Security update for python3 SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2016:2120-1 Final 1 1 2016-08-19T13:16:58Z current 2016-08-19T13:16:58Z 2016-08-19T13:16:58Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for python3 This update for python3 fixes the following issues: - apply fix for CVE-2016-1000110 - CGIHandler: sets environmental variable based on user supplied Proxy request header (fixes boo#989523, CVE-2016-1000110) - update to 3.4.5 check: https://docs.python.org/3.4/whatsnew/changelog.html (fixes boo#984751, CVE-2016-0772) (fixes boo#985177, CVE-2016-5636) (fixes boo#985348, CVE-2016-5699) - Bump DH parameters to 2048 bit to fix logjam security issue. boo#935856 - apply fix for CVE-2016-1000110 - CGIHandler: sets environmental variable based on user supplied Proxy request header: (fixes boo#989523, CVE-2016-1000110) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-updates/2016-08/msg00089.html E-Mail link for openSUSE-SU-2016:2120-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.1 libpython3_4m1_0-3.4.5-8.1 libpython3_4m1_0-32bit-3.4.5-8.1 python3-3.4.5-8.1 python3-32bit-3.4.5-8.1 python3-base-3.4.5-8.1 python3-base-32bit-3.4.5-8.1 python3-curses-3.4.5-8.1 python3-dbm-3.4.5-8.1 python3-devel-3.4.5-8.1 python3-doc-3.4.5-8.1 python3-doc-pdf-3.4.5-8.1 python3-idle-3.4.5-8.1 python3-testsuite-3.4.5-8.1 python3-tk-3.4.5-8.1 python3-tools-3.4.5-8.1 libpython3_4m1_0-3.4.5-8.1 as a component of openSUSE Leap 42.1 libpython3_4m1_0-32bit-3.4.5-8.1 as a component of openSUSE Leap 42.1 python3-3.4.5-8.1 as a component of openSUSE Leap 42.1 python3-32bit-3.4.5-8.1 as a component of openSUSE Leap 42.1 python3-base-3.4.5-8.1 as a component of openSUSE Leap 42.1 python3-base-32bit-3.4.5-8.1 as a component of openSUSE Leap 42.1 python3-curses-3.4.5-8.1 as a component of openSUSE Leap 42.1 python3-dbm-3.4.5-8.1 as a component of openSUSE Leap 42.1 python3-devel-3.4.5-8.1 as a component of openSUSE Leap 42.1 python3-doc-3.4.5-8.1 as a component of openSUSE Leap 42.1 python3-doc-pdf-3.4.5-8.1 as a component of openSUSE Leap 42.1 python3-idle-3.4.5-8.1 as a component of openSUSE Leap 42.1 python3-testsuite-3.4.5-8.1 as a component of openSUSE Leap 42.1 python3-tk-3.4.5-8.1 as a component of openSUSE Leap 42.1 python3-tools-3.4.5-8.1 as a component of openSUSE Leap 42.1 The CGIHTTPServer module in Python 2.7.5 and 3.3.4 does not properly handle URLs in which URL encoding is used for path separators, which allows remote attackers to read script source code or conduct directory traversal attacks and execute unintended code via a crafted character sequence, as demonstrated by a %2f separator. CVE-2014-4650 openSUSE Leap 42.1:libpython3_4m1_0-3.4.5-8.1 openSUSE Leap 42.1:libpython3_4m1_0-32bit-3.4.5-8.1 openSUSE Leap 42.1:python3-3.4.5-8.1 openSUSE Leap 