Security update for python-nltk SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2020:0436-1 Final 1 1 2020-03-31T14:23:34Z current 2020-03-31T14:23:34Z 2020-03-31T14:23:34Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for python-nltk This update for python-nltk fixes the following issues: Update to 3.4.5 (boo#1146427, CVE-2019-14751): * CVE-2019-14751: Fixed Zip slip vulnerability in downloader for the unlikely situation where a user configures their downloader to use a compromised server (boo#1146427) Update to 3.4.4: * fix bug in plot function (probability.py) * add improved PanLex Swadesh corpus reader * add Text.generate() * add QuadgramAssocMeasures * add SSP to tokenizers * return confidence of best tag from AveragedPerceptron * make plot methods return Axes objects * don't require list arguments to PositiveNaiveBayesClassifier.train * fix Tree classes to work with native Python copy library * fix inconsistency for NomBank * fix random seeding in LanguageModel.generate * fix ConditionalFreqDist mutation on tabulate/plot call * fix broken links in documentation * fix misc Wordnet issues * update installation instructions Version update to 3.4.1: * add chomsky_normal_form for CFGs * add meteor score * add minimum edit/Levenshtein distance based alignment function * allow access to collocation list via text.collocation_list() * support corenlp server options * drop support for Python 3.4 * other minor fixes Update to v3.4: * Support Python 3.7 * New Language Modeling package * Cistem Stemmer for German * Support Russian National Corpus incl POS tag model * Krippendorf Alpha inter-rater reliability test * Comprehensive code clean-ups * Switch continuous integration from Jenkins to Travis Updated to v3.3: * Support Python 3.6 * New interface to CoreNLP * Support synset retrieval by sense key * Minor fixes to CoNLL Corpus Reader * AlignedSent * Fixed minor inconsistencies in APIs and API documentation * Better conformance to PEP8 * Drop Moses Tokenizer (incompatible license) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2020-436 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/JQ6ZSSQHXJZYKCAD25PTWOW4FERVCB35/ E-Mail link for openSUSE-SU-2020:0436-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1146427 SUSE Bug 1146427 https://www.suse.com/security/cve/CVE-2019-14751/ SUSE CVE CVE-2019-14751 page openSUSE Leap 15.1 python2-nltk-3.4.5-lp151.4.3.1 python3-nltk-3.4.5-lp151.4.3.1 python2-nltk-3.4.5-lp151.4.3.1 as a component of openSUSE Leap 15.1 python3-nltk-3.4.5-lp151.4.3.1 as a component of openSUSE Leap 15.1 NLTK Downloader before 3.4.5 is vulnerable to a directory traversal, allowing attackers to write arbitrary files via a ../ (dot dot slash) in an NLTK package (ZIP archive) that is mishandled during extraction. CVE-2019-14751 openSUSE Leap 15.1:python2-nltk-3.4.5-lp151.4.3.1 openSUSE Leap 15.1:python3-nltk-3.4.5-lp151.4.3.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/JQ6ZSSQHXJZYKCAD25PTWOW4FERVCB35/ https://www.suse.com/security/cve/CVE-2019-14751.html CVE-2019-14751 https://bugzilla.suse.com/1146427 SUSE Bug 1146427