SUSE-SU-2023:2783-2: important: Security update for grpc, protobuf, python-Deprecated, python-PyGithub, python-aiocontextvars, python-avro, python-bcrypt, python-cryptography, python-cryptography-vectors, python-google-api-core, pyt
sle-security-updates at lists.suse.com
sle-security-updates at lists.suse.com
Wed Sep 20 08:30:22 UTC 2023
# Security update for grpc, protobuf, python-Deprecated, python-PyGithub,
python-aiocontextvars, python-avro, python-bcrypt, python-cryptography, python-
cryptography-vectors, python-google-api-core, pyt
Announcement ID: SUSE-SU-2023:2783-2
Rating: important
References:
* #1099269
* #1133277
* #1144068
* #1162343
* #1177127
* #1178168
* #1182066
* #1184753
* #1194530
* #1197726
* #1198331
* #1199282
* #1203681
* #1204256
* PM-3243
* SLE-24629
Cross-References:
* CVE-2018-1000518
* CVE-2020-25659
* CVE-2020-36242
* CVE-2021-22569
* CVE-2021-22570
* CVE-2022-1941
* CVE-2022-3171
CVSS scores:
* CVE-2018-1000518 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2018-1000518 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2020-25659 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
* CVE-2020-25659 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
* CVE-2020-36242 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2020-36242 ( NVD ): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
* CVE-2021-22569 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
* CVE-2021-22569 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2021-22570 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
* CVE-2021-22570 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
* CVE-2022-1941 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
* CVE-2022-1941 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
* CVE-2022-1941 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2022-1941 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2022-3171 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2022-3171 ( NVD ): 4.3 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Affected Products:
* SUSE Linux Enterprise High Performance Computing 15 SP1
* SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1
An update that solves seven vulnerabilities, contains two features and has seven
security fixes can now be installed.
## Description:
This update for grpc, protobuf, python-Deprecated, python-PyGithub, python-
aiocontextvars, python-avro, python-bcrypt, python-cryptography, python-
cryptography-vectors, python-google-api-core, python-googleapis-common-protos,
python-grpcio-gcp, python-humanfriendly, python-jsondiff, python-knack, python-
opencensus, python-opencensus-context, python-opencensus-ext-threading, python-
opentelemetry-api, python-psutil, python-pytest-asyncio, python-requests,
python-websocket-client, python-websockets fixes the following issues:
grpc: \- Update in SLE-15 (bsc#1197726, bsc#1144068)
protobuf: \- Fix a potential DoS issue in protobuf-cpp and protobuf-python,
CVE-2022-1941, bsc#1203681 \- Fix a potential DoS issue when parsing with binary
data in protobuf-java, CVE-2022-3171, bsc#1204256 \- Fix potential Denial of
Service in protobuf-java in the parsing procedure for binary data,
CVE-2021-22569, bsc#1194530 \- Add missing dependency of python subpackages on
python-six (bsc#1177127) \- Updated to version 3.9.2 (bsc#1162343) * Remove
OSReadLittle* due to alignment requirements. * Don't use unions and instead use
memcpy for the type swaps. \- Disable LTO (bsc#1133277)
python-aiocontextvars:
\- Include in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
python-avro: \- Include in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629) \-
Update in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
python-cryptography:
\- update to 3.3.2 (bsc#1182066, CVE-2020-36242, bsc#1198331) * SECURITY ISSUE:
Fixed a bug where certain sequences of update() calls when symmetrically
encrypting very large payloads (>2GB) could result in an integer overflow,
leading to buffer overflows. CVE-2020-36242
python-cryptography-vectors: \- update to 3.2 (bsc#1178168, CVE-2020-25659): *
CVE-2020-25659: Attempted to make RSA PKCS#1v1.5 decryption more constant time,
to protect against Bleichenbacher vulnerabilities. Due to limitations imposed by
our API, we cannot completely mitigate this vulnerability. * Support for OpenSSL
