libpython2_7-1_0-2.7.12-1.4 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10536-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z libpython2_7-1_0-2.7.12-1.4 on GA media These are all security issues fixed in the libpython2_7-1_0-2.7.12-1.4 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10536 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2011-1521/ SUSE CVE CVE-2011-1521 page https://www.suse.com/security/cve/CVE-2011-3389/ SUSE CVE CVE-2011-3389 page https://www.suse.com/security/cve/CVE-2011-4944/ SUSE CVE CVE-2011-4944 page https://www.suse.com/security/cve/CVE-2012-0845/ SUSE CVE CVE-2012-0845 page https://www.suse.com/security/cve/CVE-2012-1150/ SUSE CVE CVE-2012-1150 page https://www.suse.com/security/cve/CVE-2013-1752/ SUSE CVE CVE-2013-1752 page https://www.suse.com/security/cve/CVE-2013-1753/ SUSE CVE CVE-2013-1753 page https://www.suse.com/security/cve/CVE-2013-4238/ SUSE CVE CVE-2013-4238 page https://www.suse.com/security/cve/CVE-2014-1912/ SUSE CVE CVE-2014-1912 page https://www.suse.com/security/cve/CVE-2014-4650/ SUSE CVE CVE-2014-4650 page https://www.suse.com/security/cve/CVE-2014-7185/ SUSE CVE CVE-2014-7185 page https://www.suse.com/security/cve/CVE-2016-0772/ SUSE CVE CVE-2016-0772 page https://www.suse.com/security/cve/CVE-2016-5636/ SUSE CVE CVE-2016-5636 page https://www.suse.com/security/cve/CVE-2016-5699/ SUSE CVE CVE-2016-5699 page openSUSE Tumbleweed libpython2_7-1_0-2.7.12-1.4 libpython2_7-1_0-32bit-2.7.12-1.4 python-base-2.7.12-1.4 python-base-32bit-2.7.12-1.4 python-devel-2.7.12-1.4 python-xml-2.7.12-1.4 libpython2_7-1_0-2.7.12-1.4 as a component of openSUSE Tumbleweed libpython2_7-1_0-32bit-2.7.12-1.4 as a component of openSUSE Tumbleweed python-base-2.7.12-1.4 as a component of openSUSE Tumbleweed python-base-32bit-2.7.12-1.4 as a component of openSUSE Tumbleweed python-devel-2.7.12-1.4 as a component of openSUSE Tumbleweed python-xml-2.7.12-1.4 as a component of openSUSE Tumbleweed The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x before 3.2.1 process Location headers that specify redirection to file: URLs, which makes it easier for remote attackers to obtain sensitive information or cause a denial of service (resource consumption) via a crafted URL, as demonstrated by the file:///etc/passwd and file:///dev/zero URLs. CVE-2011-1521 openSUSE Tumbleweed:libpython2_7-1_0-2.7.12-1.4 openSUSE Tumbleweed:libpython2_7-1_0-32bit-2.7.12-1.4 openSUSE Tumbleweed:python-base-2.7.12-1.4 openSUSE Tumbleweed:python-base-32bit-2.7.12-1.4 openSUSE Tumbleweed:python-devel-2.7.12-1.4 openSUSE Tumbleweed:python-xml-2.7.12-1.4 moderate 6.4 AV:N/AC:L/Au:N/C:P/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2011-1521.html CVE-2011-1521 https://bugzilla.suse.com/682554 SUSE Bug 682554 The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack. CVE-2011-3389 openSUSE Tumbleweed:libpython2_7-1_0-2.7.12-1.4 openSUSE Tumbleweed:libpython2_7-1_0-32bit-2.7.12-1.4 openSUSE Tumbleweed:python-base-2.7.12-1.4 openSUSE Tumbleweed:python-base-32bit-2.7.12-1.4 openSUSE Tumbleweed:python-devel-2.7.12-1.4 openSUSE Tumbleweed:python-xml-2.7.12-1.4 moderate 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2011-3389.html CVE-2011-3389 https://bugzilla.suse.com/716002 SUSE Bug 716002 