SUSE-SU-2023:0748-1: important: Security update for python310

sle-security-updates at lists.suse.com
Wed Mar 15 20:30:04 UTC 2023



# Security update for python310

Announcement ID: SUSE-SU-2023:0748-1  
Rating: important  
References:

  * #1208471
  * #831629

  
Cross-References:

  * CVE-2015-20107
  * CVE-2022-37454
  * CVE-2022-42919
  * CVE-2022-45061
  * CVE-2023-24329

  
CVSS scores:

  * CVE-2015-20107 ( SUSE ):  7.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
  * CVE-2015-20107 ( NVD ):  7.6 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
  * CVE-2022-37454 ( SUSE ):  8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
  * CVE-2022-37454 ( NVD ):  9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  * CVE-2022-42919 ( SUSE ):  7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  * CVE-2022-42919 ( NVD ):  7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  * CVE-2022-45061 ( SUSE ):  6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  * CVE-2022-45061 ( NVD ):  7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2023-24329 ( SUSE ):  7.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
  * CVE-2023-24329 ( NVD ):  7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

  
Affected Products:

  * openSUSE Leap 15.4
  * Python 3 Module 15-SP4
  * SUSE Linux Enterprise Desktop 15 SP4
  * SUSE Linux Enterprise High Performance Computing 15 SP4
  * SUSE Linux Enterprise Server 15 SP4
  * SUSE Linux Enterprise Server for SAP Applications 15 SP4
  * SUSE Manager Proxy 4.3
  * SUSE Manager Retail Branch Server 4.3
  * SUSE Manager Server 4.3

  
  
An update that solves five vulnerabilities can now be installed.

## Description:

This update for python310 fixes the following issues:

  * CVE-2023-24329: Fixed blocklist bypass via the urllib.parse component when
    supplying a URL that starts with blank characters (bsc#1208471).
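The bypass described above comes from checking a scheme blocklist against a URL whose leading whitespace leaves `urlparse()` reporting an empty scheme. The following is an added example (not from the advisory or CPython): a scheme check that normalises the input itself, so it behaves the same on a patched and an unpatched interpreter, beside the fragile blocklist pattern. The blocklist entries, `ALLOWED_SCHEMES` and the sample URLs are constructed for illustration.

```python
# Added example, not CPython's or SUSE's code: a scheme check that does not
# rely on how the running interpreter's urllib.parse treats leading
# whitespace, illustrating the CVE-2023-24329 bypass pattern.
from urllib.parse import urlparse

# ASCII C0 control characters and space: the characters a patched urlsplit()
# strips from the start of a URL. Re-implemented here so the check is the
# same on unpatched interpreters (assumption: this set is what we normalise).
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))

ALLOWED_SCHEMES = frozenset({"http", "https"})  # constructed allowlist


def naive_scheme_is_blocked(url, blocklist=frozenset({"file", "ftp"})):
    """Fragile pattern: a blocklist applied to the raw string.

    On an unpatched 3.10, urlparse(" file:///etc/hosts").scheme is "" and the
    URL slips past the blocklist; a downstream consumer that trims whitespace
    then honours the file: scheme. Result is version dependent by design.
    """
    return urlparse(url).scheme in blocklist


def interpreter_strips_leading_c0():
    """True when the running urllib.parse already strips leading C0/space."""
    return urlparse(" https://example.invalid/").scheme == "https"


def url_is_allowed(url, allowed=ALLOWED_SCHEMES):
    """Hardened check: normalise first, then require an allowlisted scheme.

    An empty scheme is rejected rather than treated as harmless, and a
    network location must be present so "https:" alone does not pass.
    """
    normalised = url.lstrip(_C0_AND_SPACE)
    parts = urlparse(normalised)
    if not parts.scheme or parts.scheme not in allowed:
        return False
    return bool(parts.netloc)


if __name__ == "__main__":
    samples = ("https://example.invalid/", " file:///etc/hosts",
               "\x1ffile:///etc/hosts", "/relative/path")
    print("interpreter strips leading C0:", interpreter_strips_leading_c0())
    for u in samples:
        print(repr(u), "allowed" if url_is_allowed(u) else "rejected")
```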

Update to 3.10.10:

  * Add provides for readline and sqlite3 to the main Python package.
  * Disable NIS for new products; it is deprecated and will be removed.

Update to 3.10.9:

  * python -m http.server no longer allows terminal control characters sent
    within a garbage request to be printed to the stderr server log. This is
    done by changing the http.server BaseHTTPRequestHandler.log_message method
    to replace control characters with a \xHH hex escape before printing.
  * Avoid publishing list of active per-interpreter audit hooks via the gc
    module
  * The IDNA codec decoder used on DNS hostnames by socket or asyncio related
    name resolution functions no longer involves a quadratic algorithm. This
    prevents a potential CPU denial of service if an out-of-spec excessive
    length hostname involving bidirectional characters were decoded. Some
    protocols such as urllib http 3xx redirects potentially allow for an
    attacker to supply such a name.
  * Update bundled libexpat to 2.5.0
  * Port XKCP’s fix for the buffer overflows in SHA-3 (CVE-2022-37454).
  * On Linux the multiprocessing module returns to using filesystem backed unix
    domain sockets for communication with the forkserver process instead of the
    Linux abstract socket namespace. Only code that chooses to use the
    “forkserver” start method is affected. Abstract sockets have no permissions
    and could allow any user on the system in the same network namespace (often
    the whole system) to inject code into the multiprocessing forkserver
    process. This was a potential privilege escalation. Filesystem based socket
    permissions restrict this to the forkserver process user, as was the default
    in Python 3.8 and earlier. This prevents Linux CVE-2022-42919.
  * Fix a reference bug in _imp.create_builtin() after the creation of the first
    sub-interpreter for modules builtins and sys. Patch by Victor Stinner.
  * Fixed a bug that was causing a buffer overflow if the tokenizer copies a
    line missing the newline character from a file that is as long as the
    available tokenizer buffer. Patch by Pablo Galindo.
  * Update faulthandler to emit an error message with the proper unexpected
    signal number. Patch by Dong-hee Na.
  * Fix subscription of types.GenericAlias instances containing bare generic
    types: for example tuple[A, T][int], where A is a generic type, and T is a
    type variable.
  * Fix detection of MAC addresses for uuid on certain OSs. Patch by Chaim
    Sanders
  * Print exception class name instead of its string representation when raising
    errors from ctypes calls.
  * Allow pdb to locate source for frozen modules in the standard library.
  * Raise ValueError instead of SystemError when methods of uninitialized
    io.IncrementalNewlineDecoder objects are called. Patch by Oren Milman.
  * Fix a possible assertion failure in io.FileIO when the opener returns an
    invalid file descriptor.
  * Also escape \ in the http.server BaseHTTPRequestHandler.log_message so that
    it is technically possible to parse the line and reconstruct what the
    original data was. Without this a \xHH is ambiguous as to whether it is a
    hex replacement we put in or the characters r"\x" came through in the
    original request line.
  * asyncio.get_event_loop() now only emits a deprecation warning when a new
    event loop was created implicitly. It no longer emits a deprecation warning
    if the current event loop was set.
  * Fix bug when calling trace.CoverageResults with valid infile.
  * Fix a bug in handling class cleanups in unittest.TestCase. Now
    addClassCleanup() uses separate lists for different TestCase subclasses, and
    doClassCleanups() only cleans up the particular class.
  * Release the GIL when calling termios APIs to avoid blocking threads.
  * Fix ast.increment_lineno() to also cover ast.TypeIgnore when changing line
    numbers.
  * Fixed bug where inspect.signature() reported incorrect arguments for
    decorated methods.
  * Fix SystemError in ctypes when exception was not set during
    `__init_subclass__`.
  * Fix statistics.NormalDist pickle with 0 and 1 protocols.
  * Update the bundled copy of pip to version 22.3.1.
  * Apply bugfixes from importlib_metadata 4.11.4, namely: In
    PathDistribution._name_from_stem, avoid including parts of the extension in
    the result. In PathDistribution._normalized_name, ensure names loaded from
    the stem of the filename are also normalized, ensuring duplicate entry
    points by packages varying only by non-normalized name are hidden.
  * Clean up refleak on failed module initialisation in _zoneinfo
  * Clean up refleaks on failed module initialisation in _pickle
  * Clean up refleak on failed module initialisation in _io.
  * Fix memory leak in math.dist() when both points don’t have the same
    dimension. Patch by Kumar Aditya.
  * Fix argument typechecks in _overlapped.WSAConnect() and
    _overlapped.Overlapped.WSASendTo() functions.
  * Fix internal error in the re module which in very rare circumstances
    prevented compilation of a regular expression containing a conditional
    expression without the “else” branch.
  * Fix asyncio.StreamWriter.drain() to call protocol.connection_lost callback
    only once on Windows.
  * Add a mutex to unittest.mock.NonCallableMock to protect concurrent access to
    mock attributes.
  * Fix hang on Windows in subprocess.wait_closed() in asyncio with
    ProactorEventLoop. Patch by Kumar Aditya.
  * Fix infinite loop in unittest when a self-referencing chained exception is
    raised
  * tkinter.Text.count() now raises an exception for options starting with “-”
    instead of silently ignoring them.
  * On uname_result, restored expectation that _fields and _asdict would include
    all six properties including processor.
  * Update the bundled copies of pip and setuptools to versions 22.3 and 65.5.0
    respectively.
  * Fix bug in urllib.parse.urlparse() that causes certain port numbers
    containing whitespace, underscores, plus and minus signs, or non-ASCII
    digits to be incorrectly accepted.
  * Allow venv to pass along PYTHON* variables to ensurepip and pip when they do
    not impact path resolution
  * On macOS, fix a crash in syslog.syslog() in multi-threaded applications. On
    macOS, the libc syslog() function is not thread-safe, so syslog.syslog() no
    longer releases the GIL to call it. Patch by Victor Stinner.
  * Allow BUILTINS to be a valid field name for frozen dataclasses.
  * Make sure patch.dict() can be applied on async functions.
  * To avoid apparent memory leaks when asyncio.open_connection() raises, break
    reference cycles generated by local exception and future instances (which
    has exception instance as its member var). Patch by Dong Uk, Kang.
  * Prevent error when activating venv in nested fish instances.
  * Restrict use of sockets instead of pipes for stdin of subprocesses created
    by asyncio to AIX platform only.
  * shutil.copytree() now applies the ignore_dangling_symlinks argument
    recursively.
  * Fix IndexError in argparse.ArgumentParser when a store_true action is given
    an explicit argument.
  * Document that calling variadic functions with ctypes requires special care
    on macOS/arm64 (and possibly other platforms).
  * Skip test_normalization() of test_unicodedata if it fails to download
    NormalizationTest.txt file from pythontest.net. Patch by Victor Stinner.
  * Some C API tests were moved into the new Lib/test/test_capi/ directory.
  * Fix -Wimplicit-int, -Wstrict-prototypes, and -Wimplicit-function-declaration
    compiler warnings in configure checks.
  * Fix -Wimplicit-int compiler warning in configure check for
    PTHREAD_SCOPE_SYSTEM.
  * Specify the full path to the source location for make docclean (needed for
    cross-builds).
  * Fix NO_MISALIGNED_ACCESSES not being defined for the SHA3 extension when
    HAVE_ALIGNED_REQUIRED is set. This allows builds on hardware where
    unaligned memory accesses are not permitted.
  * Fix handling of module docstrings in Tools/i18n/pygettext.py.

  * Add invalid-json.patch fixing invalid JSON in Doc/howto/logging-cookbook.rst
    (somehow similar to gh#python/cpython#102582).
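The two http.server entries above (control characters replaced by \xHH, and the backslash itself escaped so the line can be decoded unambiguously) are easiest to see with a small encoder and decoder. This is an added example, not CPython's implementation: it escapes the backslash as \x5c rather than reproducing the exact table used upstream, and the sample request lines are constructed.

```python
# Added example, not CPython's http.server code: log-line sanitising in the
# spirit of the 3.10.9 change, with a decoder that shows why escaping the
# backslash is what makes the encoding reversible.
import itertools
import re

# C0 controls, DEL, C1 controls and the backslash itself map to \xHH.
# Assumption of this example: the backslash becomes \x5c (upstream uses its
# own table); either choice makes the mapping injective.
_ESCAPES = {c: f"\\x{c:02x}" for c in itertools.chain(range(0x20), range(0x7F, 0xA0))}
_ESCAPES[ord("\\")] = "\\x5c"
_ESCAPE_TABLE = str.maketrans(_ESCAPES)

_HEX_ESCAPE = re.compile(r"\\x([0-9a-f]{2})")


def escape_log_line(text):
    """Make a request line safe to write to a terminal-backed log."""
    return text.translate(_ESCAPE_TABLE)


def unescape_log_line(escaped):
    """Recover the original request line from its escaped form.

    Because every literal backslash was turned into \\x5c, every remaining
    "\\xHH" sequence is one we inserted, so decoding is unambiguous.
    """
    return _HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), escaped)


def log_is_terminal_safe(line):
    """True when the line has no byte a terminal would interpret."""
    return not any(ord(ch) < 0x20 or 0x7F <= ord(ch) < 0xA0 for ch in line)


if __name__ == "__main__":
    # Constructed samples: a request line carrying an ESC sequence, and one
    # carrying the four literal characters backslash, x, 1, b.
    with_control = "GET /\x1b[2J HTTP/1.1"
    with_literal = "GET /\\x1b HTTP/1.1"
    for raw in (with_control, with_literal):
        enc = escape_log_line(raw)
        print(repr(enc), "round-trips:", unescape_log_line(enc) == raw)
```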

## Patch Instructions:

To install this SUSE Important update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".  
Alternatively you can run the command listed for your product:

  * openSUSE Leap 15.4  
    zypper in -t patch openSUSE-SLE-15.4-2023-748=1

  * Python 3 Module 15-SP4  
    zypper in -t patch SUSE-SLE-Module-Python3-15-SP4-2023-748=1

## Package List:

  * openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64)
    * python310-curses-debuginfo-3.10.10-150400.4.22.1
    * python310-testsuite-debuginfo-3.10.10-150400.4.22.1
    * python310-tk-3.10.10-150400.4.22.1
    * python310-debugsource-3.10.10-150400.4.22.1
    * python310-base-debuginfo-3.10.10-150400.4.22.1
    * python310-debuginfo-3.10.10-150400.4.22.1
    * python310-doc-3.10.10-150400.4.22.1
    * python310-testsuite-3.10.10-150400.4.22.1
    * python310-tk-debuginfo-3.10.10-150400.4.22.1
    * libpython3_10-1_0-debuginfo-3.10.10-150400.4.22.1
    * python310-tools-3.10.10-150400.4.22.1
    * python310-curses-3.10.10-150400.4.22.1
    * python310-devel-3.10.10-150400.4.22.1
    * python310-base-3.10.10-150400.4.22.1
    * python310-idle-3.10.10-150400.4.22.1
    * python310-3.10.10-150400.4.22.1
    * libpython3_10-1_0-3.10.10-150400.4.22.1
    * python310-dbm-debuginfo-3.10.10-150400.4.22.1
    * python310-dbm-3.10.10-150400.4.22.1
    * python310-core-debugsource-3.10.10-150400.4.22.1
    * python310-doc-devhelp-3.10.10-150400.4.22.1
  * openSUSE Leap 15.4 (x86_64)
    * python310-32bit-3.10.10-150400.4.22.1
    * python310-base-32bit-debuginfo-3.10.10-150400.4.22.1
    * python310-32bit-debuginfo-3.10.10-150400.4.22.1
    * python310-base-32bit-3.10.10-150400.4.22.1
    * libpython3_10-1_0-32bit-debuginfo-3.10.10-150400.4.22.1
    * libpython3_10-1_0-32bit-3.10.10-150400.4.22.1
  * Python 3 Module 15-SP4 (aarch64 ppc64le s390x x86_64)
    * python310-curses-debuginfo-3.10.10-150400.4.22.1
    * python310-dbm-3.10.10-150400.4.22.1
    * python310-devel-3.10.10-150400.4.22.1
    * python310-base-3.10.10-150400.4.22.1
    * python310-idle-3.10.10-150400.4.22.1
    * python310-tk-debuginfo-3.10.10-150400.4.22.1
    * python310-3.10.10-150400.4.22.1
    * python310-tk-3.10.10-150400.4.22.1
    * libpython3_10-1_0-debuginfo-3.10.10-150400.4.22.1
    * libpython3_10-1_0-3.10.10-150400.4.22.1
    * python310-core-debugsource-3.10.10-150400.4.22.1
    * python310-debugsource-3.10.10-150400.4.22.1
    * python310-tools-3.10.10-150400.4.22.1
    * python310-base-debuginfo-3.10.10-150400.4.22.1
    * python310-curses-3.10.10-150400.4.22.1
    * python310-dbm-debuginfo-3.10.10-150400.4.22.1
    * python310-debuginfo-3.10.10-150400.4.22.1

## References:

  * https://www.suse.com/security/cve/CVE-2015-20107.html
  * https://www.suse.com/security/cve/CVE-2022-37454.html
  * https://www.suse.com/security/cve/CVE-2022-42919.html
  * https://www.suse.com/security/cve/CVE-2022-45061.html
  * https://www.suse.com/security/cve/CVE-2023-24329.html
  * https://bugzilla.suse.com/show_bug.cgi?id=1208471
  * https://bugzilla.suse.com/show_bug.cgi?id=831629
