SUSE-CU-2023:694-1: Security update of bci/python

sle-updates at lists.suse.com sle-updates at lists.suse.com
Fri Mar 17 08:06:00 UTC 2023 

SUSE Container Update Advisory: bci/python
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:694-1
Container Tags        : bci/python:3 , bci/python:3-11.31 , bci/python:3.10 , bci/python:3.10-11.31 , bci/python:latest
Container Release     : 11.31
Severity              : important
Type                  : security
References            : 1208471 831629 CVE-2015-20107 CVE-2022-37454 CVE-2022-42919 CVE-2022-45061
                        CVE-2023-24329 
-----------------------------------------------------------------

The container bci/python was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:748-1
Released:    Wed Mar 15 20:34:06 2023
Summary:     Security update for python310
Type:        security
Severity:    important
References:  1208471,831629,CVE-2015-20107,CVE-2022-37454,CVE-2022-42919,CVE-2022-45061,CVE-2023-24329
This update for python310 fixes the following issues:

- CVE-2023-24329: Fixed blocklist bypass via the urllib.parse component when supplying a URL that starts with blank characters (bsc#1208471).

Update to 3.10.10:

- Add provides for readline and sqlite3 to the main Python
  package.
- Disable NIS for new products, it's deprecated and gets removed

Update to 3.10.9:
  