https://bugzilla.suse.com/719047 SUSE Bug 719047 https://bugzilla.suse.com/725167 SUSE Bug 725167 https://bugzilla.suse.com/726096 SUSE Bug 726096 https://bugzilla.suse.com/739248 SUSE Bug 739248 https://bugzilla.suse.com/739256 SUSE Bug 739256 https://bugzilla.suse.com/742306 SUSE Bug 742306 https://bugzilla.suse.com/751718 SUSE Bug 751718 https://bugzilla.suse.com/759666 SUSE Bug 759666 https://bugzilla.suse.com/763598 SUSE Bug 763598 https://bugzilla.suse.com/814655 SUSE Bug 814655 Python 2.6 through 3.2 creates ~/.pypirc with world-readable permissions before changing them after data has been written, which introduces a race condition that allows local users to obtain a username and password by reading this file. CVE-2011-4944 openSUSE Tumbleweed:libpython2_7-1_0-2.7.12-1.4 openSUSE Tumbleweed:libpython2_7-1_0-32bit-2.7.12-1.4 openSUSE Tumbleweed:python-base-2.7.12-1.4 openSUSE Tumbleweed:python-base-32bit-2.7.12-1.4 openSUSE Tumbleweed:python-devel-2.7.12-1.4 openSUSE Tumbleweed:python-xml-2.7.12-1.4 low 1.9 AV:L/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2011-4944.html CVE-2011-4944 https://bugzilla.suse.com/754447 SUSE Bug 754447 SimpleXMLRPCServer.py in SimpleXMLRPCServer in Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an XML-RPC POST request that contains a smaller amount of data than specified by the Content-Length header. CVE-2012-0845 openSUSE Tumbleweed:libpython2_7-1_0-2.7.12-1.4 openSUSE Tumbleweed:libpython2_7-1_0-32bit-2.7.12-1.4 openSUSE Tumbleweed:python-base-2.7.12-1.4 openSUSE Tumbleweed:python-base-32bit-2.7.12-1.4 openSUSE Tumbleweed:python-devel-2.7.12-1.4 openSUSE Tumbleweed:python-xml-2.7.12-1.4 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2012-0845.html CVE-2012-0845 https://bugzilla.suse.com/747125 SUSE Bug 747125 Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. CVE-2012-1150 openSUSE Tumbleweed:libpython2_7-1_0-2.7.12-1.4 openSUSE Tumbleweed:libpython2_7-1_0-32bit-2.7.12-1.4 openSUSE Tumbleweed:python-base-2.7.12-1.4 openSUSE Tumbleweed:python-base-32bit-2.7.12-1.4 openSUSE Tumbleweed:python-devel-2.7.12-1.4 openSUSE Tumbleweed:python-xml-2.7.12-1.4 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2012-1150.html CVE-2012-1150 https://bugzilla.suse.com/751718 SUSE Bug 751718 https://bugzilla.suse.com/755383 SUSE Bug 755383 https://bugzilla.suse.com/826682 SUSE Bug 826682 ** REJECT ** Various versions of Python do not properly restrict readline calls, which allows remote attackers to cause a denial of service (memory consumption) via a long string, related to (1) httplib - fixed in 2.7.4, 2.6.9, and 3.3.3; (2) ftplib - fixed in 2.7.6, 2.6.9, 3.3.3; (3) imaplib - not yet fixed in 2.7.x, fixed in 2.6.9, 3.3.3; (4) nntplib - fixed in 2.7.6, 2.6.9, 3.3.3; (5) poplib - not yet fixed in 2.7.x, fixed in 2.6.9, 3.3.3; and (6) smtplib - not yet fixed in 2.7.x, fixed in 2.6.9, not yet fixed in 3.3.x. NOTE: this was REJECTed because it is incompatible with CNT1 "Independently Fixable" in the CVE Counting Decisions. CVE-2013-1752 openSUSE Tumbleweed:libpython2_7-1_0-2.7.12-1.4 openSUSE Tumbleweed:libpython2_7-1_0-32bit-2.7.12-1.4 openSUSE Tumbleweed:python-base-2.7.12-1.4 openSUSE Tumbleweed:python-base-32bit-2.7.12-1.4 openSUSE Tumbleweed:python-devel-2.7.12-1.4 