SUSE-CU-2022:3048-1: Security update of bci/python
sle-updates at lists.suse.com
sle-updates at lists.suse.com
Sat Nov 19 08:53:26 UTC 2022
SUSE Container Update Advisory: bci/python
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2022:3048-1
Container Tags : bci/python:3 , bci/python:3.10 , bci/python:3.10-7.31 , bci/python:latest
Container Release : 7.31
Severity : important
Type : security
References : 1177460 1199944 1202324 1204179 1204649 1204886 1204968 1205156
1205244 CVE-2022-1664 CVE-2022-3821 CVE-2022-42919 CVE-2022-45061
-----------------------------------------------------------------
The container bci/python was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3999-1
Released: Tue Nov 15 17:08:04 2022
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1204179,1204968,CVE-2022-3821
This update for systemd fixes the following issues:
- CVE-2022-3821: Fixed buffer overrun in format_timespan() function (bsc#1204968).
- Import commit 0cd50eedcc0692c1f907b24424215f8db7d3b428
* 0469b9f2bc pstore: do not try to load all known pstore modules
* ad05f54439 pstore: Run after modules are loaded
* ccad817445 core: Add trigger limit for path units
* 281d818fe3 core/mount: also add default before dependency for automount mount units
* ffe5b4afa8 logind: fix crash in logind on user-specified message string
- Document udev naming scheme (bsc#1204179)
- Make 'sle15-sp3' net naming scheme still available for backward compatibility
reason
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:4004-1
Released: Tue Nov 15 17:10:13 2022
Summary: Security update for python310
Type: security
Severity: important
References: 1204886,1205244,CVE-2022-42919,CVE-2022-45061
This update for python310 fixes the following issues:
Security fixes:
- CVE-2022-42919: Fixed local privilege escalation via the multiprocessing forkserver start method (bsc#1204886).
- CVE-2022-45061: Fixed a quadratic IDNA decoding time (bsc#1205244).
Other fixes:
- allow building of documentation with the latest Sphinx 5.3.0 (gh#python/cpython#98366).
- Update to 3.10.8:
- Fix multiplying a list by an integer (list *= int): detect
the integer overflow when the new allocated length is close
to the maximum size.
- Fix a shell code injection vulnerability in the
get-remote-certificate.py example script. The script no
longer uses a shell to run openssl commands. (originally
filed as CVE-2022-37460, later withdrawn)
- Fix command line parsing: reject -X int_max_str_digits option
with no value (invalid) when the PYTHONINTMAXSTRDIGITS
environment variable is set to a valid limit.
- When ValueError is raised if an integer is larger than the
limit, mention the sys.set_int_max_str_digits() function in
the error message.
- The deprecated mailcap module now refuses to inject unsafe
text (filenames, MIME types, parameters) into shell
commands. Instead of using such text, it will warn and act
as if a match was not found (or for test commands, as if the
test failed).
- os.sched_yield() now release the GIL while calling
sched_yield(2).
- Bugfix: PyFunction_GetAnnotations() should return a borrowed
reference. It was returning a new reference.
- Fixed a missing incref/decref pair in
Exception.__setstate__().
- Fix overly-broad source position information for chained
comparisons used as branching conditions.
- Fix undefined behaviour in _testcapimodule.c.
- At Python exit, sometimes a thread holding the GIL can
wait forever for a thread (usually a daemon thread) which
requested to drop the GIL, whereas the thread already
exited. To fix the race condition, the thread which requested
the GIL drop now resets its request before exiting.
- Fix a possible assertion failure, fatal error, or SystemError
if a line tracing event raises an exception while opcode
tracing is enabled.
- Fix undefined behaviour in C code of null pointer arithmetic.
- Do not expose KeyWrapper in _functools.
- When loading a file with invalid UTF-8 inside a multi-line
string, a correct SyntaxError is emitted.
- Disable incorrect pickling of the C implemented classmethod
descriptors.
- Fix AttributeError missing name and obj attributes in .
object.__getattribute__() bpo-42316: Document some places .
where an assignment expression needs parentheses .
- Wrap network errors consistently in urllib FTP support, so
the test suite doesnât fail when a network is available but
the public internet is not reachable.
- Fixes AttributeError when subprocess.check_output() is used
with argument input=None and either of the arguments encoding
or errors are used.
- Avoid spurious tracebacks from asyncio when default executor
cleanup is delayed until after the event loop is closed (e.g.
as the result of a keyboard interrupt).
