SUSE-CU-2022:3048-1: Security update of bci/python

[sle-updates at lists.suse.com]

SUSE Container Update Advisory: bci/python
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2022:3048-1
Container Tags        : bci/python:3 , bci/python:3.10 , bci/python:3.10-7.31 , bci/python:latest
Container Release     : 7.31
Severity              : important
Type                  : security
References            : 1177460 1199944 1202324 1204179 1204649 1204886 1204968 1205156
                        1205244 CVE-2022-1664 CVE-2022-3821 CVE-2022-42919 CVE-2022-45061
-----------------------------------------------------------------

The container bci/python was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3999-1
Released:    Tue Nov 15 17:08:04 2022
Summary:     Security update for systemd
Type:        security
Severity:    moderate
References:  1204179,1204968,CVE-2022-3821
This update for systemd fixes the following issues:

- CVE-2022-3821: Fixed buffer overrun in format_timespan() function (bsc#1204968).

- Import commit 0cd50eedcc0692c1f907b24424215f8db7d3b428
  * 0469b9f2bc pstore: do not try to load all known pstore modules
  * ad05f54439 pstore: Run after modules are loaded
  * ccad817445 core: Add trigger limit for path units
  * 281d818fe3 core/mount: also add default before dependency for automount mount units
  * ffe5b4afa8 logind: fix crash in logind on user-specified message string

- Document udev naming scheme (bsc#1204179)
- Make 'sle15-sp3' net naming scheme still available for backward compatibility
  reason

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:4004-1
Released:    Tue Nov 15 17:10:13 2022
Summary:     Security update for python310
Type:        security
Severity:    important
References:  1204886,1205244,CVE-2022-42919,CVE-2022-45061
This update for python310 fixes the following issues:

Security fixes:

- CVE-2022-42919: Fixed local privilege escalation via the multiprocessing forkserver start method (bsc#1204886).
- CVE-2022-45061: Fixed a quadratic IDNA decoding time (bsc#1205244).

Other fixes:

- allow building of documentation with the latest Sphinx 5.3.0 (gh#python/cpython#98366).

