python3-3.5.1-3.8 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10100 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z python3-3.5.1-3.8 on GA media These are all security issues fixed in the python3-3.5.1-3.8 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10100 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:10100 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2013-4238/ SUSE CVE CVE-2013-4238 page https://www.suse.com/security/cve/CVE-2014-4650/ SUSE CVE CVE-2014-4650 page openSUSE Tumbleweed python3-3.5.1-3.8 python3-32bit-3.5.1-3.8 python3-curses-3.5.1-3.8 python3-dbm-3.5.1-3.8 python3-tk-3.5.1-3.8 python3-3.5.1-3.8 as a component of openSUSE Tumbleweed python3-32bit-3.5.1-3.8 as a component of openSUSE Tumbleweed python3-curses-3.5.1-3.8 as a component of openSUSE Tumbleweed python3-dbm-3.5.1-3.8 as a component of openSUSE Tumbleweed python3-tk-3.5.1-3.8 as a component of openSUSE Tumbleweed The ssl.match_hostname function in the SSL module in Python 2.6 through 3.4 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. CVE-2013-4238 openSUSE Tumbleweed:python3-3.5.1-3.8 openSUSE Tumbleweed:python3-32bit-3.5.1-3.8 openSUSE Tumbleweed:python3-curses-3.5.1-3.8 openSUSE Tumbleweed:python3-dbm-3.5.1-3.8 openSUSE Tumbleweed:python3-tk-3.5.1-3.8 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-4238.html CVE-2013-4238 https://bugzilla.suse.com/834601 SUSE Bug 834601 https://bugzilla.suse.com/839107 SUSE Bug 839107 https://bugzilla.suse.com/882915 SUSE Bug 882915 https://bugzilla.suse.com/912739 SUSE Bug 912739 The CGIHTTPServer module in Python 2.7.5 and 3.3.4 does not properly handle URLs in which URL encoding is used for path separators, which allows remote attackers to read script source code or conduct directory traversal attacks and execute unintended code via a crafted character sequence, as demonstrated by a %2f separator. CVE-2014-4650 openSUSE Tumbleweed:python3-3.5.1-3.8 openSUSE Tumbleweed:python3-32bit-3.5.1-3.8 openSUSE Tumbleweed:python3-curses-3.5.1-3.8 openSUSE Tumbleweed:python3-dbm-3.5.1-3.8 openSUSE Tumbleweed:python3-tk-3.5.1-3.8 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-4650.html CVE-2014-4650 https://bugzilla.suse.com/856835 SUSE Bug 856835 https://bugzilla.suse.com/856836 SUSE Bug 856836 https://bugzilla.suse.com/863741 SUSE Bug 863741 https://bugzilla.suse.com/885882 SUSE Bug 885882 https://bugzilla.suse.com/898572 SUSE Bug 898572 https://bugzilla.suse.com/912739 SUSE Bug 912739