python-2.7.18-8.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:11202 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z python-2.7.18-8.1 on GA media These are all security issues fixed in the python-2.7.18-8.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-11202 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:11202 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2007-2052/ SUSE CVE CVE-2007-2052 page https://www.suse.com/security/cve/CVE-2008-1721/ SUSE CVE CVE-2008-1721 page https://www.suse.com/security/cve/CVE-2008-2315/ SUSE CVE CVE-2008-2315 page https://www.suse.com/security/cve/CVE-2008-2316/ SUSE CVE CVE-2008-2316 page https://www.suse.com/security/cve/CVE-2008-3142/ SUSE CVE CVE-2008-3142 page https://www.suse.com/security/cve/CVE-2008-3143/ SUSE CVE CVE-2008-3143 page https://www.suse.com/security/cve/CVE-2008-3144/ SUSE CVE CVE-2008-3144 page https://www.suse.com/security/cve/CVE-2011-1521/ SUSE CVE CVE-2011-1521 page https://www.suse.com/security/cve/CVE-2011-3389/ SUSE CVE CVE-2011-3389 page https://www.suse.com/security/cve/CVE-2011-4944/ SUSE CVE CVE-2011-4944 page https://www.suse.com/security/cve/CVE-2012-0845/ SUSE CVE CVE-2012-0845 page https://www.suse.com/security/cve/CVE-2012-1150/ SUSE CVE CVE-2012-1150 page https://www.suse.com/security/cve/CVE-2013-1752/ SUSE CVE CVE-2013-1752 page https://www.suse.com/security/cve/CVE-2013-1753/ SUSE CVE CVE-2013-1753 page https://www.suse.com/security/cve/CVE-2014-1912/ SUSE CVE CVE-2014-1912 page https://www.suse.com/security/cve/CVE-2014-4650/ SUSE CVE CVE-2014-4650 page https://www.suse.com/security/cve/CVE-2014-7185/ SUSE CVE CVE-2014-7185 page https://www.suse.com/security/cve/CVE-2016-1000110/ SUSE CVE CVE-2016-1000110 page https://www.suse.com/security/cve/CVE-2017-1000158/ SUSE CVE CVE-2017-1000158 page https://www.suse.com/security/cve/CVE-2017-18207/ SUSE CVE CVE-2017-18207 page https://www.suse.com/security/cve/CVE-2018-1000030/ SUSE CVE CVE-2018-1000030 page https://www.suse.com/security/cve/CVE-2018-1000802/ SUSE CVE CVE-2018-1000802 page https://www.suse.com/security/cve/CVE-2018-1060/ SUSE CVE CVE-2018-1060 page https://www.suse.com/security/cve/CVE-2018-1061/ SUSE CVE CVE-2018-1061 page https://www.suse.com/security/cve/CVE-2018-14647/ SUSE CVE CVE-2018-14647 page https://www.suse.com/security/cve/CVE-2018-20852/ SUSE CVE CVE-2018-20852 page https://www.suse.com/security/cve/CVE-2019-10160/ SUSE CVE CVE-2019-10160 page https://www.suse.com/security/cve/CVE-2019-16056/ SUSE CVE CVE-2019-16056 page https://www.suse.com/security/cve/CVE-2019-16935/ SUSE CVE CVE-2019-16935 page https://www.suse.com/security/cve/CVE-2019-18348/ SUSE CVE CVE-2019-18348 page https://www.suse.com/security/cve/CVE-2019-5010/ SUSE CVE CVE-2019-5010 page https://www.suse.com/security/cve/CVE-2019-9636/ SUSE CVE CVE-2019-9636 page https://www.suse.com/security/cve/CVE-2019-9674/ SUSE CVE CVE-2019-9674 page https://www.suse.com/security/cve/CVE-2019-9947/ SUSE CVE CVE-2019-9947 page https://www.suse.com/security/cve/CVE-2019-9948/ SUSE CVE CVE-2019-9948 page https://www.suse.com/security/cve/CVE-2020-8492/ SUSE CVE CVE-2020-8492 page https://www.suse.com/security/cve/CVE-2021-23336/ SUSE CVE CVE-2021-23336 page https://www.suse.com/security/cve/CVE-2021-3177/ SUSE CVE CVE-2021-3177 page https://www.suse.com/security/cve/CVE-2021-3733/ SUSE CVE CVE-2021-3733 page https://www.suse.com/security/cve/CVE-2021-3737/ SUSE CVE CVE-2021-3737 page openSUSE Tumbleweed python-2.7.18-8.1 python-32bit-2.7.18-8.1 python-curses-2.7.18-8.1 python-demo-2.7.18-8.1 python-gdbm-2.7.18-8.1 python-idle-2.7.18-8.1 python-tk-2.7.18-8.1 python-2.7.18-8.1 as a component of openSUSE Tumbleweed python-32bit-2.7.18-8.1 as a component of openSUSE Tumbleweed python-curses-2.7.18-8.1 as a component of openSUSE Tumbleweed python-demo-2.7.18-8.1 as a component of openSUSE Tumbleweed python-gdbm-2.7.18-8.1 as a component of openSUSE Tumbleweed python-idle-2.7.18-8.1 as a component of openSUSE Tumbleweed python-tk-2.7.18-8.1 as a component of openSUSE Tumbleweed Off-by-one error in the PyLocale_strxfrm function in Modules/_localemodule.c for Python 2.4 and 2.5 causes an incorrect buffer size to be used for the strxfrm function, which allows context-dependent attackers to read portions of memory via unknown manipulations that trigger a buffer over-read due to missing null termination. CVE-2007-2052 openSUSE Tumbleweed:python-2.7.18-8.1 openSUSE Tumbleweed:python-32bit-2.7.18-8.1 openSUSE Tumbleweed:python-curses-2.7.18-8.1 openSUSE Tumbleweed:python-demo-2.7.18-8.1 openSUSE Tumbleweed:python-gdbm-2.7.18-8.1 openSUSE Tumbleweed:python-idle-2.7.18-8.1 openSUSE Tumbleweed:python-tk-2.7.18-8.