Security update for python-sentry-sdk SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:0214-1 Final 1 1 2024-07-23T09:17:13Z current 2024-07-23T09:17:13Z 2024-07-23T09:17:13Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for python-sentry-sdk This update for python-sentry-sdk fixes the following issues: - CVE-2024-40647: Do not leak environment variables to child processes. (bsc#1228128) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2024-214 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/J6DLLMQ4P74VFN7WOQ3UL2VM6BAM22WL/ E-Mail link for openSUSE-SU-2024:0214-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1228128 SUSE Bug 1228128 https://www.suse.com/security/cve/CVE-2024-40647/ SUSE CVE CVE-2024-40647 page SUSE Package Hub 15 SP5 openSUSE Leap 15.5 python3-sentry-sdk-0.14.4-bp155.3.3.1 python3-sentry-sdk-0.14.4-bp155.3.3.1 as a component of SUSE Package Hub 15 SP5 python3-sentry-sdk-0.14.4-bp155.3.3.1 as a component of openSUSE Leap 15.5 sentry-sdk is the official Python SDK for Sentry.io. A bug in Sentry's Python SDK < 2.8.0 allows the environment variables to be passed to subprocesses despite the `env={}` setting. In Python's `subprocess` calls, all environment variables are passed to subprocesses by default. However, if you specifically do not want them to be passed to subprocesses, you may use `env` argument in `subprocess` calls. Due to the bug in Sentry SDK, with the Stdlib integration enabled (which is enabled by default), this expectation is not fulfilled, and all environment variables are being passed to subprocesses instead. The issue has been patched in pull request #3251 and is included in sentry-sdk==2.8.0. We strongly recommend upgrading to the latest SDK version. However, if it's not possible, and if passing environment variables to child processes poses a security risk for you, you can disable all default integrations. CVE-2024-40647 SUSE Package Hub 15 SP5:python3-sentry-sdk-0.14.4-bp155.3.3.1 openSUSE Leap 15.5:python3-sentry-sdk-0.14.4-bp155.3.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/J6DLLMQ4P74VFN7WOQ3UL2VM6BAM22WL/ https://www.suse.com/security/cve/CVE-2024-40647.html CVE-2024-40647 https://bugzilla.suse.com/1228128 SUSE Bug 1228128