python-2.7.12-1.5 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10450-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z python-2.7.12-1.5 on GA media These are all security issues fixed in the python-2.7.12-1.5 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10450 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2013-4238/ SUSE CVE CVE-2013-4238 page https://www.suse.com/security/cve/CVE-2016-0772/ SUSE CVE CVE-2016-0772 page https://www.suse.com/security/cve/CVE-2016-5636/ SUSE CVE CVE-2016-5636 page https://www.suse.com/security/cve/CVE-2016-5699/ SUSE CVE CVE-2016-5699 page openSUSE Tumbleweed python-2.7.12-1.5 python-32bit-2.7.12-1.5 python-curses-2.7.12-1.5 python-demo-2.7.12-1.5 python-gdbm-2.7.12-1.5 python-idle-2.7.12-1.5 python-tk-2.7.12-1.5 python-2.7.12-1.5 as a component of openSUSE Tumbleweed python-32bit-2.7.12-1.5 as a component of openSUSE Tumbleweed python-curses-2.7.12-1.5 as a component of openSUSE Tumbleweed python-demo-2.7.12-1.5 as a component of openSUSE Tumbleweed python-gdbm-2.7.12-1.5 as a component of openSUSE Tumbleweed python-idle-2.7.12-1.5 as a component of openSUSE Tumbleweed python-tk-2.7.12-1.5 as a component of openSUSE Tumbleweed The ssl.match_hostname function in the SSL module in Python 2.6 through 3.4 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. CVE-2013-4238 openSUSE Tumbleweed:python-2.7.12-1.5 openSUSE Tumbleweed:python-32bit-2.7.12-1.5 openSUSE Tumbleweed:python-curses-2.7.12-1.5 openSUSE Tumbleweed:python-demo-2.7.12-1.5 openSUSE Tumbleweed:python-gdbm-2.7.12-1.5 openSUSE Tumbleweed:python-idle-2.7.12-1.5 openSUSE Tumbleweed:python-tk-2.7.12-1.5 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-4238.html CVE-2013-4238 https://bugzilla.suse.com/834601 SUSE Bug 834601 https://bugzilla.suse.com/839107 SUSE Bug 839107 https://bugzilla.suse.com/882915 SUSE Bug 882915 https://bugzilla.suse.com/912739 SUSE Bug 912739 The smtplib library in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 does not return an error when StartTLS fails, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a "StartTLS stripping attack." CVE-2016-0772 openSUSE Tumbleweed:python-2.7.12-1.5 openSUSE Tumbleweed:python-32bit-2.7.12-1.5 openSUSE Tumbleweed:python-curses-2.7.12-1.5 openSUSE Tumbleweed:python-demo-2.7.12-1.5 openSUSE Tumbleweed:python-gdbm-2.7.12-1.5 openSUSE Tumbleweed:python-idle-2.7.12-1.5 openSUSE Tumbleweed:python-tk-2.7.12-1.5 moderate 5.8 AV:N/AC:M/Au:N/C:P/I:P/A:N 5.8 AV:N/AC:M/Au:N/C:P/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-0772.html CVE-2016-0772 https://bugzilla.suse.com/984751 SUSE Bug 984751 Integer overflow in the get_data function in zipimport.c in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers to have unspecified impact via a negative data size value, which triggers a heap-based buffer overflow. CVE-2016-5636 openSUSE Tumbleweed:python-2.7.12-1.5 openSUSE Tumbleweed:python-32bit-2.7.12-1.5 openSUSE Tumbleweed:python-curses-2.7.12-1.5 openSUSE Tumbleweed:python-demo-2.7.12-1.5 openSUSE Tumbleweed:python-gdbm-2.7.12-1.5 openSUSE Tumbleweed:python-idle-2.7.12-1.5 openSUSE Tumbleweed:python-tk-2.7.12-1.5 important 4.4 AV:L/AC:M/Au:N/C:P/I:P/A:P 10 AV:N/AC:L/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-5636.html CVE-2016-5636 https://bugzilla.suse.com/1065451 SUSE Bug 1065451 https://bugzilla.suse.com/1106262 SUSE Bug 1106262 https://bugzilla.suse.com/985177 SUSE Bug 985177 CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL. CVE-2016-5699 openSUSE Tumbleweed:python-2.7.12-1.5 openSUSE Tumbleweed:python-32bit-2.7.12-1.5 openSUSE Tumbleweed:python-curses-2.7.12-1.5 openSUSE Tumbleweed:python-demo-2.7.12-1.5 openSUSE Tumbleweed:python-gdbm-2.7.12-1.5 openSUSE Tumbleweed:python-idle-2.7.12-1.5 openSUSE Tumbleweed:python-tk-2.7.12-1.5 moderate 5 AV:N/AC:L/Au:N/C:N/I:P/A:N 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-5699.html CVE-2016-5699 https://bugzilla.suse.com/1122729 SUSE Bug 1122729 https://bugzilla.suse.com/1130840 SUSE Bug 1130840 https://bugzilla.suse.com/985348 SUSE Bug 985348 https://bugzilla.suse.com/985351 SUSE Bug 985351 https://bugzilla.suse.com/986630 SUSE Bug 986630