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2007-2052.html CVE-2007-2052 https://bugzilla.suse.com/276889 SUSE Bug 276889 Integer signedness error in the zlib extension module in Python 2.5.2 and earlier allows remote attackers to execute arbitrary code via a negative signed integer, which triggers insufficient memory allocation and a buffer overflow. CVE-2008-1721 openSUSE Tumbleweed:python-2.7.18-8.1 openSUSE Tumbleweed:python-32bit-2.7.18-8.1 openSUSE Tumbleweed:python-curses-2.7.18-8.1 openSUSE Tumbleweed:python-demo-2.7.18-8.1 openSUSE Tumbleweed:python-gdbm-2.7.18-8.1 openSUSE Tumbleweed:python-idle-2.7.18-8.1 openSUSE Tumbleweed:python-tk-2.7.18-8.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2008-1721.html CVE-2008-1721 https://bugzilla.suse.com/379044 SUSE Bug 379044 Multiple integer overflows in Python 2.5.2 and earlier allow context-dependent attackers to have an unknown impact via vectors related to the (1) stringobject, (2) unicodeobject, (3) bufferobject, (4) longobject, (5) tupleobject, (6) stropmodule, (7) gcmodule, and (8) mmapmodule modules. NOTE: The expandtabs integer overflows in stringobject and unicodeobject in 2.5.2 are covered by CVE-2008-5031. CVE-2008-2315 openSUSE Tumbleweed:python-2.7.18-8.1 openSUSE Tumbleweed:python-32bit-2.7.18-8.1 openSUSE Tumbleweed:python-curses-2.7.18-8.1 openSUSE Tumbleweed:python-demo-2.7.18-8.1 openSUSE Tumbleweed:python-gdbm-2.7.18-8.1 openSUSE Tumbleweed:python-idle-2.7.18-8.1 openSUSE Tumbleweed:python-tk-2.7.18-8.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2008-2315.html CVE-2008-2315 https://bugzilla.suse.com/406051 SUSE Bug 406051 https://bugzilla.suse.com/443653 SUSE Bug 443653 Integer overflow in _hashopenssl.c in the hashlib module in Python 2.5.2 and earlier might allow context-dependent attackers to defeat cryptographic digests, related to "partial hashlib hashing of data exceeding 4GB." CVE-2008-2316 openSUSE Tumbleweed:python-2.7.18-8.1 openSUSE Tumbleweed:python-32bit-2.7.18-8.1 openSUSE Tumbleweed:python-curses-2.7.18-8.1 openSUSE Tumbleweed:python-demo-2.7.18-8.1 openSUSE Tumbleweed:python-gdbm-2.7.18-8.1 openSUSE Tumbleweed:python-idle-2.7.18-8.1 openSUSE Tumbleweed:python-tk-2.7.18-8.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2008-2316.html CVE-2008-2316 https://bugzilla.suse.com/406051 SUSE Bug 406051 Multiple buffer overflows in Python 2.5.2 and earlier on 32bit platforms allow context-dependent attackers to cause a denial of service (crash) or have unspecified other impact via a long string that leads to incorrect memory allocation during Unicode string processing, related to the unicode_resize function and the PyMem_RESIZE macro. CVE-2008-3142 openSUSE Tumbleweed:python-2.7.18-8.1 openSUSE Tumbleweed:python-32bit-2.7.18-8.1 openSUSE Tumbleweed:python-curses-2.7.18-8.1 openSUSE Tumbleweed:python-demo-2.7.18-8.1 openSUSE Tumbleweed:python-gdbm-2.7.18-8.1 openSUSE Tumbleweed:python-idle-2.7.18-8.1 openSUSE Tumbleweed:python-tk-2.7.18-8.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2008-3142.html CVE-2008-3142 https://bugzilla.suse.com/406051 SUSE Bug 406051 Multiple integer overflows in Python before 2.5.2 might allow context-dependent attackers to have an unknown impact via vectors related to (1) Include/pymem.h; (2) _csv.c, (3) _struct.c, (4) arraymodule.c, (5) audioop.c, (6) binascii.c, (7) cPickle.c, (8) cStringIO.c, (9) cjkcodecs/multibytecodec.c, (10) datetimemodule.c, (11) md5.c, (12) rgbimgmodule.c, and (13) stropmodule.c in Modules/; (14) bufferobject.c, (15) listobject.c, and (16) obmalloc.c in Objects/; (17) Parser/node.c; and (18) asdl.c, (19) ast.c, (20) bltinmodule.c, and (21) compile.c in Python/, as addressed by "checks for integer overflows, contributed by Google." CVE-2008-3143 openSUSE Tumbleweed:python-2.7.18-8.1 openSUSE Tumbleweed:python-32bit-2.7.18-8.1 openSUSE Tumbleweed:python-curses-2.7.18-8.1 openSUSE Tumbleweed:python-demo-2.7.18-8.1 openSUSE Tumbleweed:python-gdbm-2.7.18-8.1 openSUSE Tumbleweed:python-idle-2.7.18-8.1 openSUSE Tumbleweed:python-tk-2.7.18-8.