libpython3_5m1_0-3.5.1-3.6 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10426 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z libpython3_5m1_0-3.5.1-3.6 on GA media These are all security issues fixed in the libpython3_5m1_0-3.5.1-3.6 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10426 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:10426 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2011-3389/ SUSE CVE CVE-2011-3389 page https://www.suse.com/security/cve/CVE-2011-4944/ SUSE CVE CVE-2011-4944 page https://www.suse.com/security/cve/CVE-2012-0845/ SUSE CVE CVE-2012-0845 page https://www.suse.com/security/cve/CVE-2012-1150/ SUSE CVE CVE-2012-1150 page https://www.suse.com/security/cve/CVE-2013-1752/ SUSE CVE CVE-2013-1752 page https://www.suse.com/security/cve/CVE-2013-4238/ SUSE CVE CVE-2013-4238 page https://www.suse.com/security/cve/CVE-2014-2667/ SUSE CVE CVE-2014-2667 page https://www.suse.com/security/cve/CVE-2014-4650/ SUSE CVE CVE-2014-4650 page openSUSE Tumbleweed libpython3_5m1_0-3.5.1-3.6 libpython3_5m1_0-32bit-3.5.1-3.6 python3-base-3.5.1-3.6 python3-base-32bit-3.5.1-3.6 python3-devel-3.5.1-3.6 python3-idle-3.5.1-3.6 python3-testsuite-3.5.1-3.6 python3-tools-3.5.1-3.6 libpython3_5m1_0-3.5.1-3.6 as a component of openSUSE Tumbleweed libpython3_5m1_0-32bit-3.5.1-3.6 as a component of openSUSE Tumbleweed python3-base-3.5.1-3.6 as a component of openSUSE Tumbleweed python3-base-32bit-3.5.1-3.6 as a component of openSUSE Tumbleweed python3-devel-3.5.1-3.6 as a component of openSUSE Tumbleweed python3-idle-3.5.1-3.6 as a component of openSUSE Tumbleweed python3-testsuite-3.5.1-3.6 as a component of openSUSE Tumbleweed python3-tools-3.5.1-3.6 as a component of openSUSE Tumbleweed The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack. CVE-2011-3389 openSUSE Tumbleweed:libpython3_5m1_0-3.5.1-3.6 openSUSE Tumbleweed:libpython3_5m1_0-32bit-3.5.1-3.6 openSUSE Tumbleweed:python3-base-3.5.1-3.6 openSUSE Tumbleweed:python3-base-32bit-3.5.1-3.6 openSUSE Tumbleweed:python3-devel-3.5.1-3.6 openSUSE Tumbleweed:python3-idle-3.5.1-3.6 openSUSE Tumbleweed:python3-testsuite-3.5.1-3.6 openSUSE Tumbleweed:python3-tools-3.5.1-3.6 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2011-3389.html CVE-2011-3389 https://bugzilla.suse.com/716002 SUSE Bug 716002 https://bugzilla.suse.com/719047 SUSE Bug 719047 https://bugzilla.suse.com/725167 SUSE Bug 725167 https://bugzilla.suse.com/726096 SUSE Bug 726096 https://bugzilla.suse.com/739248 SUSE Bug 739248 https://bugzilla.suse.com/739256 SUSE Bug 739256 https://bugzilla.suse.com/742306 SUSE Bug 742306 https://bugzilla.suse.com/751718 SUSE Bug 751718 https://bugzilla.suse.com/759666 SUSE Bug 759666 https://bugzilla.suse.com/763598 SUSE Bug 763598 https://bugzilla.suse.com/814655 SUSE Bug 814655 Python 2.6 through 3.2 creates ~/.pypirc with world-readable permissions before changing them after data has been written, which introduces a race condition that allows local users to obtain a username and