python38-3.8.20-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:14340-1 Final 1 1 2024-09-17T00:00:00Z current 2024-09-17T00:00:00Z 2024-09-17T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z python38-3.8.20-1.1 on GA media These are all security issues fixed in the python38-3.8.20-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-14340 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/EB3HULWLZQ24PRVM3P2LCSJ3IJUISSTW/ E-Mail link for openSUSE-SU-2024:14340-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2024-4030/ SUSE CVE CVE-2024-4030 page https://www.suse.com/security/cve/CVE-2024-6232/ SUSE CVE CVE-2024-6232 page openSUSE Tumbleweed python38-3.8.20-1.1 python38-curses-3.8.20-1.1 python38-dbm-3.8.20-1.1 python38-idle-3.8.20-1.1 python38-tk-3.8.20-1.1 python38-3.8.20-1.1 as a component of openSUSE Tumbleweed python38-curses-3.8.20-1.1 as a component of openSUSE Tumbleweed python38-dbm-3.8.20-1.1 as a component of openSUSE Tumbleweed python38-idle-3.8.20-1.1 as a component of openSUSE Tumbleweed python38-tk-3.8.20-1.1 as a component of openSUSE Tumbleweed On Windows a directory returned by tempfile.mkdtemp() would not always have permissions set to restrict reading and writing to the temporary directory by other users, instead usually inheriting the correct permissions from the default location. Alternate configurations or users without a profile directory may not have the intended permissions. If you're not using Windows or haven't changed the temporary directory location then you aren't affected by this vulnerability. On other platforms the returned directory is consistently readable and writable only by the current user. This issue was caused by Python not supporting Unix permissions on Windows. The fix adds support for Unix "700" for the mkdir function on Windows which is used by mkdtemp() to ensure the newly created directory has the proper permissions. CVE-2024-4030 openSUSE Tumbleweed:python38-3.8.20-1.1 openSUSE Tumbleweed:python38-curses-3.8.20-1.1 openSUSE Tumbleweed:python38-dbm-3.8.20-1.1 openSUSE Tumbleweed:python38-idle-3.8.20-1.1 openSUSE Tumbleweed:python38-tk-3.8.20-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/EB3HULWLZQ24PRVM3P2LCSJ3IJUISSTW/ https://www.suse.com/security/cve/CVE-2024-4030.html CVE-2024-4030 https://bugzilla.suse.com/1227152 SUSE Bug 1227152 There is a MEDIUM severity vulnerability affecting CPython. Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives. CVE-2024-6232 openSUSE Tumbleweed:python38-3.8.20-1.1 openSUSE Tumbleweed:python38-curses-3.8.20-1.1 openSUSE Tumbleweed:python38-dbm-3.8.20-1.1 openSUSE Tumbleweed:python38-idle-3.8.20-1.1 openSUSE Tumbleweed:python38-tk-3.8.20-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/EB3HULWLZQ24PRVM3P2LCSJ3IJUISSTW/ https://www.suse.com/security/cve/CVE-2024-6232.html CVE-2024-6232 https://bugzilla.suse.com/1230227 SUSE Bug 1230227