- python -m http.server no longer allows terminal
  control characters sent within a garbage request to be
  printed to the stderr server lo This is done by changing
  the http.server BaseHTTPRequestHandler .log_message method
  to replace control characters with a \xHH hex escape before
  printin
- Avoid publishing list of active per-interpreter
  audit hooks via the gc module
- The IDNA codec decoder used on DNS hostnames by
  socket or asyncio related name resolution functions no
  longer involves a quadratic algorithm. This prevents a
  potential CPU denial of service if an out-of-spec excessive
  length hostname involving bidirectional characters were
  decoded. Some protocols such as urllib http 3xx redirects
  potentially allow for an attacker to supply such a name.
- Update bundled libexpat to 2.5.0
- Port XKCP’s fix for the buffer overflows in SHA-3
  (CVE-2022-37454).
- On Linux the multiprocessing module returns
  to using filesystem backed unix domain sockets for
  communication with the forkserver process instead of the
  Linux abstract socket namespace. Only code that chooses
  to use the “forkserver” start method is affected Abstract
  sockets have no permissions and could allow any user
  on the system in the same network namespace (often the
  whole system) to inject code into the multiprocessing
  forkserver process. This was a potential privilege
  escalation. Filesystem based socket permissions restrict
  this to the forkserver process user as was the default in
  Python 3.8 and earlier This prevents Linux CVE-2022-42919
- Fix a reference bug in _imp.create_builtin()
  after the creation of the first sub-interpreter for modules
  builtins and sys. Patch by Victor Stinner.
- Fixed a bug that was causing a buffer overflow if
  the tokenizer copies a line missing the newline caracter
  from a file that is as long as the available tokenizer
  buffer. Patch by Pablo galindo
- Update faulthandler to emit an error message with
  the proper unexpected signal number. Patch by Dong-hee Na.
- Fix subscription of types.GenericAlias instances
  containing bare generic types: for example tuple[A, T][int],
  where A is a generic type, and T is a type variable.
- Fix detection of MAC addresses for uuid on certain
  OSs. Patch by Chaim Sanders
- Print exception class name instead of its string
  representation when raising errors from ctypes calls.
- Allow pdb to locate source for frozen modules in
  the standard library.
- Raise ValueError instead of SystemError when
  methods of uninitialized io.IncrementalNewlineDecoder objects
  are called. Patch by Oren Milman.
- Fix a possible assertion failure in io.FileIO when
  the opener returns an invalid file descriptor.
- Also escape s in the http.server
  BaseHTTPRequestHandler.log_message so that it is technically
  possible to parse the line and reconstruct what the original
  data was. Without this a xHH is ambiguious as to if it is a
  hex replacement we put in or the characters r”x” came through
  in the original request line.
- asyncio.get_event_loop() now only emits a
  deprecation warning when a new event loop was created
  implicitly. It no longer emits a deprecation warning if the
  current event loop was set.
- Fix bug when calling trace.CoverageResults with
  valid infile.
- Fix a bug in handling class cleanups in
  unittest.TestCase. Now addClassCleanup() uses separate lists
  for different TestCase subclasses, and doClassCleanups() only
  cleans up the particular class.
- Release the GIL when calling termios APIs to avoid
  blocking threads.
- Fix ast.increment_lineno() to also cover
  ast.TypeIgnore when changing line numbers.
- Fixed bug where inspect.signature() reported
  incorrect arguments for decorated methods.
- Fix SystemError in ctypes when exception was not
  set during __initsubclass__.
- Fix statistics.NormalDist pickle with 0 and 1
  protocols.
- Update the bundled copy of pip to version 22.3.1.
- Apply bugfixes from importlib_metadata 4.11.4,
  namely: In PathDistribution._name_from_stem, avoid
  including parts of the extension in the result. In
  PathDistribution._normalized_name, ensure names loaded from
  the stem of the filename are also normalized, ensuring
  duplicate entry points by packages varying only by
  non-normalized name are hidden.
- Clean up refleak on failed module initialisation in
  _zoneinfo
- Clean up refleaks on failed module initialisation
  in in _pickle
- Clean up refleak on failed module initialisation in
  _io.
- Fix memory leak in math.dist() when both points
  don’t have the same dimension. Patch by Kumar Aditya.
- Fix argument typechecks in _overlapped.WSAConnect()
  and _overlapped.Overlapped.WSASendTo() functions.
- Fix internal error in the re module which in
  very rare circumstances prevented compilation of a regular
  expression containing a conditional expression without the
  “else” branch.
- Fix asyncio.StreamWriter.drain() to call
  protocol.connection_lost callback only once on Windows.
- Add a mutex to unittest.mock.NonCallableMock to
  protect concurrent access to mock attributes.
- Fix hang on Windows in subprocess.wait_closed() in
  asyncio with ProactorEventLoop. Patch by Kumar Aditya.
- Fix infinite loop in unittest when a
  self-referencing chained exception is raised
- tkinter.Text.count() raises now an exception for
  options starting with “-” instead of silently ignoring them.
- On uname_result, restored expectation that _fields
  and _asdict would include all six properties including
  processor.
- Update the bundled copies of pip and setuptools to
  versions 22.3 and 65.5.0 respectively.
- Fix bug in urllib.parse.urlparse() that causes
  certain port numbers containing whitespace, underscores,
  plus and minus signs, or non-ASCII digits to be incorrectly
  accepted.
- Allow venv to pass along PYTHON* variables to
  ensurepip and pip when they do not impact path resolution
- On macOS, fix a crash in syslog.syslog() in
  multi-threaded applications. On macOS, the libc syslog()
  function is not thread-safe, so syslog.syslog() no longer
  releases the GIL to call it. Patch by Victor Stinner.
- Allow BUILTINS to be a valid field name for frozen
  dataclasses.
- Make sure patch.dict() can be applied on async
  functions.
- To avoid apparent memory leaks when
  asyncio.open_connection() raises, break reference cycles
  generated by local exception and future instances (which has
  exception instance as its member var). Patch by Dong Uk,
  Kang.
- Prevent error when activating venv in nested fish
  instances.
- Restrict use of sockets instead of pipes for stdin
  of subprocesses created by asyncio to AIX platform only.
- shutil.copytree() now applies the
  ignore_dangling_symlinks argument recursively.
- Fix IndexError in argparse.ArgumentParser when a
  store_true action is given an explicit argument.
- Document that calling variadic functions with
  ctypes requires special care on macOS/arm64 (and possibly
  other platforms).
- Skip test_normalization() of test_unicodedata
  if it fails to download NormalizationTest.txt file from
  pythontest.net. Patch by Victor Stinner.
- Some C API tests were moved into the new
  Lib/test/test_capi/ directory.
- Fix -Wimplicit-int, -Wstrict-prototypes, and
  -Wimplicit-function-declaration compiler warnings in
  configure checks.
- Fix -Wimplicit-int compiler warning in configure
  check for PTHREAD_SCOPE_SYSTEM.
- Specify the full path to the source location for
  make docclean (needed for cross-builds).
- Fix NO_MISALIGNED_ACCESSES being not defined
  for the SHA3 extension when HAVE_ALIGNED_REQUIRED is
  set. Allowing builds on hardware that unaligned memory
  accesses are not allowed.
- Fix handling of module docstrings in
  Tools/i18n/pygettext.py.

- Add invalid-json.patch fixing invalid JSON in 
  Doc/howto/logging-cookbook.rst (somehow similar to gh#python/cpython#102582).


The following package changes have been done:

- libpython3_10-1_0-3.10.10-150400.4.22.1 updated
- python310-base-3.10.10-150400.4.22.1 updated
- python310-3.10.10-150400.4.22.1 updated
- python310-devel-3.10.10-150400.4.22.1 updated
- container:sles15-image-15.0.0-27.14.39 updated

More information about the sle-updates mailing list