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2008-3143.html CVE-2008-3143 https://bugzilla.suse.com/406051 SUSE Bug 406051 https://bugzilla.suse.com/444989 SUSE Bug 444989 https://bugzilla.suse.com/609759 SUSE Bug 609759 Multiple integer overflows in the PyOS_vsnprintf function in Python/mysnprintf.c in Python 2.5.2 and earlier allow context-dependent attackers to cause a denial of service (memory corruption) or have unspecified other impact via crafted input to string formatting operations. NOTE: the handling of certain integer values is also affected by related integer underflows and an off-by-one error. CVE-2008-3144 openSUSE Tumbleweed:python-2.7.18-8.1 openSUSE Tumbleweed:python-32bit-2.7.18-8.1 openSUSE Tumbleweed:python-curses-2.7.18-8.1 openSUSE Tumbleweed:python-demo-2.7.18-8.1 openSUSE Tumbleweed:python-gdbm-2.7.18-8.1 openSUSE Tumbleweed:python-idle-2.7.18-8.1 openSUSE Tumbleweed:python-tk-2.7.18-8.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2008-3144.html CVE-2008-3144 https://bugzilla.suse.com/406051 SUSE Bug 406051 The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x before 3.2.1 process Location headers that specify redirection to file: URLs, which makes it easier for remote attackers to obtain sensitive information or cause a denial of service (resource consumption) via a crafted URL, as demonstrated by the file:///etc/passwd and file:///dev/zero URLs. CVE-2011-1521 openSUSE Tumbleweed:python-2.7.18-8.1 openSUSE Tumbleweed:python-32bit-2.7.18-8.1 openSUSE Tumbleweed:python-curses-2.7.18-8.1 openSUSE Tumbleweed:python-demo-2.7.18-8.1 openSUSE Tumbleweed:python-gdbm-2.7.18-8.1 openSUSE Tumbleweed:python-idle-2.7.18-8.1 openSUSE Tumbleweed:python-tk-2.7.18-8.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2011-1521.html CVE-2011-1521 https://bugzilla.suse.com/682554 SUSE Bug 682554 The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack. CVE-2011-3389 openSUSE Tumbleweed:python-2.7.18-8.1 openSUSE Tumbleweed:python-32bit-2.7.18-8.1 openSUSE Tumbleweed:python-curses-2.7.18-8.1 openSUSE Tumbleweed:python-demo-2.7.18-8.1 openSUSE Tumbleweed:python-gdbm-2.7.18-8.1 openSUSE Tumbleweed:python-idle-2.7.18-8.1 openSUSE Tumbleweed:python-tk-2.7.18-8.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2011-3389.html CVE-2011-3389 https://bugzilla.suse.com/716002 SUSE Bug 716002 https://bugzilla.suse.com/719047 SUSE Bug 719047 https://bugzilla.suse.com/725167 SUSE Bug 725167 https://bugzilla.suse.com/726096 SUSE Bug 726096 https://bugzilla.suse.com/739248 SUSE Bug 739248 https://bugzilla.suse.com/739256 SUSE Bug 739256 https://bugzilla.suse.com/742306 SUSE Bug 742306 https://bugzilla.suse.com/751718 SUSE Bug 751718 https://bugzilla.suse.com/759666 SUSE Bug 759666 https://bugzilla.suse.com/763598 SUSE Bug 763598 https://bugzilla.suse.com/814655 SUSE Bug 814655 Python 2.6 through 3.2 creates ~/.pypirc with world-readable permissions before changing them after data has been written, which introduces a race condition that allows local users to obtain a username and password by reading this file. CVE-2011-4944 openSUSE Tumbleweed:python-2.7.18-8.1 openSUSE Tumbleweed:python-32bit-2.7.18-8.1 openSUSE Tumbleweed:python-curses-2.7.18-8.1 openSUSE Tumbleweed:python-demo-2.7.18-8.1 openSUSE Tumbleweed:python-gdbm-2.7.18-8.1 openSUSE Tumbleweed:python-idle-2.7.18-8.1 openSUSE Tumbleweed:python-tk-2.7.18-8.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2011-4944.html CVE-2011-4944 https://bugzilla.suse.com/754447 SUSE Bug 754447 SimpleXMLRPCServer.py in SimpleXMLRPCServer in Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an XML-RPC POST request that contains a smaller amount of data than specified by the Content-Length header. CVE-2012-0845 openSUSE Tumbleweed:python-2.7.18-8.1 openSUSE Tumbleweed:python-32bit-2.7.18-8.1 openSUSE Tumbleweed:python-curses-2.7.18-8.1 openSUSE Tumbleweed:python-demo-2.7.18-8.1 openSUSE Tumbleweed:python-gdbm-2.7.18-8.1 openSUSE Tumbleweed:python-idle-2.7.18-8.1 openSUSE Tumbleweed:python-tk-2.7.18-8.