1.0.2 has been removed. * Added basic support for PKCS7 signing (including
SMIME) via PKCS7SignatureBuilder. \- update to 3.3.2 (bsc#1198331)
python-Deprecated: \- Include in SLE-15 (bsc#1199282, jsc#PM-3243,
jsc#SLE-24629) \- update to 1.2.13:
python-google-api-core: \- Update to 1.14.2
python-googleapis-common-protos: \- Update to 1.6.0
python-grpcio-gcp: \- Initial spec for v0.2.2
python-humanfriendly: \- Update in SLE-15 (bsc#1199282, jsc#PM-3243,
jsc#SLE-24629) \- Update to 10.0
python-jsondiff: \- Update in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
\- Update to version 1.3.0
python-knack:
\- Update in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629) \- Update to
version 0.9.0
python-opencensus: \- Include in SLE-15 (bsc#1199282, jsc#PM-3243,
jsc#SLE-24629) \- Disable Python2 build \- Update to 0.8.0
python-opencensus-context:
\- Include in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
python-opencensus-ext-threading:
\- Include in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629) \- Initial build
version 0.1.2
python-opentelemetry-api: \- Include in SLE-15 (bsc#1199282, jsc#PM-3243,
jsc#SLE-24629) \- Version update to 1.5.0
python-psutil: \- Update in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629) \-
update to 5.9.1 \- remove the dependency on net-tools, since it conflicts with
busybox-hostnmame which is default on MicroOS. (bsc#1184753) \- Include in
SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
python-PyGithub: \- Update to 1.43.5:
python-pytest-asyncio:
\- Include in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629) \- Initial
release of python-pytest-asyncio 0.8.0
python-requests: \- Update in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
python-websocket-client: \- Update in SLE-15 (bsc#1199282, jsc#PM-3243,
jsc#SLE-24629) \- Update to version 1.3.2
python-websockets: \- Include in SLE-15 (bsc#1199282, jsc#PM-3243,
jsc#SLE-24629) \- update to 9.1:
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1
zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2023-2783=1
## Package List:
* SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (aarch64
x86_64)
* python-cryptography-debugsource-3.3.2-150100.7.15.3
* python3-cryptography-debuginfo-3.3.2-150100.7.15.3
* python3-psutil-debuginfo-5.9.1-150100.6.6.3
* libprotobuf-lite20-3.9.2-150100.8.3.3
* python2-psutil-debuginfo-5.9.1-150100.6.6.3
* python-psutil-debuginfo-5.9.1-150100.6.6.3
* python2-cryptography-3.3.2-150100.7.15.3
* python2-psutil-5.9.1-150100.6.6.3
* python3-psutil-5.9.1-150100.6.6.3
* python-psutil-debugsource-5.9.1-150100.6.6.3
* python-cryptography-debuginfo-3.3.2-150100.7.15.3
* python2-cryptography-debuginfo-3.3.2-150100.7.15.3
* python3-cryptography-3.3.2-150100.7.15.3
* SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (noarch)
* python3-websocket-client-1.3.2-150100.6.7.3
* python2-requests-2.25.1-150100.6.13.3
* python3-requests-2.25.1-150100.6.13.3
## References:
* https://www.suse.com/security/cve/CVE-2018-1000518.html
* https://www.suse.com/security/cve/CVE-2020-25659.html
* https://www.suse.com/security/cve/CVE-2020-36242.html
* https://www.suse.com/security/cve/CVE-2021-22569.html
* https://www.suse.com/security/cve/CVE-2021-22570.html
* https://www.suse.com/security/cve/CVE-2022-1941.html
* https://www.suse.com/security/cve/CVE-2022-3171.html
* https://bugzilla.suse.com/show_bug.cgi?id=1099269
* https://bugzilla.suse.com/show_bug.cgi?id=1133277
* https://bugzilla.suse.com/show_bug.cgi?id=1144068
* https://bugzilla.suse.com/show_bug.cgi?id=1162343
* https://bugzilla.suse.com/show_bug.cgi?id=1177127
* https://bugzilla.suse.com/show_bug.cgi?id=1178168
* https://bugzilla.suse.com/show_bug.cgi?id=1182066
* https://bugzilla.suse.com/show_bug.cgi?id=1184753
* https://bugzilla.suse.com/show_bug.cgi?id=1194530
* https://bugzilla.suse.com/show_bug.cgi?id=1197726
* https://bugzilla.suse.com/show_bug.cgi?id=1198331
* https://bugzilla.suse.com/show_bug.cgi?id=1199282
* https://bugzilla.suse.com/show_bug.cgi?id=1203681
* https://bugzilla.suse.com/show_bug.cgi?id=1204256
* https://jira.suse.com/browse/PM-3243
* https://jira.suse.com/browse/SLE-24629
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.suse.com/pipermail/sle-security-updates/attachments/20230920/48e7e9d3/attachment.htm>
More information about the sle-security-updates
mailing list