Security update for python SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2016:1885-1 Final 1 1 2016-07-27T13:25:50Z current 2016-07-27T13:25:50Z 2016-07-27T13:25:50Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for python Python was updated to fix three security issues. The following vulnerabilities were fixed: - CVE-2016-0772: TLS stripping attack on smtplib (bsc#984751) - CVE-2016-5636: zipimporter heap overflow (bsc#985177) - CVE-2016-5699: httplib header injection (bsc#985348) This update also includes all upstream bug fixes and improvements in Python 2.7.12. It also includes the following packaging changes: - reintroduce support for CA directory path The following tracked packaging issues were fixed: - broken overflow checks (bsc#964182) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-updates/2016-07/msg00084.html E-Mail link for openSUSE-SU-2016:1885-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.1 libpython2_7-1_0-2.7.12-23.1 libpython2_7-1_0-32bit-2.7.12-23.1 python-2.7.12-23.1 python-32bit-2.7.12-23.1 python-base-2.7.12-23.1 python-base-32bit-2.7.12-23.1 python-curses-2.7.12-23.1 python-demo-2.7.12-23.1 python-devel-2.7.12-23.1 python-doc-2.7.12-23.1 python-doc-pdf-2.7.12-23.1 python-gdbm-2.7.12-23.1 python-idle-2.7.12-23.1 python-tk-2.7.12-23.1 python-xml-2.7.12-23.1 libpython2_7-1_0-2.7.12-23.1 as a component of openSUSE Leap 42.1 libpython2_7-1_0-32bit-2.7.12-23.1 as a component of openSUSE Leap 42.1 python-2.7.12-23.1 as a component of openSUSE Leap 42.1 python-32bit-2.7.12-23.1 as a component of openSUSE Leap 42.1 python-base-2.7.12-23.1 as a component of openSUSE Leap 42.1 python-base-32bit-2.7.12-23.1 as a component of openSUSE Leap 42.1 python-curses-2.7.12-23.1 as a component of openSUSE Leap 42.1 python-demo-2.7.12-23.1 as a component of openSUSE Leap 42.1 python-devel-2.7.12-23.1 as a component of openSUSE Leap 42.1 python-doc-2.7.12-23.1 as a component of openSUSE Leap 42.1 python-doc-pdf-2.7.12-23.1 as a component of openSUSE Leap 42.1 python-gdbm-2.7.12-23.1 as a component of openSUSE Leap 42.1 python-idle-2.7.12-23.1 as a component of openSUSE Leap 42.1 python-tk-2.7.12-23.1 as a component of openSUSE Leap 42.1 python-xml-2.7.12-23.1 as a component of openSUSE Leap 42.1 The smtplib library in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 does not return an error when StartTLS fails, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a "StartTLS stripping attack." CVE-2016-0772 openSUSE Leap 42.1:libpython2_7-1_0-2.7.12-23.1 openSUSE Leap 42.1:libpython2_7-1_0-32bit-2.7.12-23.1 openSUSE Leap 42.1:python-2.7.12-23.1 openSUSE Leap 42.1:python-32bit-2.7.12-23.1 openSUSE Leap 42.1:python-base-2.7.12-23.1 openSUSE Leap 42.1:python-base-32bit-2.7.12-23.1 openSUSE Leap 42.1:python-curses-2.7.12-23.1 openSUSE Leap 42.1:python-demo-2.7.12-23.1 openSUSE Leap 42.1:python-devel-2.7.12-23.1 openSUSE Leap 42.1:python-doc-2.7.12-23.1 openSUSE Leap 42.1:python-doc-pdf-2.7.12-23.1 openSUSE Leap 42.1:python-gdbm-2.7.12-23.1 openSUSE Leap 42.1:python-idle-2.7.12-23.1 openSUSE Leap 42.1:python-tk-2.7.12-23.1 openSUSE Leap 42.1:python-xml-2.7.12-23.1 moderate 5.8 AV:N/AC:M/Au:N/C:P/I:P/A:N Please Install the update. https://lists.opensuse.org/opensuse-updates/2016-07/msg00084.html https://www.suse.com/security/cve/CVE-2016-0772.html CVE-2016-0772 https://bugzilla.suse.com/984751 SUSE Bug 984751 Integer overflow in the get_data function in zipimport.c in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers to have unspecified impact via a negative data size value, which triggers a heap-based buffer overflow. CVE-2016-5636 openSUSE Leap 42.1:libpython2_7-1_0-2.7.12-23.1 openSUSE Leap 42.1:libpython2_7-1_0-32bit-2.7.12-23.1 openSUSE Leap 42.1:python-2.7.12-23.1 openSUSE Leap 42.1:python-32bit-2.7.12-23.1 openSUSE Leap 42.1:python-base-2.7.12-23.1 openSUSE Leap 42.1:python-base-32bit-2.7.12-23.1 openSUSE Leap 42.1:python-curses-2.7.12-23.1 openSUSE Leap 42.1:python-demo-2.7.12-23.1 openSUSE Leap 42.1:python-devel-2.7.12-23.1 openSUSE Leap 42.1:python-doc-2.7.12-23.1 openSUSE Leap 42.1:python-doc-pdf-2.7.12-23.1 openSUSE Leap 42.1:python-gdbm-2.7.12-23.1 openSUSE Leap 42.1:python-idle-2.7.12-23.1 openSUSE Leap 42.1:python-tk-2.7.12-23.1 openSUSE Leap 42.1:python-xml-2.7.12-23.1 moderate 4.4 AV:L/AC:M/Au:N/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2016-07/msg00084.html https://www.suse.com/security/cve/CVE-2016-5636.html CVE-2016-5636 https://bugzilla.suse.com/1065451 SUSE Bug 1065451 https://bugzilla.suse.com/1095424 SUSE Bug 1095424 https://bugzilla.suse.com/1106262 SUSE Bug 1106262 https://bugzilla.suse.com/985177 SUSE Bug 985177 CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL. CVE-2016-5699 openSUSE Leap 42.1:libpython2_7-1_0-2.7.12-23.1 openSUSE Leap 42.1:libpython2_7-1_0-32bit-2.7.12-23.1 openSUSE Leap 42.1:python-2.7.12-23.1 openSUSE Leap 42.1:python-32bit-2.7.12-23.1 openSUSE Leap 42.1:python-base-2.7.12-23.1 openSUSE Leap 42.1:python-base-32bit-2.7.12-23.1 openSUSE Leap 42.1:python-curses-2.7.12-23.1 openSUSE Leap 42.1:python-demo-2.7.12-23.1 openSUSE Leap 42.1:python-devel-2.7.12-23.1 openSUSE Leap 42.1:python-doc-2.7.12-23.1 openSUSE Leap 42.1:python-doc-pdf-2.7.12-23.1 openSUSE Leap 42.1:python-gdbm-2.7.12-23.1 openSUSE Leap 42.1:python-idle-2.7.12-23.1 openSUSE Leap 42.1:python-tk-2.7.12-23.1 openSUSE Leap 42.1:python-xml-2.7.12-23.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:P/A:N Please Install the update. https://lists.opensuse.org/opensuse-updates/2016-07/msg00084.html https://www.suse.com/security/cve/CVE-2016-5699.html CVE-2016-5699 https://bugzilla.suse.com/1122729 SUSE Bug 1122729 https://bugzilla.suse.com/1130840 SUSE Bug 1130840 https://bugzilla.suse.com/985348 SUSE Bug 985348 https://bugzilla.suse.com/985351 SUSE Bug 985351 https://bugzilla.suse.com/986630 SUSE Bug 986630