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2012-0845.html CVE-2012-0845 https://bugzilla.suse.com/747125 SUSE Bug 747125 Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. CVE-2012-1150 openSUSE Tumbleweed:python-2.7.18-8.1 openSUSE Tumbleweed:python-32bit-2.7.18-8.1 openSUSE Tumbleweed:python-curses-2.7.18-8.1 openSUSE Tumbleweed:python-demo-2.7.18-8.1 openSUSE Tumbleweed:python-gdbm-2.7.18-8.1 openSUSE Tumbleweed:python-idle-2.7.18-8.1 openSUSE Tumbleweed:python-tk-2.7.18-8.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2012-1150.html CVE-2012-1150 https://bugzilla.suse.com/751718 SUSE Bug 751718 https://bugzilla.suse.com/755383 SUSE Bug 755383 https://bugzilla.suse.com/826682 SUSE Bug 826682 ** REJECT ** Various versions of Python do not properly restrict readline calls, which allows remote attackers to cause a denial of service (memory consumption) via a long string, related to (1) httplib - fixed in 2.7.4, 2.6.9, and 3.3.3; (2) ftplib - fixed in 2.7.6, 2.6.9, 3.3.3; (3) imaplib - not yet fixed in 2.7.x, fixed in 2.6.9, 3.3.3; (4) nntplib - fixed in 2.7.6, 2.6.9, 3.3.3; (5) poplib - not yet fixed in 2.7.x, fixed in 2.6.9, 3.3.3; and (6) smtplib - not yet fixed in 2.7.x, fixed in 2.6.9, not yet fixed in 3.3.x. NOTE: this was REJECTed because it is incompatible with CNT1 "Independently Fixable" in the CVE Counting Decisions. CVE-2013-1752 openSUSE Tumbleweed:python-2.7.18-8.1 openSUSE Tumbleweed:python-32bit-2.7.18-8.1 openSUSE Tumbleweed:python-curses-2.7.18-8.1 openSUSE Tumbleweed:python-demo-2.7.18-8.1 openSUSE Tumbleweed:python-gdbm-2.7.18-8.1 openSUSE Tumbleweed:python-idle-2.7.18-8.1 openSUSE Tumbleweed:python-tk-2.7.18-8.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-1752.html CVE-2013-1752 https://bugzilla.suse.com/856835 SUSE Bug 856835 https://bugzilla.suse.com/856836 SUSE Bug 856836 https://bugzilla.suse.com/863741 SUSE Bug 863741 https://bugzilla.suse.com/885882 SUSE Bug 885882 https://bugzilla.suse.com/898572 SUSE Bug 898572 https://bugzilla.suse.com/912739 SUSE Bug 912739 The gzip_decode function in the xmlrpc client library in Python 3.4 and earlier allows remote attackers to cause a denial of service (memory consumption) via a crafted HTTP request. CVE-2013-1753 openSUSE Tumbleweed:python-2.7.18-8.1 openSUSE Tumbleweed:python-32bit-2.7.18-8.1 openSUSE Tumbleweed:python-curses-2.7.18-8.1 openSUSE Tumbleweed:python-demo-2.7.18-8.1 openSUSE Tumbleweed:python-gdbm-2.7.18-8.1 openSUSE Tumbleweed:python-idle-2.7.18-8.1 openSUSE Tumbleweed:python-tk-2.7.18-8.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-1753.html CVE-2013-1753 https://bugzilla.suse.com/856835 SUSE Bug 856835 Buffer overflow in the socket.recvfrom_into function in Modules/socketmodule.c in Python 2.5 before 2.7.7, 3.x before 3.3.4, and 3.4.x before 3.4rc1 allows remote attackers to execute arbitrary code via a crafted string. CVE-2014-1912 openSUSE Tumbleweed:python-2.7.18-8.1 openSUSE Tumbleweed:python-32bit-2.7.18-8.1 openSUSE Tumbleweed:python-curses-2.7.18-8.1 openSUSE Tumbleweed:python-demo-2.7.18-8.1 openSUSE Tumbleweed:python-gdbm-2.7.18-8.1 openSUSE Tumbleweed:python-idle-2.7.18-8.1 openSUSE Tumbleweed:python-tk-2.7.18-8.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-1912.html CVE-2014-1912 https://bugzilla.suse.com/1049392 SUSE Bug 1049392 https://bugzilla.suse.com/1049422 SUSE Bug 1049422 https://bugzilla.suse.com/863741 SUSE Bug 863741 https://bugzilla.suse.com/882915 SUSE Bug 882915 https://bugzilla.suse.com/912739 SUSE Bug 912739 The CGIHTTPServer module in Python 2.7.5 and 3.3.4 does not properly handle URLs in which URL encoding is used for path separators, which allows remote attackers to read script source code or conduct directory traversal attacks and execute unintended code via a crafted character sequence, as demonstrated by a %2f separator. CVE-2014-4650 openSUSE Tumbleweed:python-2.7.18-8.1 openSUSE Tumbleweed:python-32bit-2.7.18-8.1 openSUSE Tumbleweed:python-curses-2.7.18-8.1 openSUSE Tumbleweed:python-demo-2.7.18-8.1 openSUSE Tumbleweed:python-gdbm-2.7.18-8.1 openSUSE Tumbleweed:python-idle-2.7.18-8.1 openSUSE Tumbleweed:python-tk-2.7.18-8.