42.1:python3-32bit-3.4.5-8.1 openSUSE Leap 42.1:python3-base-3.4.5-8.1 openSUSE Leap 42.1:python3-base-32bit-3.4.5-8.1 openSUSE Leap 42.1:python3-curses-3.4.5-8.1 openSUSE Leap 42.1:python3-dbm-3.4.5-8.1 openSUSE Leap 42.1:python3-devel-3.4.5-8.1 openSUSE Leap 42.1:python3-doc-3.4.5-8.1 openSUSE Leap 42.1:python3-doc-pdf-3.4.5-8.1 openSUSE Leap 42.1:python3-idle-3.4.5-8.1 openSUSE Leap 42.1:python3-testsuite-3.4.5-8.1 openSUSE Leap 42.1:python3-tk-3.4.5-8.1 openSUSE Leap 42.1:python3-tools-3.4.5-8.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2016-08/msg00089.html https://www.suse.com/security/cve/CVE-2014-4650.html CVE-2014-4650 https://bugzilla.suse.com/856835 SUSE Bug 856835 https://bugzilla.suse.com/856836 SUSE Bug 856836 https://bugzilla.suse.com/863741 SUSE Bug 863741 https://bugzilla.suse.com/885882 SUSE Bug 885882 https://bugzilla.suse.com/898572 SUSE Bug 898572 The smtplib library in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 does not return an error when StartTLS fails, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a "StartTLS stripping attack." CVE-2016-0772 openSUSE Leap 42.1:libpython3_4m1_0-3.4.5-8.1 openSUSE Leap 42.1:libpython3_4m1_0-32bit-3.4.5-8.1 openSUSE Leap 42.1:python3-3.4.5-8.1 openSUSE Leap 42.1:python3-32bit-3.4.5-8.1 openSUSE Leap 42.1:python3-base-3.4.5-8.1 openSUSE Leap 42.1:python3-base-32bit-3.4.5-8.1 openSUSE Leap 42.1:python3-curses-3.4.5-8.1 openSUSE Leap 42.1:python3-dbm-3.4.5-8.1 openSUSE Leap 42.1:python3-devel-3.4.5-8.1 openSUSE Leap 42.1:python3-doc-3.4.5-8.1 openSUSE Leap 42.1:python3-doc-pdf-3.4.5-8.1 openSUSE Leap 42.1:python3-idle-3.4.5-8.1 openSUSE Leap 42.1:python3-testsuite-3.4.5-8.1 openSUSE Leap 42.1:python3-tk-3.4.5-8.1 openSUSE Leap 42.1:python3-tools-3.4.5-8.1 moderate 5.8 AV:N/AC:M/Au:N/C:P/I:P/A:N Please Install the update. https://lists.opensuse.org/opensuse-updates/2016-08/msg00089.html https://www.suse.com/security/cve/CVE-2016-0772.html CVE-2016-0772 https://bugzilla.suse.com/984751 SUSE Bug 984751 The CGIHandler class in Python before 2.7.12 does not protect against the HTTP_PROXY variable name clash in a CGI script, which could allow a remote attacker to redirect HTTP requests. CVE-2016-1000110 openSUSE Leap 42.1:libpython3_4m1_0-3.4.5-8.1 openSUSE Leap 42.1:libpython3_4m1_0-32bit-3.4.5-8.1 openSUSE Leap 42.1:python3-3.4.5-8.1 openSUSE Leap 42.1:python3-32bit-3.4.5-8.1 openSUSE Leap 42.1:python3-base-3.4.5-8.1 openSUSE Leap 42.1:python3-base-32bit-3.4.5-8.1 openSUSE Leap 42.1:python3-curses-3.4.5-8.1 openSUSE Leap 42.1:python3-dbm-3.4.5-8.1 openSUSE Leap 42.1:python3-devel-3.4.5-8.1 openSUSE Leap 42.1:python3-doc-3.4.5-8.1 openSUSE Leap 42.1:python3-doc-pdf-3.4.5-8.1 openSUSE Leap 42.1:python3-idle-3.4.5-8.1 openSUSE Leap 42.1:python3-testsuite-3.4.5-8.1 openSUSE Leap 42.1:python3-tk-3.4.5-8.1 openSUSE Leap 42.1:python3-tools-3.4.5-8.