Security update for python-zipp SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2024:2397-1 Final 1 1 2024-07-11T02:04:34Z current 2024-07-11T02:04:34Z 2024-07-11T02:04:34Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for python-zipp This update for python-zipp fixes the following issues: - CVE-2024-5569: Fixed DoS vulnerability when processing a specially crafted zip file (bsc#1227547). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Container containers/open-webui:0-2024-2397,Image SLES15-SP6-Azure-Basic-2024-2397,Image SLES15-SP6-Azure-Standard-2024-2397,Image SLES15-SP6-BYOS-Azure-2024-2397,Image SLES15-SP6-HPC-2024-2397,Image SLES15-SP6-HPC-Azure-2024-2397,Image SLES15-SP6-HPC-BYOS-Azure-2024-2397,Image SLES15-SP6-Hardened-BYOS-Azure-2024-2397,Image SLES15-SP6-SAP-Azure-2024-2397,Image SLES15-SP6-SAP-BYOS-Azure-2024-2397,Image SLES15-SP6-SAP-Hardened-2024-2397,Image SLES15-SP6-SAP-Hardened-Azure-2024-2397,Image SLES15-SP6-SAP-Hardened-BYOS-Azure-2024-2397,Image SLES15-SP6-SAPCAL-Azure-2024-2397,SUSE-2024-2397,SUSE-SLE-Module-Python3-15-SP6-2024-2397,openSUSE-SLE-15.6-2024-2397 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2024/suse-su-20242397-1/ Link for SUSE-SU-2024:2397-1 https://lists.suse.com/pipermail/sle-updates/2024-July/035932.html E-Mail link for SUSE-SU-2024:2397-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1227547 SUSE Bug 1227547 https://www.suse.com/security/cve/CVE-2024-5569/ SUSE CVE CVE-2024-5569 page Container containers/open-webui:0 Image SLES15-SP6-Azure-Basic Image SLES15-SP6-Azure-Standard Image SLES15-SP6-BYOS-Azure Image SLES15-SP6-HPC Image SLES15-SP6-HPC-Azure Image SLES15-SP6-HPC-BYOS-Azure Image SLES15-SP6-Hardened-BYOS-Azure Image SLES15-SP6-SAP-Azure Image SLES15-SP6-SAP-BYOS-Azure Image SLES15-SP6-SAP-Hardened Image SLES15-SP6-SAP-Hardened-Azure Image SLES15-SP6-SAP-Hardened-BYOS-Azure Image SLES15-SP6-SAPCAL-Azure SUSE Linux Enterprise Module for Python 3 15 SP6 openSUSE Leap 15.6 python311-zipp-3.17.0-150600.3.3.1 python311-zipp-3.17.0-150600.3.3.1 as a component of Container containers/open-webui:0 python311-zipp-3.17.0-150600.3.3.1 as a component of Image SLES15-SP6-Azure-Basic python311-zipp-3.17.0-150600.3.3.1 as a component of Image SLES15-SP6-Azure-Standard python311-zipp-3.17.0-150600.3.3.1 as a component of Image SLES15-SP6-BYOS-Azure python311-zipp-3.17.0-150600.3.3.1 as a component of Image SLES15-SP6-HPC python311-zipp-3.17.0-150600.3.3.1 as a component of Image SLES15-SP6-HPC-Azure python311-zipp-3.17.0-150600.3.3.1 as a component of Image SLES15-SP6-HPC-BYOS-Azure python311-zipp-3.17.0-150600.3.3.1 as a component of Image SLES15-SP6-Hardened-BYOS-Azure python311-zipp-3.17.0-150600.3.3.1 as a component of Image SLES15-SP6-SAP-Azure python311-zipp-3.17.0-150600.3.3.1 as a component of Image SLES15-SP6-SAP-BYOS-Azure python311-zipp-3.17.0-150600.3.3.1 as a component of Image SLES15-SP6-SAP-Hardened python311-zipp-3.17.0-150600.3.3.1 as a component of Image SLES15-SP6-SAP-Hardened-Azure python311-zipp-3.17.0-150600.3.3.1 as a component of Image SLES15-SP6-SAP-Hardened-BYOS-Azure python311-zipp-3.17.0-150600.3.3.1 as a component of Image SLES15-SP6-SAPCAL-Azure python311-zipp-3.17.0-150600.3.3.1 as a component of SUSE Linux Enterprise Module for Python 3 15 SP6 python311-zipp-3.17.0-150600.3.3.1 as a component of openSUSE Leap 15.6 A Denial of Service (DoS) vulnerability exists in the jaraco/zipp library, affecting all versions prior to 3.19.1. The vulnerability is triggered when processing a specially crafted zip file that leads to an infinite loop. This issue also impacts the zipfile module of CPython, as features from the third-party zipp library are later merged into CPython, and the affected code is identical in both projects. The infinite loop can be initiated through the use of functions affecting the `Path` module in both zipp and zipfile, such as `joinpath`, the overloaded division operator, and `iterdir`. Although the infinite loop is not resource exhaustive, it prevents the application from responding. The vulnerability was addressed in version 3.19.1 of jaraco/zipp. CVE-2024-5569 Container containers/open-webui:0:python311-zipp-3.17.0-150600.3.3.1 Image SLES15-SP6-Azure-Basic:python311-zipp-3.17.0-150600.3.3.1 Image SLES15-SP6-Azure-Standard:python311-zipp-3.17.0-150600.3.3.1 Image SLES15-SP6-BYOS-Azure:python311-zipp-3.17.0-150600.3.3.1 Image SLES15-SP6-HPC-Azure:python311-zipp-3.17.0-150600.3.3.1 Image SLES15-SP6-HPC-BYOS-Azure:python311-zipp-3.17.0-150600.3.3.1 Image SLES15-SP6-HPC:python311-zipp-3.17.0-150600.3.3.1 Image SLES15-SP6-Hardened-BYOS-Azure:python311-zipp-3.17.0-150600.3.3.1 Image SLES15-SP6-SAP-Azure:python311-zipp-3.17.0-150600.3.3.1 Image SLES15-SP6-SAP-BYOS-Azure:python311-zipp-3.17.0-150600.3.3.1 Image SLES15-SP6-SAP-Hardened-Azure:python311-zipp-3.17.0-150600.3.3.1 Image SLES15-SP6-SAP-Hardened-BYOS-Azure:python311-zipp-3.17.0-150600.3.3.1 Image SLES15-SP6-SAP-Hardened:python311-zipp-3.17.0-150600.3.3.1 Image SLES15-SP6-SAPCAL-Azure:python311-zipp-3.17.0-150600.3.3.1 SUSE Linux Enterprise Module for Python 3 15 SP6:python311-zipp-3.17.0-150600.3.3.1 openSUSE Leap 15.6:python311-zipp-3.17.0-150600.3.3.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242397-1/ https://www.suse.com/security/cve/CVE-2024-5569.html CVE-2024-5569 https://bugzilla.suse.com/1227547 SUSE Bug 1227547