Security update for python3 SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2019:0155-1 Final 1 1 2019-03-23T10:55:06Z current 2019-03-23T10:55:06Z 2019-03-23T10:55:06Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for python3 This update for python3 fixes the following issues: Security issue fixed: - CVE-2019-5010: Fixed a denial-of-service vulnerability in the X509 certificate parser (bsc#1122191) - CVE-2018-20406: Fixed a integer overflow via a large LONG_BINPUT (bsc#1120644) This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2019-155 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NY6OZIHZM76MZKDRQYP5AGGMPDVFH6AL/#NY6OZIHZM76MZKDRQYP5AGGMPDVFH6AL E-Mail link for openSUSE-SU-2019:0155-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1120644 SUSE Bug 1120644 https://bugzilla.suse.com/1122191 SUSE Bug 1122191 https://www.suse.com/security/cve/CVE-2018-20406/ SUSE CVE CVE-2018-20406 page https://www.suse.com/security/cve/CVE-2019-5010/ SUSE CVE CVE-2019-5010 page openSUSE Leap 15.0 libpython3_6m1_0-3.6.5-lp150.2.6.1 libpython3_6m1_0-32bit-3.6.5-lp150.2.6.1 python3-3.6.5-lp150.2.6.1 python3-32bit-3.6.5-lp150.2.6.1 python3-base-3.6.5-lp150.2.6.1 python3-base-32bit-3.6.5-lp150.2.6.1 python3-curses-3.6.5-lp150.2.6.1 python3-dbm-3.6.5-lp150.2.6.1 python3-devel-3.6.5-lp150.2.6.1 python3-doc-3.6.5-lp150.2.6.1 python3-idle-3.6.5-lp150.2.6.1 python3-testsuite-3.6.5-lp150.2.6.1 python3-tk-3.6.5-lp150.2.6.1 python3-tools-3.6.5-lp150.2.6.1 libpython3_6m1_0-3.6.5-lp150.2.6.1 as a component of openSUSE Leap 15.0 libpython3_6m1_0-32bit-3.6.5-lp150.2.6.1 as a component of openSUSE Leap 15.0 python3-3.6.5-lp150.2.6.1 as a component of openSUSE Leap 15.0 python3-32bit-3.6.5-lp150.2.6.1 as a component of openSUSE Leap 15.0 python3-base-3.6.5-lp150.2.6.1 as a component of openSUSE Leap 15.0 python3-base-32bit-3.6.5-lp150.2.6.1 as a component of openSUSE Leap 15.0 python3-curses-3.6.5-lp150.2.6.1 as a component of openSUSE Leap 15.0 python3-dbm-3.6.5-lp150.2.6.1 as a component of openSUSE Leap 15.0 python3-devel-3.6.5-lp150.2.6.1 as a component of openSUSE Leap 15.0 python3-doc-3.6.5-lp150.2.6.1 as a component of openSUSE Leap 15.0 python3-idle-3.6.5-lp150.2.6.1 as a component of openSUSE Leap 15.0 python3-testsuite-3.6.5-lp150.2.6.1 as a component of openSUSE Leap 15.0 python3-tk-3.6.5-lp150.2.6.1 as a component of openSUSE Leap 15.0 python3-tools-3.6.5-lp150.2.6.1 as a component of openSUSE Leap 15.0 Modules/_pickle.c in Python before 3.7.1 has an integer overflow via a large LONG_BINPUT value that is mishandled during a "resize to twice the size" attempt. This issue might cause memory exhaustion, but is only relevant if the pickle format is used for serializing tens or hundreds of gigabytes of data. This issue is fixed in: v3.4.10, v3.4.10rc1; v3.5.10, v3.5.10rc1, v3.5.7, v3.5.7rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.7, v3.6.7rc1, v3.6.7rc2, v3.6.8, v3.6.8rc1, v3.6.9, v3.6.9rc1; v3.7.1, v3.7.1rc1, v3.7.1rc2, v3.7.2, v3.7.2rc1, v3.7.3, v3.7.3rc1, v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9. CVE-2018-20406 openSUSE Leap 15.0:libpython3_6m1_0-3.6.5-lp150.2.6.1 openSUSE Leap 15.0:libpython3_6m1_0-32bit-3.6.5-lp150.2.6.1 openSUSE Leap 15.0:python3-3.6.5-lp150.2.6.1 openSUSE Leap 15.0:python3-32bit-3.6.5-lp150.2.6.1 openSUSE Leap 15.0:python3-base-3.6.5-lp150.2.6.1 openSUSE Leap 15.0:python3-base-32bit-3.6.5-lp150.2.6.1 openSUSE Leap 15.0:python3-curses-3.6.5-lp150.2.6.1 openSUSE Leap 15.0:python3-dbm-3.6.5-lp150.2.6.1 openSUSE Leap 15.0:python3-devel-3.6.5-lp150.2.6.1 openSUSE Leap 15.0:python3-doc-3.6.5-lp150.2.6.1 openSUSE Leap 15.0:python3-idle-3.6.5-lp150.2.6.1 openSUSE Leap 15.0:python3-testsuite-3.6.5-lp150.2.6.1 openSUSE Leap 15.0:python3-tk-3.6.5-lp150.2.6.1 openSUSE Leap 15.0:python3-tools-3.6.5-lp150.2.6.1 low 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NY6OZIHZM76MZKDRQYP5AGGMPDVFH6AL/#NY6OZIHZM76MZKDRQYP5AGGMPDVFH6AL https://www.suse.com/security/cve/CVE-2018-20406.html CVE-2018-20406 https://bugzilla.suse.com/1120644 SUSE Bug 1120644 An exploitable denial-of-service vulnerability exists in the X509 certificate parser of Python.org Python 2.7.11 / 3.6.6. A specially crafted X509 certificate can cause a NULL pointer dereference, resulting in a denial of service. An attacker can initiate or accept TLS connections using crafted certificates to trigger this vulnerability. CVE-2019-5010 openSUSE Leap 15.0:libpython3_6m1_0-3.6.5-lp150.2.6.1 openSUSE Leap 15.0:libpython3_6m1_0-32bit-3.6.5-lp150.2.6.1 openSUSE Leap 15.0:python3-3.6.5-lp150.2.6.1 openSUSE Leap 15.0:python3-32bit-3.6.5-lp150.2.6.1 openSUSE Leap 15.0:python3-base-3.6.5-lp150.2.6.1 openSUSE Leap 15.0:python3-base-32bit-3.6.5-lp150.2.6.1 openSUSE Leap 15.0:python3-curses-3.6.5-lp150.2.6.1 openSUSE Leap 15.0:python3-dbm-3.6.5-lp150.2.6.1 openSUSE Leap 15.0:python3-devel-3.6.5-lp150.2.6.1 openSUSE Leap 15.0:python3-doc-3.6.5-lp150.2.6.1 openSUSE Leap 15.0:python3-idle-3.6.5-lp150.2.6.1 openSUSE Leap 15.0:python3-testsuite-3.6.5-lp150.2.6.1 openSUSE Leap 15.0:python3-tk-3.6.5-lp150.2.6.1 openSUSE Leap 15.0:python3-tools-3.6.5-lp150.2.6.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NY6OZIHZM76MZKDRQYP5AGGMPDVFH6AL/#NY6OZIHZM76MZKDRQYP5AGGMPDVFH6AL https://www.suse.com/security/cve/CVE-2019-5010.html CVE-2019-5010 https://bugzilla.suse.com/1122191 SUSE Bug 1122191 https://bugzilla.suse.com/1126909 SUSE Bug 1126909