SUSE-SU-2023:2783-2: important: Security update for grpc, protobuf, python-Deprecated, python-PyGithub, python-aiocontextvars, python-avro, python-bcrypt, python-cryptography, python-cryptography-vectors, python-google-api-core, pyt

sle-security-updates at lists.suse.com sle-security-updates at lists.suse.com
Wed Sep 20 08:30:22 UTC 2023 


# Security update for grpc, protobuf, python-Deprecated, python-PyGithub,
python-aiocontextvars, python-avro, python-bcrypt, python-cryptography, python-
cryptography-vectors, python-google-api-core, pyt

Announcement ID: SUSE-SU-2023:2783-2  
Rating: important  
References:

  * #1099269
  * #1133277
  * #1144068
  * #1162343
  * #1177127
  * #1178168
  * #1182066
  * #1184753
  * #1194530
  * #1197726
  * #1198331
  * #1199282
  * #1203681
  * #1204256
  * PM-3243
  * SLE-24629

  
Cross-References:

  * CVE-2018-1000518
  * CVE-2020-25659
  * CVE-2020-36242
  * CVE-2021-22569
  * CVE-2021-22570
  * CVE-2022-1941
  * CVE-2022-3171

  
CVSS scores:

  * CVE-2018-1000518 ( NVD ):  7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2018-1000518 ( NVD ):  7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2020-25659 ( SUSE ):  5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
  * CVE-2020-25659 ( NVD ):  5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
  * CVE-2020-36242 ( SUSE ):  7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2020-36242 ( NVD ):  9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
  * CVE-2021-22569 ( SUSE ):  5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  * CVE-2021-22569 ( NVD ):  7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2021-22570 ( SUSE ):  5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  * CVE-2021-22570 ( NVD ):  6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  * CVE-2022-1941 ( SUSE ):  6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  * CVE-2022-1941 ( SUSE ):  6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  * CVE-2022-1941 ( NVD ):  7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2022-1941 ( NVD ):  7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2022-3171 ( SUSE ):  7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2022-3171 ( NVD ):  4.3 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

  
Affected Products:

  * SUSE Linux Enterprise High Performance Computing 15 SP1
  * SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1

  
  
An update that solves seven vulnerabilities, contains two features and has seven
security fixes can now be installed.

## Description:

This update for grpc, protobuf, python-Deprecated, python-PyGithub, python-
aiocontextvars, python-avro, python-bcrypt, python-cryptography, python-
cryptography-vectors, python-google-api-core, python-googleapis-common-protos,
python-grpcio-gcp, python-humanfriendly, python-jsondiff, python-knack, python-
opencensus, python-opencensus-context, python-opencensus-ext-threading, python-
opentelemetry-api, python-psutil, python-pytest-asyncio, python-requests,
python-websocket-client, python-websockets fixes the following issues:

grpc: \- Update in SLE-15 (bsc#1197726, bsc#1144068)

protobuf: \- Fix a potential DoS issue in protobuf-cpp and protobuf-python,
CVE-2022-1941, bsc#1203681 \- Fix a potential DoS issue when parsing with binary
data in protobuf-java, CVE-2022-3171, bsc#1204256 \- Fix potential Denial of
Service in protobuf-java in the parsing procedure for binary data,
CVE-2021-22569, bsc#1194530 \- Add missing dependency of python subpackages on
python-six (bsc#1177127) \- Updated to version 3.9.2 (bsc#1162343) * Remove
OSReadLittle* due to alignment requirements. * Don't use unions and instead use
memcpy for the type swaps. \- Disable LTO (bsc#1133277)

python-aiocontextvars:  
\- Include in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)

python-avro: \- Include in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629) \-
Update in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)

python-cryptography:  
\- update to 3.3.2 (bsc#1182066, CVE-2020-36242, bsc#1198331) * SECURITY ISSUE:
Fixed a bug where certain sequences of update() calls when symmetrically
encrypting very large payloads (>2GB) could result in an integer overflow,
leading to buffer overflows. CVE-2020-36242

python-cryptography-vectors: \- update to 3.2 (bsc#1178168, CVE-2020-25659): *
CVE-2020-25659: Attempted to make RSA PKCS#1v1.5 decryption more constant time,
to protect against Bleichenbacher vulnerabilities. Due to limitations imposed by
our API, we cannot completely mitigate this vulnerability. * Support for OpenSSL
1.0.2 has been removed. * Added basic support for PKCS7 signing (including
SMIME) via PKCS7SignatureBuilder. \- update to 3.3.2 (bsc#1198331)

python-Deprecated: \- Include in SLE-15 (bsc#1199282, jsc#PM-3243,
jsc#SLE-24629) \- update to 1.2.13:

