Security update for python-tablib
SUSE Patch
security@suse.de
SUSE Security Team
SUSE-SU-2017:2105-1
Final
1
1
2017-08-08T13:27:51Z
current
2017-08-08T13:27:51Z
2017-08-08T13:27:51Z
cve-database/bin/generate-cvrf.pl
2017-02-24T01:00:00Z
Security update for python-tablib
This update for python-tablib fixes the following issues:
- CVE-2017-2810: Use yaml.safe_load and yaml.safe_dump instead of yaml.load and yaml.dump, so that importing attacker-supplied YAML data can no longer execute arbitrary Python code (bsc#1044329)
The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
SUSE-OpenStack-Cloud-6-2017-1306,SUSE-OpenStack-Cloud-7-2017-1306,SUSE-SLE-Module-Public-Cloud-12-2017-1306
Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0)
https://www.suse.com/support/update/announcement/2017/suse-su-20172105-1/
Link for SUSE-SU-2017:2105-1
https://lists.suse.com/pipermail/sle-security-updates/2017-August/003121.html
E-Mail link for SUSE-SU-2017:2105-1
https://www.suse.com/support/security/rating/
SUSE Security Ratings
https://bugzilla.suse.com/1044329
SUSE Bug 1044329
https://www.suse.com/security/cve/CVE-2017-2810/
SUSE CVE CVE-2017-2810 page
SUSE Linux Enterprise Module for Public Cloud 12
SUSE OpenStack Cloud 6
SUSE OpenStack Cloud 7
python-tablib-0.9.11-3.1
python-tablib-0.9.11-3.1 as a component of SUSE Linux Enterprise Module for Public Cloud 12
python-tablib-0.9.11-3.1 as a component of SUSE OpenStack Cloud 6
python-tablib-0.9.11-3.1 as a component of SUSE OpenStack Cloud 7
An exploitable vulnerability exists in the Databook loading functionality of Tablib 0.11.4. A Databook loaded from YAML can execute arbitrary Python code, resulting in command execution, because the document is parsed with yaml.load rather than yaml.safe_load. An attacker can insert Python object tags into the loaded YAML to trigger this vulnerability.
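The following is an added illustration, not code from tablib, PyYAML or this advisory, of the loader difference the fix relies on: the pre-fix yaml.load pattern that lets a Databook document name and run a Python callable, the yaml.safe_load pattern that rejects the same document, and the matching yaml.dump/yaml.safe_dump difference on the export side. It assumes PyYAML is installed. The two Databook-shaped documents are constructed for this example; the malicious one calls os.getpid() as a harmless stand-in for os.system so the effect can be checked against the current process. The Sheet class and the function names are illustrative, not tablib's API.

```python
import os
import yaml

# Constructed attacker-controlled Databook document (not taken from any real
# exploit). The python/object/apply tag asks the full loader to import `os`
# and call os.getpid() during parsing. A real payload would name os.system or
# subprocess.check_output instead; getpid is used so the example is harmless
# and its effect can be checked against the current process.
MALICIOUS_BOOK = """\
- title: Sheet 1
  data:
    - name: !!python/object/apply:os.getpid []
"""

# Constructed benign document in the same Databook layout.
BENIGN_BOOK = """\
- title: Sheet 1
  data:
    - name: alice
      age: 30
"""


def unsafe_import(text):
    """Pre-fix pattern: the full loader (yaml.Loader) honours python/* tags,
    so whatever callable the document names is imported and invoked.
    Returns the parsed book, which already contains the call's result."""
    return yaml.load(text, Loader=yaml.Loader)


def unsafe_import_ran_code(text):
    """True if parsing `text` with the full loader executed os.getpid(),
    i.e. the document, not the application, chose what Python ran."""
    book = unsafe_import(text)
    return book[0]["data"][0]["name"] == os.getpid()


def safe_import(text):
    """Post-fix pattern: yaml.safe_load only knows the core YAML types, so a
    python/* tag is rejected with ConstructorError before anything runs.
    Returns (book, None) on success or (None, reason) when refused."""
    try:
        return yaml.safe_load(text), None
    except yaml.YAMLError as exc:
        return None, str(exc)


class Sheet:
    """Stand-in for an arbitrary application object that ends up in a book."""

    def __init__(self, title):
        self.title = title


def export(obj, safe):
    """yaml.dump serialises Sheet with a !!python/object tag that only the
    unsafe loader can read back; yaml.safe_dump refuses it, so its output
    always round-trips through yaml.safe_load. Returns (text, error)."""
    try:
        text = yaml.safe_dump(obj) if safe else yaml.dump(obj)
        return text, None
    except yaml.YAMLError as exc:
        return None, str(exc)


if __name__ == "__main__":
    print("unsafe loader executed os.getpid():",
          unsafe_import_ran_code(MALICIOUS_BOOK))
    book, err = safe_import(MALICIOUS_BOOK)
    print("safe_load refused it:", book is None, "->", err.splitlines()[0])
    print("safe_load parsed benign book:", safe_import(BENIGN_BOOK)[0])
    print("yaml.dump of an object:", export(Sheet("x"), safe=False)[0].strip())
    print("safe_dump of an object:", export(Sheet("x"), safe=True)[1])
```

PyYAML releases before 5.1 made yaml.load() default to the same full Loader used above, which is why a bare yaml.load(stream) in an importer was enough to expose this; the explicit Loader= argument here only makes that choice visible. The safe_dump half matters because anything the application writes with yaml.dump may carry python/* tags that its own safe_load will later refuse, so switching both sides together is what keeps the format round-trippable.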
CVE-2017-2810
SUSE Linux Enterprise Module for Public Cloud 12:python-tablib-0.9.11-3.1
SUSE OpenStack Cloud 6:python-tablib-0.9.11-3.1
SUSE OpenStack Cloud 7:python-tablib-0.9.11-3.1
Severity rating: moderate
CVSS v2 base score: 7.6
CVSS v2 vector: AV:N/AC:H/Au:N/C:C/I:C/A:C
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
https://www.suse.com/security/cve/CVE-2017-2810.html
CVE-2017-2810