openSUSE Tumbleweed:python-xml-2.7.12-1.4 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-1752.html CVE-2013-1752 https://bugzilla.suse.com/856835 SUSE Bug 856835 https://bugzilla.suse.com/856836 SUSE Bug 856836 https://bugzilla.suse.com/863741 SUSE Bug 863741 https://bugzilla.suse.com/885882 SUSE Bug 885882 https://bugzilla.suse.com/898572 SUSE Bug 898572 https://bugzilla.suse.com/912739 SUSE Bug 912739 The gzip_decode function in the xmlrpc client library in Python 3.4 and earlier allows remote attackers to cause a denial of service (memory consumption) via a crafted HTTP request. CVE-2013-1753 openSUSE Tumbleweed:libpython2_7-1_0-2.7.12-1.4 openSUSE Tumbleweed:libpython2_7-1_0-32bit-2.7.12-1.4 openSUSE Tumbleweed:python-base-2.7.12-1.4 openSUSE Tumbleweed:python-base-32bit-2.7.12-1.4 openSUSE Tumbleweed:python-devel-2.7.12-1.4 openSUSE Tumbleweed:python-xml-2.7.12-1.4 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-1753.html CVE-2013-1753 https://bugzilla.suse.com/856835 SUSE Bug 856835 The ssl.match_hostname function in the SSL module in Python 2.6 through 3.4 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. CVE-2013-4238 openSUSE Tumbleweed:libpython2_7-1_0-2.7.12-1.4 openSUSE Tumbleweed:libpython2_7-1_0-32bit-2.7.12-1.4 openSUSE Tumbleweed:python-base-2.7.12-1.4 openSUSE Tumbleweed:python-base-32bit-2.7.12-1.4 openSUSE Tumbleweed:python-devel-2.7.12-1.4 openSUSE Tumbleweed:python-xml-2.7.12-1.4 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-4238.html CVE-2013-4238 https://bugzilla.suse.com/834601 SUSE Bug 834601 https://bugzilla.suse.com/839107 SUSE Bug 839107 https://bugzilla.suse.com/882915 SUSE Bug 882915 https://bugzilla.suse.com/912739 SUSE Bug 912739 Buffer overflow in the socket.recvfrom_into function in Modules/socketmodule.c in Python 2.5 before 2.7.7, 3.x before 3.3.4, and 3.4.x before 3.4rc1 allows remote attackers to execute arbitrary code via a crafted string. CVE-2014-1912 openSUSE Tumbleweed:libpython2_7-1_0-2.7.12-1.4 openSUSE Tumbleweed:libpython2_7-1_0-32bit-2.7.12-1.4 openSUSE Tumbleweed:python-base-2.7.12-1.4 openSUSE Tumbleweed:python-base-32bit-2.7.12-1.4 openSUSE Tumbleweed:python-devel-2.7.12-1.4 openSUSE Tumbleweed:python-xml-2.7.12-1.4 important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-1912.html CVE-2014-1912 https://bugzilla.suse.com/1049392 SUSE Bug 1049392 https://bugzilla.suse.com/1049422 SUSE Bug 1049422 https://bugzilla.suse.com/863741 SUSE Bug 863741 https://bugzilla.suse.com/882915 SUSE Bug 882915 https://bugzilla.suse.com/912739 SUSE Bug 912739 The CGIHTTPServer module in Python 2.7.5 and 3.3.4 does not properly handle URLs in which URL encoding is used for path separators, which allows remote attackers to read script source code or conduct directory traversal attacks and execute unintended code via a crafted character sequence, as demonstrated by a %2f separator. CVE-2014-4650 openSUSE Tumbleweed:libpython2_7-1_0-2.7.12-1.4 openSUSE Tumbleweed:libpython2_7-1_0-32bit-2.7.12-1.4 openSUSE Tumbleweed:python-base-2.7.12-1.4 openSUSE Tumbleweed:python-base-32bit-2.7.12-1.4 openSUSE Tumbleweed:python-devel-2.7.12-1.4 openSUSE Tumbleweed:python-xml-2.7.12-1.4 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-4650.html CVE-2014-4650 