Security update for python3 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2024:3760-1 Final 1 1 2024-10-28T03:33:33Z current 2024-10-28T03:33:33Z 2024-10-28T03:33:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for python3 This update for python3 fixes the following issues: Security fixes: - CVE-2024-9287: properly quote path names provided when creating a virtual environment (bsc#1232241) Other fixes: - Drop .pyc files from docdir for reproducible builds (bsc#1230906) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2024-3760,SUSE-SUSE-MicroOS-5.1-2024-3760 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2024/suse-su-20243760-1/ Link for SUSE-SU-2024:3760-1 https://lists.suse.com/pipermail/sle-security-updates/2024-October/019680.html E-Mail link for SUSE-SU-2024:3760-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1230906 SUSE Bug 1230906 https://bugzilla.suse.com/1232241 SUSE Bug 1232241 https://www.suse.com/security/cve/CVE-2024-9287/ SUSE CVE CVE-2024-9287 page SUSE Linux Enterprise Micro 5.1 libpython3_6m1_0-3.6.15-150000.3.164.1 libpython3_6m1_0-32bit-3.6.15-150000.3.164.1 libpython3_6m1_0-64bit-3.6.15-150000.3.164.1 python3-3.6.15-150000.3.164.1 python3-base-3.6.15-150000.3.164.1 python3-curses-3.6.15-150000.3.164.1 python3-dbm-3.6.15-150000.3.164.1 python3-devel-3.6.15-150000.3.164.1 python3-doc-3.6.15-150000.3.164.1 python3-doc-devhelp-3.6.15-150000.3.164.1 python3-idle-3.6.15-150000.3.164.1 python3-testsuite-3.6.15-150000.3.164.1 python3-tk-3.6.15-150000.3.164.1 python3-tools-3.6.15-150000.3.164.1 libpython3_6m1_0-3.6.15-150000.3.164.1 as a component of SUSE Linux Enterprise Micro 5.1 python3-3.6.15-150000.3.164.1 as a component of SUSE Linux Enterprise Micro 5.1 python3-base-3.6.15-150000.3.164.1 as a component of SUSE Linux Enterprise Micro 5.1 A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment "activation" scripts (ie "source venv/bin/activate"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie "./venv/bin/python") are not affected. CVE-2024-9287 SUSE Linux Enterprise Micro 5.1:libpython3_6m1_0-3.6.15-150000.3.164.1 SUSE Linux Enterprise Micro 5.1:python3-3.6.15-150000.3.164.1 SUSE Linux Enterprise Micro 5.1:python3-base-3.6.15-150000.3.164.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20243760-1/ https://www.suse.com/security/cve/CVE-2024-9287.html CVE-2024-9287 https://bugzilla.suse.com/1232241 SUSE Bug 1232241