Security update for python SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2021:1418-1 Final 1 1 2021-10-31T15:07:59Z current 2021-10-31T15:07:59Z 2021-10-31T15:07:59Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for python This update for python fixes the following issues: - CVE-2021-3737: Fixed http client infinite line reading (DoS) after a http 100. (bsc#1189241) - CVE-2021-3733: Fixed ReDoS in urllib.request. (bsc#1189287) This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2021-1418 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/7AF3KRDWJVTDRPTV5WLKDBFKVCOCN3FB/ E-Mail link for openSUSE-SU-2021:1418-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1189241 SUSE Bug 1189241 https://bugzilla.suse.com/1189287 SUSE Bug 1189287 https://www.suse.com/security/cve/CVE-2021-3733/ SUSE CVE CVE-2021-3733 page https://www.suse.com/security/cve/CVE-2021-3737/ SUSE CVE CVE-2021-3737 page openSUSE Leap 15.2 libpython2_7-1_0-2.7.18-lp152.3.21.1 libpython2_7-1_0-32bit-2.7.18-lp152.3.21.1 python-2.7.18-lp152.3.21.1 python-32bit-2.7.18-lp152.3.21.1 python-base-2.7.18-lp152.3.21.1 python-base-32bit-2.7.18-lp152.3.21.1 python-curses-2.7.18-lp152.3.21.1 python-demo-2.7.18-lp152.3.21.1 python-devel-2.7.18-lp152.3.21.1 python-doc-2.7.18-lp152.3.21.1 python-doc-pdf-2.7.18-lp152.3.21.1 python-gdbm-2.7.18-lp152.3.21.1 python-idle-2.7.18-lp152.3.21.1 python-tk-2.7.18-lp152.3.21.1 python-xml-2.7.18-lp152.3.21.1 libpython2_7-1_0-2.7.18-lp152.3.21.1 as a component of openSUSE Leap 15.2 libpython2_7-1_0-32bit-2.7.18-lp152.3.21.1 as a component of openSUSE Leap 15.2 python-2.7.18-lp152.3.21.1 as a component of openSUSE Leap 15.2 python-32bit-2.7.18-lp152.3.21.1 as a component of openSUSE Leap 15.2 python-base-2.7.18-lp152.3.21.1 as a component of openSUSE Leap 15.2 python-base-32bit-2.7.18-lp152.3.21.1 as a component of openSUSE Leap 15.2 python-curses-2.7.18-lp152.3.21.1 as a component of openSUSE Leap 15.2 python-demo-2.7.18-lp152.3.21.1 as a component of openSUSE Leap 15.2 python-devel-2.7.18-lp152.3.21.1 as a component of openSUSE Leap 15.2 python-doc-2.7.18-lp152.3.21.1 as a component of openSUSE Leap 15.2 python-doc-pdf-2.7.18-lp152.3.21.1 as a component of openSUSE Leap 15.2 python-gdbm-2.7.18-lp152.3.21.1 as a component of openSUSE Leap 15.2 python-idle-2.7.18-lp152.3.21.1 as a component of openSUSE Leap 15.2 python-tk-2.7.18-lp152.3.21.1 as a component of openSUSE Leap 15.2 python-xml-2.7.18-lp152.3.21.1 as a component of openSUSE Leap 15.2 There's a flaw in urllib's AbstractBasicAuthHandler class. An attacker who controls a malicious HTTP server that an HTTP client (such as web browser) connects to, could trigger a Regular Expression Denial of Service (ReDOS) during an authentication request with a specially crafted payload that is sent by the server to the client. The greatest threat that this flaw poses is to application availability. CVE-2021-3733 openSUSE Leap 15.2:libpython2_7-1_0-2.7.18-lp152.3.21.1 openSUSE Leap 15.2:libpython2_7-1_0-32bit-2.7.18-lp152.3.21.1 openSUSE Leap 15.2:python-2.7.18-lp152.3.21.1 openSUSE Leap 15.2:python-32bit-2.7.18-lp152.3.21.1 openSUSE Leap 15.2:python-base-2.7.18-lp152.3.21.1 openSUSE Leap 15.2:python-base-32bit-2.7.18-lp152.3.21.1 openSUSE Leap 15.2:python-curses-2.7.18-lp152.3.21.1 openSUSE Leap 15.2:python-demo-2.7.18-lp152.3.21.1 openSUSE Leap 15.2:python-devel-2.7.18-lp152.3.21.1 openSUSE Leap 15.2:python-doc-2.7.18-lp152.3.21.1 openSUSE Leap 15.2:python-doc-pdf-2.7.18-lp152.3.21.1 openSUSE Leap 15.2:python-gdbm-2.7.18-lp152.3.21.1 openSUSE Leap 15.2:python-idle-2.7.18-lp152.3.21.1 openSUSE Leap 15.2:python-tk-2.7.18-lp152.3.21.1 openSUSE Leap 15.2:python-xml-2.7.18-lp152.3.21.1 low 4 AV:N/AC:L/Au:S/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/7AF3KRDWJVTDRPTV5WLKDBFKVCOCN3FB/ https://www.suse.com/security/cve/CVE-2021-3733.html CVE-2021-3733 https://bugzilla.suse.com/1189287 SUSE Bug 1189287 A flaw was found in python. An improperly handled HTTP response in the HTTP client code of python may allow a remote attacker, who controls the HTTP server, to make the client script enter an infinite loop, consuming CPU time. The highest threat from this vulnerability is to system availability. CVE-2021-3737 openSUSE Leap 15.2:libpython2_7-1_0-2.7.18-lp152.3.21.1 openSUSE Leap 15.2:libpython2_7-1_0-32bit-2.7.18-lp152.3.21.1 openSUSE Leap 15.2:python-2.7.18-lp152.3.21.1 openSUSE Leap 15.2:python-32bit-2.7.18-lp152.3.21.1 openSUSE Leap 15.2:python-base-2.7.18-lp152.3.21.1 openSUSE Leap 15.2:python-base-32bit-2.7.18-lp152.3.21.1 openSUSE Leap 15.2:python-curses-2.7.18-lp152.3.21.1 openSUSE Leap 15.2:python-demo-2.7.18-lp152.3.21.1 openSUSE Leap 15.2:python-devel-2.7.18-lp152.3.21.1 openSUSE Leap 15.2:python-doc-2.7.18-lp152.3.21.1 openSUSE Leap 15.2:python-doc-pdf-2.7.18-lp152.3.21.1 openSUSE Leap 15.2:python-gdbm-2.7.18-lp152.3.21.1 openSUSE Leap 15.2:python-idle-2.7.18-lp152.3.21.1 openSUSE Leap 15.2:python-tk-2.7.18-lp152.3.21.1 openSUSE Leap 15.2:python-xml-2.7.18-lp152.3.21.1 moderate 7.1 AV:N/AC:M/Au:N/C:N/I:N/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/7AF3KRDWJVTDRPTV5WLKDBFKVCOCN3FB/ https://www.suse.com/security/cve/CVE-2021-3737.html CVE-2021-3737 https://bugzilla.suse.com/1189241 SUSE Bug 1189241