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-4650.html CVE-2014-4650 https://bugzilla.suse.com/856835 SUSE Bug 856835 https://bugzilla.suse.com/856836 SUSE Bug 856836 https://bugzilla.suse.com/863741 SUSE Bug 863741 https://bugzilla.suse.com/885882 SUSE Bug 885882 https://bugzilla.suse.com/898572 SUSE Bug 898572 https://bugzilla.suse.com/912739 SUSE Bug 912739 Integer overflow in bufferobject.c in Python before 2.7.8 allows context-dependent attackers to obtain sensitive information from process memory via a large size and offset in a "buffer" function. CVE-2014-7185 openSUSE Tumbleweed:python-2.7.18-8.1 openSUSE Tumbleweed:python-32bit-2.7.18-8.1 openSUSE Tumbleweed:python-curses-2.7.18-8.1 openSUSE Tumbleweed:python-demo-2.7.18-8.1 openSUSE Tumbleweed:python-gdbm-2.7.18-8.1 openSUSE Tumbleweed:python-idle-2.7.18-8.1 openSUSE Tumbleweed:python-tk-2.7.18-8.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-7185.html CVE-2014-7185 https://bugzilla.suse.com/898572 SUSE Bug 898572 https://bugzilla.suse.com/912739 SUSE Bug 912739 https://bugzilla.suse.com/913479 SUSE Bug 913479 https://bugzilla.suse.com/955182 SUSE Bug 955182 The CGIHandler class in Python before 2.7.12 does not protect against the HTTP_PROXY variable name clash in a CGI script, which could allow a remote attacker to redirect HTTP requests. CVE-2016-1000110 openSUSE Tumbleweed:python-2.7.18-8.1 openSUSE Tumbleweed:python-32bit-2.7.18-8.1 openSUSE Tumbleweed:python-curses-2.7.18-8.1 openSUSE Tumbleweed:python-demo-2.7.18-8.1 openSUSE Tumbleweed:python-gdbm-2.7.18-8.1 openSUSE Tumbleweed:python-idle-2.7.18-8.1 openSUSE Tumbleweed:python-tk-2.7.18-8.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-1000110.html CVE-2016-1000110 https://bugzilla.suse.com/988484 SUSE Bug 988484 https://bugzilla.suse.com/989523 SUSE Bug 989523 CPython (aka Python) up to 2.7.13 is vulnerable to an integer overflow in the PyString_DecodeEscape function in stringobject.c, resulting in heap-based buffer overflow (and possible arbitrary code execution) CVE-2017-1000158 openSUSE Tumbleweed:python-2.7.18-8.1 openSUSE Tumbleweed:python-32bit-2.7.18-8.1 openSUSE Tumbleweed:python-curses-2.7.18-8.1 openSUSE Tumbleweed:python-demo-2.7.18-8.1 openSUSE Tumbleweed:python-gdbm-2.7.18-8.1 openSUSE Tumbleweed:python-idle-2.7.18-8.1 openSUSE Tumbleweed:python-tk-2.7.18-8.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-1000158.html CVE-2017-1000158 https://bugzilla.suse.com/1068664 SUSE Bug 1068664 ** DISPUTED ** The Wave_read._read_fmt_chunk function in Lib/wave.py in Python through 3.6.4 does not ensure a nonzero channel value, which allows attackers to cause a denial of service (divide-by-zero and exception) via a crafted wav format audio file. NOTE: the vendor disputes this issue because Python applications "need to be prepared to handle a wide variety of exceptions." CVE-2017-18207 openSUSE Tumbleweed:python-2.7.18-8.1 openSUSE Tumbleweed:python-32bit-2.7.18-8.1 openSUSE Tumbleweed:python-curses-2.7.18-8.1 openSUSE Tumbleweed:python-demo-2.7.18-8.1 openSUSE Tumbleweed:python-gdbm-2.7.18-8.1 openSUSE Tumbleweed:python-idle-2.7.18-8.1 openSUSE Tumbleweed:python-tk-2.7.18-8.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-18207.html CVE-2017-18207 https://bugzilla.suse.com/1083507 SUSE Bug 1083507 Python 2.7.14 is vulnerable to a Heap-Buffer-Overflow as well as a Heap-Use-After-Free. Python versions prior to 2.7.14 may also be vulnerable and it appears that Python 2.7.17 and prior may also be vulnerable however this has not been confirmed. The vulnerability lies when multiply threads are handling large amounts of data. In both cases there is essentially a race condition that occurs. For the Heap-Buffer-Overflow, Thread 2 is creating the size for a buffer, but Thread1 is already writing to the buffer without knowing how much to write. So when a large amount of data is being processed, it is very easy to cause memory corruption using a Heap-Buffer-Overflow. As for the Use-After-Free, Thread3->Malloc->Thread1->Free's->Thread2-Re-uses-Free'd Memory. The PSRT has stated that this is not a security vulnerability due to the fact that the attacker must be able to run code, however in some situations, such as function as a service, this vulnerability can potentially be used by an attacker to violate a trust boundary, as such the DWF feels this issue deserves a CVE. CVE-2018-1000030 openSUSE Tumbleweed:python-2.7.18-8.1 openSUSE Tumbleweed:python-32bit-2.7.18-8.1 openSUSE Tumbleweed:python-curses-2.7.18-8.1 openSUSE Tumbleweed:python-demo-2.7.18-8.1 openSUSE Tumbleweed:python-gdbm-2.7.18-8.1 openSUSE Tumbleweed:python-idle-2.7.18-8.1 openSUSE Tumbleweed:python-tk-2.7.18-8.