- Update to 3.10.8:
  - Fix multiplying a list by an integer (list *= int): detect
    the integer overflow when the new allocated length is close
    to the maximum size.
  - Fix a shell code injection vulnerability in the
    get-remote-certificate.py example script. The script no
    longer uses a shell to run openssl commands. (originally
    filed as CVE-2022-37460, later withdrawn)
  - Fix command line parsing: reject -X int_max_str_digits option
    with no value (invalid) when the PYTHONINTMAXSTRDIGITS
    environment variable is set to a valid limit.
  - When ValueError is raised if an integer is larger than the
    limit, mention the sys.set_int_max_str_digits() function in
    the error message.
  - The deprecated mailcap module now refuses to inject unsafe
    text (filenames, MIME types, parameters) into shell
    commands. Instead of using such text, it will warn and act
    as if a match was not found (or for test commands, as if the
    test failed).
  - os.sched_yield() now release the GIL while calling
    sched_yield(2).
  - Bugfix: PyFunction_GetAnnotations() should return a borrowed
    reference. It was returning a new reference.
  - Fixed a missing incref/decref pair in
    Exception.__setstate__().
  - Fix overly-broad source position information for chained
    comparisons used as branching conditions.
  - Fix undefined behaviour in _testcapimodule.c.
  - At Python exit, sometimes a thread holding the GIL can
    wait forever for a thread (usually a daemon thread) which
    requested to drop the GIL, whereas the thread already
    exited. To fix the race condition, the thread which requested
    the GIL drop now resets its request before exiting.
  - Fix a possible assertion failure, fatal error, or SystemError
    if a line tracing event raises an exception while opcode
    tracing is enabled.
  - Fix undefined behaviour in C code of null pointer arithmetic.
  - Do not expose KeyWrapper in _functools.
  - When loading a file with invalid UTF-8 inside a multi-line
    string, a correct SyntaxError is emitted.
  - Disable incorrect pickling of the C implemented classmethod
    descriptors.
  - Fix AttributeError missing name and obj attributes in       .
    object.__getattribute__() bpo-42316: Document some places   .
    where an assignment expression needs parentheses            .
  - Wrap network errors consistently in urllib FTP support, so
    the test suite doesn’t fail when a network is available but
    the public internet is not reachable.
  - Fixes AttributeError when subprocess.check_output() is used
    with argument input=None and either of the arguments encoding
    or errors are used.
  - Avoid spurious tracebacks from asyncio when default executor
    cleanup is delayed until after the event loop is closed (e.g.
    as the result of a keyboard interrupt).
  - Avoid a crash in the C version of
    asyncio.Future.remove_done_callback() when an evil argument
    is passed.
  - Remove tokenize.NL check from tabnanny.
  - Make Semaphore run faster.
  - Fix generation of the default name of
    tkinter.Checkbutton. Previously, checkbuttons in different
    parent widgets could have the same short name and share
    the same state if arguments “name” and “variable” are not
    specified. Now they are globally unique.
  - Update bundled libexpat to 2.4.9
  - Fix race condition in asyncio where process_exited() called
    before the pipe_data_received() leading to inconsistent
    output.
  - Fixed check in multiprocessing.resource_tracker that
    guarantees that the length of a write to a pipe is not
    greater than PIPE_BUF.
  - Corrected type annotation for dataclass attribute
    pstats.FunctionProfile.ncalls to be str.
  - Fix the faulthandler implementation of
    faulthandler.register(signal, chain=True) if the sigaction()
    function is not available: don’t call the previous signal
    handler if it’s NULL.
  - In inspect, fix overeager replacement of “typing.” in
    formatting annotations.
  - Fix asyncio.streams.StreamReaderProtocol to keep a strong
    reference to the created task, so that it’s not garbage
    collected
  - Fix handling compiler warnings (SyntaxWarning and
    DeprecationWarning) in codeop.compile_command() when checking
    for incomplete input. Previously it emitted warnings and
    raised a SyntaxError. Now it always returns None for
    incomplete input without emitting any warnings.
  - Fixed flickering of the turtle window when the tracer is
    turned off.
  - Allow asyncio.StreamWriter.drain() to be awaited concurrently
    by multiple tasks.
  - Fix broken asyncio.Semaphore when acquire is cancelled.
  - Fix ast.unparse() when ImportFrom.level is None
  - Improve performance of urllib.request.getproxies_environment
    when there are many environment variables
  - Fix ! in c domain ref target syntax via a conf.py patch, so
    it works as intended to disable ref target resolution.
  - Clarified the conflicting advice given in the ast
    documentation about ast.literal_eval() being “safe” for use
    on untrusted input while at the same time warning that it
    can crash the process. The latter statement is true and is
    deemed unfixable without a large amount of work unsuitable
    for a bugfix. So we keep the warning and no longer claim that
    literal_eval is safe.
  - Update tutorial introduction output to use 3.10+ SyntaxError
    invalid range.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:4066-1
Released:    Fri Nov 18 10:43:00 2022
Summary:     Recommended update for timezone
Type:        recommended
Severity:    important
References:  1177460,1202324,1204649,1205156
This update for timezone fixes the following issues:

Update timezone version from 2022a to 2022f (bsc#1177460, bsc#1204649, bsc#1205156):

- Mexico will no longer observe DST except near the US border
- Chihuahua moves to year-round -06 on 2022-10-30
- Fiji no longer observes DST
- In vanguard form, GMT is now a Zone and Etc/GMT a link
- zic now supports links to links, and vanguard form uses this
- Simplify four Ontario zones
- Fix a Y2438 bug when reading TZif data
- Enable 64-bit time_t on 32-bit glibc platforms
- Omit large-file support when no longer needed
- Jordan and Syria switch from +02/+03 with DST to year-round +03
- Palestine transitions are now Saturdays at 02:00
- Simplify three Ukraine zones into one
- Improve tzselect on intercontinental Zones
- Chile's DST is delayed by a week in September 2022 (bsc#1202324)
- Iran no longer observes DST after 2022
- Rename Europe/Kiev to Europe/Kyiv
- New `zic -R` command option
- Vanguard form now uses %z

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:4081-1
Released:    Fri Nov 18 15:40:46 2022
Summary:     Security update for dpkg
Type:        security
Severity:    low
References:  1199944,CVE-2022-1664
This update for dpkg fixes the following issues:

- CVE-2022-1664: Fixed a directory traversal vulnerability in Dpkg::Source::Archive (bsc#1199944).


The following package changes have been done:

- libudev1-249.12-150400.8.13.1 updated
- libsystemd0-249.12-150400.8.13.1 updated
- timezone-2022f-150000.75.15.1 updated
- update-alternatives-1.19.0.4-150000.4.4.1 updated
- libpython3_10-1_0-3.10.8-150400.4.15.1 updated
- python310-base-3.10.8-150400.4.15.1 updated
- python310-3.10.8-150400.4.15.1 updated
- container:sles15-image-15.0.0-27.14.16 updated