debugsource-3.9.16-150300.4.24.1
    * python39-devel-3.9.16-150300.4.24.1
    * python39-debuginfo-3.9.16-150300.4.24.1
    * python39-tk-3.9.16-150300.4.24.1
    * python39-idle-3.9.16-150300.4.24.1
    * python39-3.9.16-150300.4.24.1
    * python39-base-3.9.16-150300.4.24.1
    * libpython3_9-1_0-3.9.16-150300.4.24.1
    * python39-curses-debuginfo-3.9.16-150300.4.24.1
    * python39-dbm-3.9.16-150300.4.24.1
    * python39-curses-3.9.16-150300.4.24.1
    * python39-tools-3.9.16-150300.4.24.1
    * python39-dbm-debuginfo-3.9.16-150300.4.24.1
    * python39-base-debuginfo-3.9.16-150300.4.24.1
    * python39-tk-debuginfo-3.9.16-150300.4.24.1
    * libpython3_9-1_0-debuginfo-3.9.16-150300.4.24.1
  * SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (aarch64 ppc64le s390x x86_64)
    * python39-core-debugsource-3.9.16-150300.4.24.1
    * python39-debugsource-3.9.16-150300.4.24.1
    * python39-devel-3.9.16-150300.4.24.1
    * python39-debuginfo-3.9.16-150300.4.24.1
    * python39-tk-3.9.16-150300.4.24.1
    * python39-idle-3.9.16-150300.4.24.1
    * python39-3.9.16-150300.4.24.1
    * python39-base-3.9.16-150300.4.24.1
    * libpython3_9-1_0-3.9.16-150300.4.24.1
    * python39-curses-debuginfo-3.9.16-150300.4.24.1
    * python39-dbm-3.9.16-150300.4.24.1
    * python39-curses-3.9.16-150300.4.24.1
    * python39-tools-3.9.16-150300.4.24.1
    * python39-dbm-debuginfo-3.9.16-150300.4.24.1
    * python39-base-debuginfo-3.9.16-150300.4.24.1
    * python39-tk-debuginfo-3.9.16-150300.4.24.1
    * libpython3_9-1_0-debuginfo-3.9.16-150300.4.24.1
  * SUSE Linux Enterprise Server for SAP Applications 15 SP3 (ppc64le x86_64)
    * python39-core-debugsource-3.9.16-150300.4.24.1
    * python39-debugsource-3.9.16-150300.4.24.1
    * python39-devel-3.9.16-150300.4.24.1
    * python39-debuginfo-3.9.16-150300.4.24.1
    * python39-tk-3.9.16-150300.4.24.1
    * python39-idle-3.9.16-150300.4.24.1
    * python39-3.9.16-150300.4.24.1
    * python39-base-3.9.16-150300.4.24.1
    * libpython3_9-1_0-3.9.16-150300.4.24.1
    * python39-curses-debuginfo-3.9.16-150300.4.24.1
    * python39-dbm-3.9.16-150300.4.24.1
    * python39-curses-3.9.16-150300.4.24.1
    * python39-tools-3.9.16-150300.4.24.1
    * python39-dbm-debuginfo-3.9.16-150300.4.24.1
    * python39-base-debuginfo-3.9.16-150300.4.24.1
    * python39-tk-debuginfo-3.9.16-150300.4.24.1
    * libpython3_9-1_0-debuginfo-3.9.16-150300.4.24.1
  * SUSE Manager Proxy 4.2 (x86_64)
    * python39-core-debugsource-3.9.16-150300.4.24.1
    * python39-debugsource-3.9.16-150300.4.24.1
    * python39-devel-3.9.16-150300.4.24.1
    * python39-debuginfo-3.9.16-150300.4.24.1
    * python39-tk-3.9.16-150300.4.24.1
    * python39-idle-3.9.16-150300.4.24.1
    * python39-3.9.16-150300.4.24.1
    * python39-base-3.9.16-150300.4.24.1
    * libpython3_9-1_0-3.9.16-150300.4.24.1
    * python39-curses-debuginfo-3.9.16-150300.4.24.1
    * python39-dbm-3.9.16-150300.4.24.1
    * python39-curses-3.9.16-150300.4.24.1