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-1000030.html CVE-2018-1000030 https://bugzilla.suse.com/1079300 SUSE Bug 1079300 Python Software Foundation Python (CPython) version 2.7 contains a CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in shutil module (make_archive function) that can result in Denial of service, Information gain via injection of arbitrary files on the system or entire drive. This attack appear to be exploitable via Passage of unfiltered user input to the function. This vulnerability appears to have been fixed in after commit add531a1e55b0a739b0f42582f1c9747e5649ace. CVE-2018-1000802 openSUSE Tumbleweed:python-2.7.18-8.1 openSUSE Tumbleweed:python-32bit-2.7.18-8.1 openSUSE Tumbleweed:python-curses-2.7.18-8.1 openSUSE Tumbleweed:python-demo-2.7.18-8.1 openSUSE Tumbleweed:python-gdbm-2.7.18-8.1 openSUSE Tumbleweed:python-idle-2.7.18-8.1 openSUSE Tumbleweed:python-tk-2.7.18-8.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-1000802.html CVE-2018-1000802 https://bugzilla.suse.com/1109663 SUSE Bug 1109663 python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable to catastrophic backtracking in pop3lib's apop() method. An attacker could use this flaw to cause denial of service. CVE-2018-1060 openSUSE Tumbleweed:python-2.7.18-8.1 openSUSE Tumbleweed:python-32bit-2.7.18-8.1 openSUSE Tumbleweed:python-curses-2.7.18-8.1 openSUSE Tumbleweed:python-demo-2.7.18-8.1 openSUSE Tumbleweed:python-gdbm-2.7.18-8.1 openSUSE Tumbleweed:python-idle-2.7.18-8.1 openSUSE Tumbleweed:python-tk-2.7.18-8.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-1060.html CVE-2018-1060 https://bugzilla.suse.com/1088009 SUSE Bug 1088009 python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable to catastrophic backtracking in the difflib.IS_LINE_JUNK method. An attacker could use this flaw to cause denial of service. CVE-2018-1061 openSUSE Tumbleweed:python-2.7.18-8.1 openSUSE Tumbleweed:python-32bit-2.7.18-8.1 openSUSE Tumbleweed:python-curses-2.7.18-8.1 openSUSE Tumbleweed:python-demo-2.7.18-8.1 openSUSE Tumbleweed:python-gdbm-2.7.18-8.1 openSUSE Tumbleweed:python-idle-2.7.18-8.1 openSUSE Tumbleweed:python-tk-2.7.18-8.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-1061.html CVE-2018-1061 https://bugzilla.suse.com/1088004 SUSE Bug 1088004 Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat's internal data structures, consuming large amounts CPU and RAM. The vulnerability exists in Python versions 3.7.0, 3.6.0 through 3.6.6, 3.5.0 through 3.5.6, 3.4.0 through 3.4.9, 2.7.0 through 2.7.15. CVE-2018-14647 openSUSE Tumbleweed:python-2.7.18-8.1 openSUSE Tumbleweed:python-32bit-2.7.18-8.1 openSUSE Tumbleweed:python-curses-2.7.18-8.1 openSUSE Tumbleweed:python-demo-2.7.18-8.1 openSUSE Tumbleweed:python-gdbm-2.7.18-8.1 openSUSE Tumbleweed:python-idle-2.7.18-8.1 openSUSE Tumbleweed:python-tk-2.7.18-8.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-14647.html CVE-2018-14647 https://bugzilla.suse.com/1109847 SUSE Bug 1109847 https://bugzilla.suse.com/1126909 SUSE Bug 1126909 http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker. This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3. CVE-2018-20852 openSUSE Tumbleweed:python-2.7.18-8.1 openSUSE Tumbleweed:python-32bit-2.7.18-8.1 openSUSE Tumbleweed:python-curses-2.7.18-8.1 openSUSE Tumbleweed:python-demo-2.7.18-8.1 openSUSE Tumbleweed:python-gdbm-2.7.18-8.1 openSUSE Tumbleweed:python-idle-2.7.18-8.1 openSUSE Tumbleweed:python-tk-2.7.18-8.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-20852.html CVE-2018-20852 https://bugzilla.suse.com/1141853 SUSE Bug 1141853 A security regression of CVE-2019-9636 was discovered in python since commit d537ab0ff9767ef024f26246899728f0116b1ec3 affecting versions 2.7, 3.5, 3.6, 3.7 and from v3.8.0a4 through v3.8.0b1, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application. CVE-2019-10160 openSUSE Tumbleweed:python-2.7.18-8.1 openSUSE Tumbleweed:python-32bit-2.7.18-8.1 openSUSE Tumbleweed:python-curses-2.7.18-8.1 openSUSE Tumbleweed:python-demo-2.7.18-8.1 openSUSE Tumbleweed:python-gdbm-2.7.18-8.1 openSUSE Tumbleweed:python-idle-2.7.18-8.1 openSUSE Tumbleweed:python-tk-2.7.18-8.