password by reading this file. CVE-2011-4944 openSUSE Tumbleweed:libpython3_5m1_0-3.5.1-3.6 openSUSE Tumbleweed:libpython3_5m1_0-32bit-3.5.1-3.6 openSUSE Tumbleweed:python3-base-3.5.1-3.6 openSUSE Tumbleweed:python3-base-32bit-3.5.1-3.6 openSUSE Tumbleweed:python3-devel-3.5.1-3.6 openSUSE Tumbleweed:python3-idle-3.5.1-3.6 openSUSE Tumbleweed:python3-testsuite-3.5.1-3.6 openSUSE Tumbleweed:python3-tools-3.5.1-3.6 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2011-4944.html CVE-2011-4944 https://bugzilla.suse.com/754447 SUSE Bug 754447 SimpleXMLRPCServer.py in SimpleXMLRPCServer in Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an XML-RPC POST request that contains a smaller amount of data than specified by the Content-Length header. CVE-2012-0845 openSUSE Tumbleweed:libpython3_5m1_0-3.5.1-3.6 openSUSE Tumbleweed:libpython3_5m1_0-32bit-3.5.1-3.6 openSUSE Tumbleweed:python3-base-3.5.1-3.6 openSUSE Tumbleweed:python3-base-32bit-3.5.1-3.6 openSUSE Tumbleweed:python3-devel-3.5.1-3.6 openSUSE Tumbleweed:python3-idle-3.5.1-3.6 openSUSE Tumbleweed:python3-testsuite-3.5.1-3.6 openSUSE Tumbleweed:python3-tools-3.5.1-3.6 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2012-0845.html CVE-2012-0845 https://bugzilla.suse.com/747125 SUSE Bug 747125 Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. CVE-2012-1150 openSUSE Tumbleweed:libpython3_5m1_0-3.5.1-3.6 openSUSE Tumbleweed:libpython3_5m1_0-32bit-3.5.1-3.6 openSUSE Tumbleweed:python3-base-3.5.1-3.6 openSUSE Tumbleweed:python3-base-32bit-3.5.1-3.6 openSUSE Tumbleweed:python3-devel-3.5.1-3.6 openSUSE Tumbleweed:python3-idle-3.5.1-3.6 openSUSE Tumbleweed:python3-testsuite-3.5.1-3.6 openSUSE Tumbleweed:python3-tools-3.5.1-3.6 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2012-1150.html CVE-2012-1150 https://bugzilla.suse.com/751718 SUSE Bug 751718 https://bugzilla.suse.com/755383 SUSE Bug 755383 https://bugzilla.suse.com/826682 SUSE Bug 826682 ** REJECT ** Various versions of Python do not properly restrict readline calls, which allows remote attackers to cause a denial of service (memory consumption) via a long string, related to (1) httplib - fixed in 2.7.4, 2.6.9, and 3.3.3; (2) ftplib - fixed in 2.7.6, 2.6.9, 3.3.3; (3) imaplib - not yet fixed in 2.7.x, fixed in 2.6.9, 3.3.3; (4) nntplib - fixed in 2.7.6, 2.6.9, 3.3.3; (5) poplib - not yet fixed in 2.7.x, fixed in 2.6.9, 3.3.3; and (6) smtplib - not yet fixed in 2.7.x, fixed in 2.6.9, not yet fixed in 3.3.x. NOTE: this was REJECTed because it is incompatible with CNT1 "Independently Fixable" in the CVE Counting Decisions. CVE-2013-1752 openSUSE Tumbleweed:libpython3_5m1_0-3.5.1-3.6 openSUSE Tumbleweed:libpython3_5m1_0-32bit-3.5.1-3.6 openSUSE Tumbleweed:python3-base-3.5.1-3.6 openSUSE Tumbleweed:python3-base-32bit-3.5.1-3.6 openSUSE Tumbleweed:python3-devel-3.5.1-3.6 openSUSE Tumbleweed:python3-idle-3.5.1-3.6 openSUSE Tumbleweed:python3-testsuite-3.5.1-3.6 openSUSE Tumbleweed:python3-tools-3.5.1-3.6 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-1752.html