python-2.7.18-38.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:13236-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z python-2.7.18-38.1 on GA media These are all security issues fixed in the python-2.7.18-38.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-13236 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2023-40217/ SUSE CVE CVE-2023-40217 page openSUSE Tumbleweed python-2.7.18-38.1 python-32bit-2.7.18-38.1 python-curses-2.7.18-38.1 python-demo-2.7.18-38.1 python-gdbm-2.7.18-38.1 python-idle-2.7.18-38.1 python-tk-2.7.18-38.1 python-2.7.18-38.1 as a component of openSUSE Tumbleweed python-32bit-2.7.18-38.1 as a component of openSUSE Tumbleweed python-curses-2.7.18-38.1 as a component of openSUSE Tumbleweed python-demo-2.7.18-38.1 as a component of openSUSE Tumbleweed python-gdbm-2.7.18-38.1 as a component of openSUSE Tumbleweed python-idle-2.7.18-38.1 as a component of openSUSE Tumbleweed python-tk-2.7.18-38.1 as a component of openSUSE Tumbleweed An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as "not connected" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket.) CVE-2023-40217 openSUSE Tumbleweed:python-2.7.18-38.1 openSUSE Tumbleweed:python-32bit-2.7.18-38.1 openSUSE Tumbleweed:python-curses-2.7.18-38.1 openSUSE Tumbleweed:python-demo-2.7.18-38.1 openSUSE Tumbleweed:python-gdbm-2.7.18-38.1 openSUSE Tumbleweed:python-idle-2.7.18-38.1 openSUSE Tumbleweed:python-tk-2.7.18-38.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-40217.html CVE-2023-40217 https://bugzilla.suse.com/1214692 SUSE Bug 1214692 https://bugzilla.suse.com/1217524 SUSE Bug 1217524 https://bugzilla.suse.com/1218319 SUSE Bug 1218319 https://bugzilla.suse.com/1218476 SUSE Bug 1218476 https://bugzilla.suse.com/1218965 SUSE Bug 1218965 https://bugzilla.suse.com/1219472 SUSE Bug 1219472 https://bugzilla.suse.com/1219713 SUSE Bug 1219713 https://bugzilla.suse.com/1221582 SUSE Bug 1221582 https://bugzilla.suse.com/1224883 SUSE Bug 1224883