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-10160.html CVE-2019-10160 https://bugzilla.suse.com/1138459 SUSE Bug 1138459 An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally. CVE-2019-16056 openSUSE Tumbleweed:python-2.7.18-8.1 openSUSE Tumbleweed:python-32bit-2.7.18-8.1 openSUSE Tumbleweed:python-curses-2.7.18-8.1 openSUSE Tumbleweed:python-demo-2.7.18-8.1 openSUSE Tumbleweed:python-gdbm-2.7.18-8.1 openSUSE Tumbleweed:python-idle-2.7.18-8.1 openSUSE Tumbleweed:python-tk-2.7.18-8.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-16056.html CVE-2019-16056 https://bugzilla.suse.com/1149955 SUSE Bug 1149955 The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server. CVE-2019-16935 openSUSE Tumbleweed:python-2.7.18-8.1 openSUSE Tumbleweed:python-32bit-2.7.18-8.1 openSUSE Tumbleweed:python-curses-2.7.18-8.1 openSUSE Tumbleweed:python-demo-2.7.18-8.1 openSUSE Tumbleweed:python-gdbm-2.7.18-8.1 openSUSE Tumbleweed:python-idle-2.7.18-8.1 openSUSE Tumbleweed:python-tk-2.7.18-8.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-16935.html CVE-2019-16935 https://bugzilla.suse.com/1153238 SUSE Bug 1153238 An issue was discovered in urllib2 in Python 2.x through 2.7.17 and urllib in Python 3.x through 3.8.0. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the host component of a URL) followed by an HTTP header. This is similar to the CVE-2019-9740 query string issue and the CVE-2019-9947 path string issue. (This is not exploitable when glibc has CVE-2016-10739 fixed.). This is fixed in: v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1; v3.6.11, v3.6.11rc1, v3.6.12; v3.7.8, v3.7.8rc1, v3.7.9; v3.8.3, v3.8.3rc1, v3.8.4, v3.8.4rc1, v3.8.5, v3.8.6, v3.8.6rc1. CVE-2019-18348 openSUSE Tumbleweed:python-2.7.18-8.1 openSUSE Tumbleweed:python-32bit-2.7.18-8.1 openSUSE Tumbleweed:python-curses-2.7.18-8.1 openSUSE Tumbleweed:python-demo-2.7.18-8.1 openSUSE Tumbleweed:python-gdbm-2.7.18-8.1 openSUSE Tumbleweed:python-idle-2.7.18-8.1 openSUSE Tumbleweed:python-tk-2.7.18-8.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-18348.html CVE-2019-18348 https://bugzilla.suse.com/1155094 SUSE Bug 1155094 An exploitable denial-of-service vulnerability exists in the X509 certificate parser of Python.org Python 2.7.11 / 3.6.6. A specially crafted X509 certificate can cause a NULL pointer dereference, resulting in a denial of service. An attacker can initiate or accept TLS connections using crafted certificates to trigger this vulnerability. CVE-2019-5010 openSUSE Tumbleweed:python-2.7.18-8.1 openSUSE Tumbleweed:python-32bit-2.7.18-8.1 openSUSE Tumbleweed:python-curses-2.7.18-8.1 openSUSE Tumbleweed:python-demo-2.7.18-8.1 openSUSE Tumbleweed:python-gdbm-2.7.18-8.1 openSUSE Tumbleweed:python-idle-2.7.18-8.1 openSUSE Tumbleweed:python-tk-2.7.18-8.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-5010.html CVE-2019-5010 https://bugzilla.suse.com/1122191 SUSE Bug 1122191 https://bugzilla.suse.com/1126909 SUSE Bug 1126909 Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.7, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.3, v3.7.3rc1, v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9. CVE-2019-9636 openSUSE Tumbleweed:python-2.7.18-8.1 openSUSE Tumbleweed:python-32bit-2.7.18-8.1 openSUSE Tumbleweed:python-curses-2.7.18-8.1 openSUSE Tumbleweed:python-demo-2.7.18-8.1 openSUSE Tumbleweed:python-gdbm-2.7.18-8.1 openSUSE Tumbleweed:python-idle-2.7.18-8.1 openSUSE Tumbleweed:python-tk-2.7.18-8.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-9636.html CVE-2019-9636 https://bugzilla.suse.com/1129346 SUSE Bug 1129346 https://bugzilla.suse.com/1135433 SUSE Bug 1135433 https://bugzilla.suse.com/1138459 SUSE Bug 1138459 https://bugzilla.suse.com/1145004 SUSE Bug 1145004 Lib/zipfile.py in Python through 3.7.2 allows remote attackers to cause a denial of service (resource consumption) via a ZIP bomb. CVE-2019-9674 openSUSE Tumbleweed:python-2.7.18-8.1 openSUSE Tumbleweed:python-32bit-2.7.18-8.1 openSUSE Tumbleweed:python-curses-2.7.18-8.1 openSUSE Tumbleweed:python-demo-2.7.18-8.1 openSUSE Tumbleweed:python-gdbm-2.7.18-8.1 openSUSE Tumbleweed:python-idle-2.7.18-8.1 openSUSE Tumbleweed:python-tk-2.7.18-8.