CVE-2013-1752 https://bugzilla.suse.com/856835 SUSE Bug 856835 https://bugzilla.suse.com/856836 SUSE Bug 856836 https://bugzilla.suse.com/863741 SUSE Bug 863741 https://bugzilla.suse.com/885882 SUSE Bug 885882 https://bugzilla.suse.com/898572 SUSE Bug 898572 https://bugzilla.suse.com/912739 SUSE Bug 912739 The ssl.match_hostname function in the SSL module in Python 2.6 through 3.4 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. CVE-2013-4238 openSUSE Tumbleweed:libpython3_5m1_0-3.5.1-3.6 openSUSE Tumbleweed:libpython3_5m1_0-32bit-3.5.1-3.6 openSUSE Tumbleweed:python3-base-3.5.1-3.6 openSUSE Tumbleweed:python3-base-32bit-3.5.1-3.6 openSUSE Tumbleweed:python3-devel-3.5.1-3.6 openSUSE Tumbleweed:python3-idle-3.5.1-3.6 openSUSE Tumbleweed:python3-testsuite-3.5.1-3.6 openSUSE Tumbleweed:python3-tools-3.5.1-3.6 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-4238.html CVE-2013-4238 https://bugzilla.suse.com/834601 SUSE Bug 834601 https://bugzilla.suse.com/839107 SUSE Bug 839107 https://bugzilla.suse.com/882915 SUSE Bug 882915 https://bugzilla.suse.com/912739 SUSE Bug 912739 Race condition in the _get_masked_mode function in Lib/os.py in Python 3.2 through 3.5, when exist_ok is set to true and multiple threads are used, might allow local users to bypass intended file permissions by leveraging a separate application vulnerability before the umask has been set to the expected value. CVE-2014-2667 openSUSE Tumbleweed:libpython3_5m1_0-3.5.1-3.6 openSUSE Tumbleweed:libpython3_5m1_0-32bit-3.5.1-3.6 openSUSE Tumbleweed:python3-base-3.5.1-3.6 openSUSE Tumbleweed:python3-base-32bit-3.5.1-3.6 openSUSE Tumbleweed:python3-devel-3.5.1-3.6 openSUSE Tumbleweed:python3-idle-3.5.1-3.6 openSUSE Tumbleweed:python3-testsuite-3.5.1-3.6 openSUSE Tumbleweed:python3-tools-3.5.1-3.6 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-2667.html CVE-2014-2667 https://bugzilla.suse.com/871152 SUSE Bug 871152 The CGIHTTPServer module in Python 2.7.5 and 3.3.4 does not properly handle URLs in which URL encoding is used for path separators, which allows remote attackers to read script source code or conduct directory traversal attacks and execute unintended code via a crafted character sequence, as demonstrated by a %2f separator. CVE-2014-4650 openSUSE Tumbleweed:libpython3_5m1_0-3.5.1-3.6 openSUSE Tumbleweed:libpython3_5m1_0-32bit-3.5.1-3.6 openSUSE Tumbleweed:python3-base-3.5.1-3.6 openSUSE Tumbleweed:python3-base-32bit-3.5.1-3.6 openSUSE Tumbleweed:python3-devel-3.5.1-3.6 openSUSE Tumbleweed:python3-idle-3.5.1-3.6 openSUSE Tumbleweed:python3-testsuite-3.5.1-3.6 openSUSE Tumbleweed:python3-tools-3.5.1-3.6 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-4650.html CVE-2014-4650 https://bugzilla.suse.com/856835 SUSE Bug 856835 https://bugzilla.suse.com/856836 SUSE Bug 856836 https://bugzilla.suse.com/863741 SUSE Bug 863741 https://bugzilla.suse.com/885882 SUSE Bug 885882 https://bugzilla.suse.com/898572 SUSE Bug 898572 https://bugzilla.suse.com/912739 SUSE Bug 912739