python-google-api-core: \- Update to 1.14.2

python-googleapis-common-protos: \- Update to 1.6.0

python-grpcio-gcp: \- Initial spec for v0.2.2

python-humanfriendly: \- Update in SLE-15 (bsc#1199282, jsc#PM-3243,
jsc#SLE-24629) \- Update to 10.0

python-jsondiff: \- Update in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
\- Update to version 1.3.0

python-knack:  
\- Update in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629) \- Update to
version 0.9.0

python-opencensus: \- Include in SLE-15 (bsc#1199282, jsc#PM-3243,
jsc#SLE-24629) \- Disable Python2 build \- Update to 0.8.0

python-opencensus-context:  
\- Include in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)

python-opencensus-ext-threading:  
\- Include in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629) \- Initial build
version 0.1.2

python-opentelemetry-api: \- Include in SLE-15 (bsc#1199282, jsc#PM-3243,
jsc#SLE-24629) \- Version update to 1.5.0

python-psutil: \- Update in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629) \-
update to 5.9.1 \- remove the dependency on net-tools, since it conflicts with
busybox-hostnmame which is default on MicroOS. (bsc#1184753) \- Include in
SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)

python-PyGithub: \- Update to 1.43.5:

python-pytest-asyncio:  
\- Include in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629) \- Initial
release of python-pytest-asyncio 0.8.0

python-requests: \- Update in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)

python-websocket-client: \- Update in SLE-15 (bsc#1199282, jsc#PM-3243,
jsc#SLE-24629) \- Update to version 1.3.2

python-websockets: \- Include in SLE-15 (bsc#1199282, jsc#PM-3243,
jsc#SLE-24629) \- update to 9.1:

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".  
Alternatively you can run the command listed for your product:

  * SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1  
    zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2023-2783=1

## Package List:

  * SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (aarch64
    x86_64)
    * python-cryptography-debugsource-3.3.2-150100.7.15.3
    * python3-cryptography-debuginfo-3.3.2-150100.7.15.3
    * python3-psutil-debuginfo-5.9.1-150100.6.6.3
    * libprotobuf-lite20-3.9.2-150100.8.3.3
    * python2-psutil-debuginfo-5.9.1-150100.6.6.3
    * python-psutil-debuginfo-5.9.1-150100.6.6.3
    * python2-cryptography-3.3.2-150100.7.15.3
    * python2-psutil-5.9.1-150100.6.6.3
    * python3-psutil-5.9.1-150100.6.6.3
    * python-psutil-debugsource-5.9.1-150100.6.6.3
    * python-cryptography-debuginfo-3.3.2-150100.7.15.3
    * python2-cryptography-debuginfo-3.3.2-150100.7.15.3
    * python3-cryptography-3.3.2-150100.7.15.3
  * SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (noarch)
    * python3-websocket-client-1.3.2-150100.6.7.3
    * python2-requests-2.25.1-150100.6.13.3
    * python3-requests-2.25.1-150100.6.13.3

## References:

  * https://www.suse.com/security/cve/CVE-2018-1000518.html
  * https://www.suse.com/security/cve/CVE-2020-25659.html
  * https://www.suse.com/security/cve/CVE-2020-36242.html
  * https://www.suse.com/security/cve/CVE-2021-22569.html
  * https://www.suse.com/security/cve/CVE-2021-22570.html
  * https://www.suse.com/security/cve/CVE-2022-1941.html
  * https://www.suse.com/security/cve/CVE-2022-3171.html
  * https://bugzilla.suse.com/show_bug.cgi?id=1099269
  * https://bugzilla.suse.com/show_bug.cgi?id=1133277
  * https://bugzilla.suse.com/show_bug.cgi?id=1144068
  * https://bugzilla.suse.com/show_bug.cgi?id=1162343
  * https://bugzilla.suse.com/show_bug.cgi?id=1177127
  * https://bugzilla.suse.com/show_bug.cgi?id=1178168
  * https://bugzilla.suse.com/show_bug.cgi?id=1182066
  * https://bugzilla.suse.com/show_bug.cgi?id=1184753
  * https://bugzilla.suse.com/show_bug.cgi?id=1194530
  * https://bugzilla.suse.com/show_bug.cgi?id=1197726
  * https://bugzilla.suse.com/show_bug.cgi?id=1198331
  * https://bugzilla.suse.com/show_bug.cgi?id=1199282
  * https://bugzilla.suse.com/show_bug.cgi?id=1203681
  * https://bugzilla.suse.com/show_bug.cgi?id=1204256
  * https://jira.suse.com/browse/PM-3243
  * https://jira.suse.com/browse/SLE-24629

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.suse.com/pipermail/sle-security-updates/attachments/20230920/48e7e9d3/attachment.htm>

More information about the sle-security-updates mailing list