- Avoid a crash in the C version of
asyncio.Future.remove_done_callback() when an evil argument
is passed.
- Remove tokenize.NL check from tabnanny.
- Make Semaphore run faster.
- Fix generation of the default name of
tkinter.Checkbutton. Previously, checkbuttons in different
parent widgets could have the same short name and share
the same state if arguments ânameâ and âvariableâ are not
specified. Now they are globally unique.
- Update bundled libexpat to 2.4.9
- Fix race condition in asyncio where process_exited() called
before the pipe_data_received() leading to inconsistent
output.
- Fixed check in multiprocessing.resource_tracker that
guarantees that the length of a write to a pipe is not
greater than PIPE_BUF.
- Corrected type annotation for dataclass attribute
pstats.FunctionProfile.ncalls to be str.
- Fix the faulthandler implementation of
faulthandler.register(signal, chain=True) if the sigaction()
function is not available: donât call the previous signal
handler if itâs NULL.
- In inspect, fix overeager replacement of âtyping.â in
formatting annotations.
- Fix asyncio.streams.StreamReaderProtocol to keep a strong
reference to the created task, so that itâs not garbage
collected
- Fix handling compiler warnings (SyntaxWarning and
DeprecationWarning) in codeop.compile_command() when checking
for incomplete input. Previously it emitted warnings and
raised a SyntaxError. Now it always returns None for
incomplete input without emitting any warnings.
- Fixed flickering of the turtle window when the tracer is
turned off.
- Allow asyncio.StreamWriter.drain() to be awaited concurrently
by multiple tasks.
- Fix broken asyncio.Semaphore when acquire is cancelled.
- Fix ast.unparse() when ImportFrom.level is None
- Improve performance of urllib.request.getproxies_environment
when there are many environment variables
- Fix ! in c domain ref target syntax via a conf.py patch, so
it works as intended to disable ref target resolution.
- Clarified the conflicting advice given in the ast
documentation about ast.literal_eval() being âsafeâ for use
on untrusted input while at the same time warning that it
can crash the process. The latter statement is true and is
deemed unfixable without a large amount of work unsuitable
for a bugfix. So we keep the warning and no longer claim that
literal_eval is safe.
- Update tutorial introduction output to use 3.10+ SyntaxError
invalid range.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:4066-1
Released: Fri Nov 18 10:43:00 2022
Summary: Recommended update for timezone
Type: recommended
Severity: important
References: 1177460,1202324,1204649,1205156
This update for timezone fixes the following issues:
Update timezone version from 2022a to 2022f (bsc#1177460, bsc#1204649, bsc#1205156):
- Mexico will no longer observe DST except near the US border
- Chihuahua moves to year-round -06 on 2022-10-30
- Fiji no longer observes DST
- In vanguard form, GMT is now a Zone and Etc/GMT a link
- zic now supports links to links, and vanguard form uses this
- Simplify four Ontario zones
- Fix a Y2438 bug when reading TZif data
- Enable 64-bit time_t on 32-bit glibc platforms
- Omit large-file support when no longer needed
- Jordan and Syria switch from +02/+03 with DST to year-round +03
- Palestine transitions are now Saturdays at 02:00
- Simplify three Ukraine zones into one
- Improve tzselect on intercontinental Zones
- Chile's DST is delayed by a week in September 2022 (bsc#1202324)
- Iran no longer observes DST after 2022
- Rename Europe/Kiev to Europe/Kyiv
- New `zic -R` command option
- Vanguard form now uses %z
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:4081-1
Released: Fri Nov 18 15:40:46 2022
Summary: Security update for dpkg
Type: security
Severity: low
References: 1199944,CVE-2022-1664
This update for dpkg fixes the following issues:
- CVE-2022-1664: Fixed a directory traversal vulnerability in Dpkg::Source::Archive (bsc#1199944).
The following package changes have been done:
- libudev1-249.12-150400.8.13.1 updated
- libsystemd0-249.12-150400.8.13.1 updated
- timezone-2022f-150000.75.15.1 updated
- update-alternatives-1.19.0.4-150000.4.4.1 updated
- libpython3_10-1_0-3.10.8-150400.4.15.1 updated
- python310-base-3.10.8-150400.4.15.1 updated
- python310-3.10.8-150400.4.15.1 updated
- container:sles15-image-15.0.0-27.14.16 updated
More information about the sle-updates
mailing list