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:P/A:N Please Install the update. https://lists.opensuse.org/opensuse-updates/2016-08/msg00089.html https://www.suse.com/security/cve/CVE-2016-1000110.html CVE-2016-1000110 https://bugzilla.suse.com/988484 SUSE Bug 988484 https://bugzilla.suse.com/989523 SUSE Bug 989523 Integer overflow in the get_data function in zipimport.c in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers to have unspecified impact via a negative data size value, which triggers a heap-based buffer overflow. CVE-2016-5636 openSUSE Leap 42.1:libpython3_4m1_0-3.4.5-8.1 openSUSE Leap 42.1:libpython3_4m1_0-32bit-3.4.5-8.1 openSUSE Leap 42.1:python3-3.4.5-8.1 openSUSE Leap 42.1:python3-32bit-3.4.5-8.1 openSUSE Leap 42.1:python3-base-3.4.5-8.1 openSUSE Leap 42.1:python3-base-32bit-3.4.5-8.1 openSUSE Leap 42.1:python3-curses-3.4.5-8.1 openSUSE Leap 42.1:python3-dbm-3.4.5-8.1 openSUSE Leap 42.1:python3-devel-3.4.5-8.1 openSUSE Leap 42.1:python3-doc-3.4.5-8.1 openSUSE Leap 42.1:python3-doc-pdf-3.4.5-8.1 openSUSE Leap 42.1:python3-idle-3.4.5-8.1 openSUSE Leap 42.1:python3-testsuite-3.4.5-8.1 openSUSE Leap 42.1:python3-tk-3.4.5-8.1 openSUSE Leap 42.1:python3-tools-3.4.5-8.1 moderate 4.4 AV:L/AC:M/Au:N/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2016-08/msg00089.html https://www.suse.com/security/cve/CVE-2016-5636.html CVE-2016-5636 https://bugzilla.suse.com/1065451 SUSE Bug 1065451 https://bugzilla.suse.com/1095424 SUSE Bug 1095424 https://bugzilla.suse.com/1106262 SUSE Bug 1106262 https://bugzilla.suse.com/985177 SUSE Bug 985177 CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL. CVE-2016-5699 openSUSE Leap 42.1:libpython3_4m1_0-3.4.5-8.1 openSUSE Leap 42.1:libpython3_4m1_0-32bit-3.4.5-8.1 openSUSE Leap 42.1:python3-3.4.5-8.1 openSUSE Leap 42.1:python3-32bit-3.4.5-8.1 openSUSE Leap 42.1:python3-base-3.4.5-8.1 openSUSE Leap 42.1:python3-base-32bit-3.4.5-8.1 openSUSE Leap 42.1:python3-curses-3.4.5-8.1 openSUSE Leap 42.1:python3-dbm-3.4.5-8.1 openSUSE Leap 42.1:python3-devel-3.4.5-8.1 openSUSE Leap 42.1:python3-doc-3.4.5-8.1 openSUSE Leap 42.1:python3-doc-pdf-3.4.5-8.1 openSUSE Leap 42.1:python3-idle-3.4.5-8.1 openSUSE Leap 42.1:python3-testsuite-3.4.5-8.1 openSUSE Leap 42.1:python3-tk-3.4.5-8.1 openSUSE Leap 42.1:python3-tools-3.4.5-8.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:P/A:N Please Install the update. https://lists.opensuse.org/opensuse-updates/2016-08/msg00089.html https://www.suse.com/security/cve/CVE-2016-5699.html CVE-2016-5699 https://bugzilla.suse.com/1122729 SUSE Bug 1122729 https://bugzilla.suse.com/1130840 SUSE Bug 1130840 https://bugzilla.suse.com/985348 SUSE Bug 985348 https://bugzilla.suse.com/985351 SUSE Bug 985351 https://bugzilla.suse.com/986630 SUSE Bug 986630