https://bugzilla.suse.com/856835 SUSE Bug 856835 https://bugzilla.suse.com/856836 SUSE Bug 856836 https://bugzilla.suse.com/863741 SUSE Bug 863741 https://bugzilla.suse.com/885882 SUSE Bug 885882 https://bugzilla.suse.com/898572 SUSE Bug 898572 https://bugzilla.suse.com/912739 SUSE Bug 912739 Integer overflow in bufferobject.c in Python before 2.7.8 allows context-dependent attackers to obtain sensitive information from process memory via a large size and offset in a "buffer" function. CVE-2014-7185 openSUSE Tumbleweed:libpython2_7-1_0-2.7.12-1.4 openSUSE Tumbleweed:libpython2_7-1_0-32bit-2.7.12-1.4 openSUSE Tumbleweed:python-base-2.7.12-1.4 openSUSE Tumbleweed:python-base-32bit-2.7.12-1.4 openSUSE Tumbleweed:python-devel-2.7.12-1.4 openSUSE Tumbleweed:python-xml-2.7.12-1.4 moderate 6.4 AV:N/AC:L/Au:N/C:P/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-7185.html CVE-2014-7185 https://bugzilla.suse.com/898572 SUSE Bug 898572 https://bugzilla.suse.com/912739 SUSE Bug 912739 https://bugzilla.suse.com/913479 SUSE Bug 913479 https://bugzilla.suse.com/955182 SUSE Bug 955182 The smtplib library in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 does not return an error when StartTLS fails, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a "StartTLS stripping attack." CVE-2016-0772 openSUSE Tumbleweed:libpython2_7-1_0-2.7.12-1.4 openSUSE Tumbleweed:libpython2_7-1_0-32bit-2.7.12-1.4 openSUSE Tumbleweed:python-base-2.7.12-1.4 openSUSE Tumbleweed:python-base-32bit-2.7.12-1.4 openSUSE Tumbleweed:python-devel-2.7.12-1.4 openSUSE Tumbleweed:python-xml-2.7.12-1.4 moderate 5.8 AV:N/AC:M/Au:N/C:P/I:P/A:N 5.8 AV:N/AC:M/Au:N/C:P/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-0772.html CVE-2016-0772 https://bugzilla.suse.com/984751 SUSE Bug 984751 Integer overflow in the get_data function in zipimport.c in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers to have unspecified impact via a negative data size value, which triggers a heap-based buffer overflow. CVE-2016-5636 openSUSE Tumbleweed:libpython2_7-1_0-2.7.12-1.4 openSUSE Tumbleweed:libpython2_7-1_0-32bit-2.7.12-1.4 openSUSE Tumbleweed:python-base-2.7.12-1.4 openSUSE Tumbleweed:python-base-32bit-2.7.12-1.4 openSUSE Tumbleweed:python-devel-2.7.12-1.4 openSUSE Tumbleweed:python-xml-2.7.12-1.4 important 4.4 AV:L/AC:M/Au:N/C:P/I:P/A:P 10 AV:N/AC:L/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-5636.html CVE-2016-5636 https://bugzilla.suse.com/1065451 SUSE Bug 1065451 https://bugzilla.suse.com/1106262 SUSE Bug 1106262 https://bugzilla.suse.com/985177 SUSE Bug 985177 CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL. CVE-2016-5699 openSUSE Tumbleweed:libpython2_7-1_0-2.7.12-1.4 openSUSE Tumbleweed:libpython2_7-1_0-32bit-2.7.12-1.4 openSUSE Tumbleweed:python-base-2.7.12-1.4 openSUSE Tumbleweed:python-base-32bit-2.7.12-1.4 openSUSE Tumbleweed:python-devel-2.7.12-1.4 openSUSE Tumbleweed:python-xml-2.7.12-1.4 moderate 5 AV:N/AC:L/Au:N/C:N/I:P/A:N 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-5699.html CVE-2016-5699 https://bugzilla.suse.com/1122729 SUSE Bug 1122729 https://bugzilla.suse.com/1130840 SUSE Bug 1130840 https://bugzilla.suse.com/985348 SUSE Bug 985348 https://bugzilla.suse.com/985351 SUSE Bug 985351 https://bugzilla.suse.com/986630 SUSE Bug 986630