Security update for python SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2020:0696-1 Final 1 1 2020-05-22T18:14:14Z current 2020-05-22T18:14:14Z 2020-05-22T18:14:14Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for python This update for python fixes the following issues: Security issues fixed: - CVE-2019-18348: Fixed a CRLF injection via the host part of the url passed to urlopen(). Now an InvalidURL exception is raised (bsc#1155094). - CVE-2019-9674: Improved the documentation to reflect the dangers of zip-bombs (bsc#1162825). This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2020-696 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/CLCTOYU6GVRRH3LEOSXEYTZNQQGAPQSM/ E-Mail link for openSUSE-SU-2020:0696-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1155094 SUSE Bug 1155094 https://bugzilla.suse.com/1162825 SUSE Bug 1162825 https://www.suse.com/security/cve/CVE-2019-18348/ SUSE CVE CVE-2019-18348 page https://www.suse.com/security/cve/CVE-2019-9674/ SUSE CVE CVE-2019-9674 page openSUSE Leap 15.1 libpython2_7-1_0-2.7.17-lp151.10.17.1 libpython2_7-1_0-32bit-2.7.17-lp151.10.17.1 python-2.7.17-lp151.10.17.1 python-32bit-2.7.17-lp151.10.17.1 python-base-2.7.17-lp151.10.17.1 python-base-32bit-2.7.17-lp151.10.17.1 python-curses-2.7.17-lp151.10.17.1 python-demo-2.7.17-lp151.10.17.1 python-devel-2.7.17-lp151.10.17.1 python-doc-2.7.17-lp151.10.17.1 python-doc-pdf-2.7.17-lp151.10.17.1 python-gdbm-2.7.17-lp151.10.17.1 python-idle-2.7.17-lp151.10.17.1 python-tk-2.7.17-lp151.10.17.1 python-xml-2.7.17-lp151.10.17.1 libpython2_7-1_0-2.7.17-lp151.10.17.1 as a component of openSUSE Leap 15.1 libpython2_7-1_0-32bit-2.7.17-lp151.10.17.1 as a component of openSUSE Leap 15.1 python-2.7.17-lp151.10.17.1 as a component of openSUSE Leap 15.1 python-32bit-2.7.17-lp151.10.17.1 as a component of openSUSE Leap 15.1 python-base-2.7.17-lp151.10.17.1 as a component of openSUSE Leap 15.1 python-base-32bit-2.7.17-lp151.10.17.1 as a component of openSUSE Leap 15.1 python-curses-2.7.17-lp151.10.17.1 as a component of openSUSE Leap 15.1 python-demo-2.7.17-lp151.10.17.1 as a component of openSUSE Leap 15.1 python-devel-2.7.17-lp151.10.17.1 as a component of openSUSE Leap 15.1 python-doc-2.7.17-lp151.10.17.1 as a component of openSUSE Leap 15.1 python-doc-pdf-2.7.17-lp151.10.17.1 as a component of openSUSE Leap 15.1 python-gdbm-2.7.17-lp151.10.17.1 as a component of openSUSE Leap 15.1 python-idle-2.7.17-lp151.10.17.1 as a component of openSUSE Leap 15.1 python-tk-2.7.17-lp151.10.17.1 as a component of openSUSE Leap 15.1 python-xml-2.7.17-lp151.10.17.1 as a component of openSUSE Leap 15.1 An issue was discovered in urllib2 in Python 2.x through 2.7.17 and urllib in Python 3.x through 3.8.0. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the host component of a URL) followed by an HTTP header. This is similar to the CVE-2019-9740 query string issue and the CVE-2019-9947 path string issue. (This is not exploitable when glibc has CVE-2016-10739 fixed.). This is fixed in: v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1; v3.6.11, v3.6.11rc1, v3.6.12; v3.7.8, v3.7.8rc1, v3.7.9; v3.8.3, v3.8.3rc1, v3.8.4, v3.8.4rc1, v3.8.5, v3.8.6, v3.8.6rc1. CVE-2019-18348 openSUSE Leap 15.1:libpython2_7-1_0-2.7.17-lp151.10.17.1 openSUSE Leap 15.1:libpython2_7-1_0-32bit-2.7.17-lp151.10.17.1 openSUSE Leap 15.1:python-2.7.17-lp151.10.17.1 openSUSE Leap 15.1:python-32bit-2.7.17-lp151.10.17.1 openSUSE Leap 15.1:python-base-2.7.17-lp151.10.17.1 openSUSE Leap 15.1:python-base-32bit-2.7.17-lp151.10.17.1 openSUSE Leap 15.1:python-curses-2.7.17-lp151.10.17.1 openSUSE Leap 15.1:python-demo-2.7.17-lp151.10.17.1 openSUSE Leap 15.1:python-devel-2.7.17-lp151.10.17.1 openSUSE Leap 15.1:python-doc-2.7.17-lp151.10.17.1 openSUSE Leap 15.1:python-doc-pdf-2.7.17-lp151.10.17.1 openSUSE Leap 15.1:python-gdbm-2.7.17-lp151.10.17.1 openSUSE Leap 15.1:python-idle-2.7.17-lp151.10.17.1 openSUSE Leap 15.1:python-tk-2.7.17-lp151.10.17.1 openSUSE Leap 15.1:python-xml-2.7.17-lp151.10.17.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/CLCTOYU6GVRRH3LEOSXEYTZNQQGAPQSM/ https://www.suse.com/security/cve/CVE-2019-18348.html CVE-2019-18348 https://bugzilla.suse.com/1155094 SUSE Bug 1155094 Lib/zipfile.py in Python through 3.7.2 allows remote attackers to cause a denial of service (resource consumption) via a ZIP bomb. CVE-2019-9674 openSUSE Leap 15.1:libpython2_7-1_0-2.7.17-lp151.10.17.1 openSUSE Leap 15.1:libpython2_7-1_0-32bit-2.7.17-lp151.10.17.1 openSUSE Leap 15.1:python-2.7.17-lp151.10.17.1 openSUSE Leap 15.1:python-32bit-2.7.17-lp151.10.17.1 openSUSE Leap 15.1:python-base-2.7.17-lp151.10.17.1 openSUSE Leap 15.1:python-base-32bit-2.7.17-lp151.10.17.1 openSUSE Leap 15.1:python-curses-2.7.17-lp151.10.17.1 openSUSE Leap 15.1:python-demo-2.7.17-lp151.10.17.1 openSUSE Leap 15.1:python-devel-2.7.17-lp151.10.17.1 openSUSE Leap 15.1:python-doc-2.7.17-lp151.10.17.1 openSUSE Leap 15.1:python-doc-pdf-2.7.17-lp151.10.17.1 openSUSE Leap 15.1:python-gdbm-2.7.17-lp151.10.17.1 openSUSE Leap 15.1:python-idle-2.7.17-lp151.10.17.1 openSUSE Leap 15.1:python-tk-2.7.17-lp151.10.17.1 openSUSE Leap 15.1:python-xml-2.7.17-lp151.10.17.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/CLCTOYU6GVRRH3LEOSXEYTZNQQGAPQSM/ https://www.suse.com/security/cve/CVE-2019-9674.html CVE-2019-9674 https://bugzilla.suse.com/1162825 SUSE Bug 1162825