    * python39-dbm-debuginfo-3.9.16-150300.4.24.1
    * python39-base-debuginfo-3.9.16-150300.4.24.1
    * python39-tk-debuginfo-3.9.16-150300.4.24.1
    * libpython3_9-1_0-debuginfo-3.9.16-150300.4.24.1
  * SUSE Manager Retail Branch Server 4.2 (x86_64)
    * python39-core-debugsource-3.9.16-150300.4.24.1
    * python39-debugsource-3.9.16-150300.4.24.1
    * python39-devel-3.9.16-150300.4.24.1
    * python39-debuginfo-3.9.16-150300.4.24.1
    * python39-tk-3.9.16-150300.4.24.1
    * python39-idle-3.9.16-150300.4.24.1
    * python39-3.9.16-150300.4.24.1
    * python39-base-3.9.16-150300.4.24.1
    * libpython3_9-1_0-3.9.16-150300.4.24.1
    * python39-curses-debuginfo-3.9.16-150300.4.24.1
    * python39-dbm-3.9.16-150300.4.24.1
    * python39-curses-3.9.16-150300.4.24.1
    * python39-dbm-debuginfo-3.9.16-150300.4.24.1
    * python39-base-debuginfo-3.9.16-150300.4.24.1
    * python39-tk-debuginfo-3.9.16-150300.4.24.1
    * libpython3_9-1_0-debuginfo-3.9.16-150300.4.24.1
  * SUSE Manager Server 4.2 (ppc64le s390x x86_64)
    * python39-core-debugsource-3.9.16-150300.4.24.1
    * python39-debugsource-3.9.16-150300.4.24.1
    * python39-devel-3.9.16-150300.4.24.1
    * python39-debuginfo-3.9.16-150300.4.24.1
    * python39-tk-3.9.16-150300.4.24.1
    * python39-idle-3.9.16-150300.4.24.1
    * python39-3.9.16-150300.4.24.1
    * python39-base-3.9.16-150300.4.24.1
    * libpython3_9-1_0-3.9.16-150300.4.24.1
    * python39-curses-debuginfo-3.9.16-150300.4.24.1
    * python39-dbm-3.9.16-150300.4.24.1
    * python39-curses-3.9.16-150300.4.24.1
    * python39-dbm-debuginfo-3.9.16-150300.4.24.1
    * python39-base-debuginfo-3.9.16-150300.4.24.1
    * python39-tk-debuginfo-3.9.16-150300.4.24.1
    * libpython3_9-1_0-debuginfo-3.9.16-150300.4.24.1
  * SUSE Enterprise Storage 7.1 (aarch64 x86_64)
    * python39-core-debugsource-3.9.16-150300.4.24.1
    * python39-debugsource-3.9.16-150300.4.24.1
    * python39-devel-3.9.16-150300.4.24.1
    * python39-debuginfo-3.9.16-150300.4.24.1
    * python39-tk-3.9.16-150300.4.24.1
    * python39-idle-3.9.16-150300.4.24.1
    * python39-3.9.16-150300.4.24.1
    * python39-base-3.9.16-150300.4.24.1
    * libpython3_9-1_0-3.9.16-150300.4.24.1
    * python39-curses-debuginfo-3.9.16-150300.4.24.1
    * python39-dbm-3.9.16-150300.4.24.1
    * python39-curses-3.9.16-150300.4.24.1
    * python39-tools-3.9.16-150300.4.24.1
    * python39-dbm-debuginfo-3.9.16-150300.4.24.1
    * python39-base-debuginfo-3.9.16-150300.4.24.1
    * python39-tk-debuginfo-3.9.16-150300.4.24.1
    * libpython3_9-1_0-debuginfo-3.9.16-150300.4.24.1

## References:

  * https://www.suse.com/security/cve/CVE-2015-20107.html
  * https://www.suse.com/security/cve/CVE-2022-37454.html
  * https://www.suse.com/security/cve/CVE-2022-42919.html
  * https://www.suse.com/security/cve/CVE-2022-45061.html
  * https://www.suse.com/security/cve/CVE-2023-24329.html
  * https://bugzilla.suse.com/show_bug.cgi?id=1208471