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-9674.html CVE-2019-9674 https://bugzilla.suse.com/1162825 SUSE Bug 1162825 An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9. CVE-2019-9947 openSUSE Tumbleweed:python-2.7.18-8.1 openSUSE Tumbleweed:python-32bit-2.7.18-8.1 openSUSE Tumbleweed:python-curses-2.7.18-8.1 openSUSE Tumbleweed:python-demo-2.7.18-8.1 openSUSE Tumbleweed:python-gdbm-2.7.18-8.1 openSUSE Tumbleweed:python-idle-2.7.18-8.1 openSUSE Tumbleweed:python-tk-2.7.18-8.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-9947.html CVE-2019-9947 https://bugzilla.suse.com/1130840 SUSE Bug 1130840 https://bugzilla.suse.com/1136184 SUSE Bug 1136184 https://bugzilla.suse.com/1155094 SUSE Bug 1155094 https://bugzilla.suse.com/1201559 SUSE Bug 1201559 urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call. CVE-2019-9948 openSUSE Tumbleweed:python-2.7.18-8.1 openSUSE Tumbleweed:python-32bit-2.7.18-8.1 openSUSE Tumbleweed:python-curses-2.7.18-8.1 openSUSE Tumbleweed:python-demo-2.7.18-8.1 openSUSE Tumbleweed:python-gdbm-2.7.18-8.1 openSUSE Tumbleweed:python-idle-2.7.18-8.1 openSUSE Tumbleweed:python-tk-2.7.18-8.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-9948.html CVE-2019-9948 https://bugzilla.suse.com/1130847 SUSE Bug 1130847 https://bugzilla.suse.com/1135433 SUSE Bug 1135433 Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking. CVE-2020-8492 openSUSE Tumbleweed:python-2.7.18-8.1 openSUSE Tumbleweed:python-32bit-2.7.18-8.1 openSUSE Tumbleweed:python-curses-2.7.18-8.1 openSUSE Tumbleweed:python-demo-2.7.18-8.1 openSUSE Tumbleweed:python-gdbm-2.7.18-8.1 openSUSE Tumbleweed:python-idle-2.7.18-8.1 openSUSE Tumbleweed:python-tk-2.7.18-8.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-8492.html CVE-2020-8492 https://bugzilla.suse.com/1162367 SUSE Bug 1162367 The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter. CVE-2021-23336 openSUSE Tumbleweed:python-2.7.18-8.1 openSUSE Tumbleweed:python-32bit-2.7.18-8.1 openSUSE Tumbleweed:python-curses-2.7.18-8.1 openSUSE Tumbleweed:python-demo-2.7.18-8.1 openSUSE Tumbleweed:python-gdbm-2.7.18-8.1 openSUSE Tumbleweed:python-idle-2.7.18-8.1 openSUSE Tumbleweed:python-tk-2.7.18-8.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-23336.html CVE-2021-23336 https://bugzilla.suse.com/1182179 SUSE Bug 1182179 https://bugzilla.suse.com/1182379 SUSE Bug 1182379 https://bugzilla.suse.com/1182433 SUSE Bug 1182433 Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param. This occurs because sprintf is used unsafely. CVE-2021-3177 openSUSE Tumbleweed:python-2.7.18-8.1 openSUSE Tumbleweed:python-32bit-2.7.18-8.1 openSUSE Tumbleweed:python-curses-2.7.18-8.1 openSUSE Tumbleweed:python-demo-2.7.18-8.1 openSUSE Tumbleweed:python-gdbm-2.7.18-8.1 openSUSE Tumbleweed:python-idle-2.7.18-8.1 openSUSE Tumbleweed:python-tk-2.7.18-8.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-3177.html CVE-2021-3177 https://bugzilla.suse.com/1181126 SUSE Bug 1181126 There's a flaw in urllib's AbstractBasicAuthHandler class. An attacker who controls a malicious HTTP server that an HTTP client (such as web browser) connects to, could trigger a Regular Expression Denial of Service (ReDOS) during an authentication request with a specially crafted payload that is sent by the server to the client. The greatest threat that this flaw poses is to application availability. CVE-2021-3733 openSUSE Tumbleweed:python-2.7.18-8.1 openSUSE Tumbleweed:python-32bit-2.7.18-8.1 openSUSE Tumbleweed:python-curses-2.7.18-8.1 openSUSE Tumbleweed:python-demo-2.7.18-8.1 openSUSE Tumbleweed:python-gdbm-2.7.18-8.1 openSUSE Tumbleweed:python-idle-2.7.18-8.1 openSUSE Tumbleweed:python-tk-2.7.18-8.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-3733.html CVE-2021-3733 https://bugzilla.suse.com/1189287 SUSE Bug 1189287 A flaw was found in python. An improperly handled HTTP response in the HTTP client code of python may allow a remote attacker, who controls the HTTP server, to make the client script enter an infinite loop, consuming CPU time. The highest threat from this vulnerability is to system availability. CVE-2021-3737 openSUSE Tumbleweed:python-2.7.18-8.1 openSUSE Tumbleweed:python-32bit-2.7.18-8.1 openSUSE Tumbleweed:python-curses-2.7.18-8.1 openSUSE Tumbleweed:python-demo-2.7.18-8.1 openSUSE Tumbleweed:python-gdbm-2.7.18-8.1 openSUSE Tumbleweed:python-idle-2.7.18-8.1 openSUSE Tumbleweed:python-tk-2.7.18-8.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-3737.html CVE-2021-3737 https://bugzilla.suse.com/1189241 SUSE Bug 1189241