Security update for python SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2019:0292-1 Final 1 1 2019-03-05T18:21:48Z current 2019-03-05T18:21:48Z 2019-03-05T18:21:48Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for python This update for python fixes the following issues: Security issues fixed: - CVE-2019-5010: Fixed a denial-of-service vulnerability in the X509 certificate parser (bsc#1122191). - CVE-2018-14647: Fixed a denial-of-service vulnerability in Expat (bsc#1109847). Non-security issue fixed: - Fixed a bug where PyWeakReference struct was not initialized correctly leading to a crash (bsc#1073748). This update was imported from the SUSE:SLE-12-SP1:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-security-announce/2019-03/msg00006.html E-Mail link for openSUSE-SU-2019:0292-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.3 libpython2_7-1_0-2.7.13-27.12.1 libpython2_7-1_0-32bit-2.7.13-27.12.1 python-2.7.13-27.12.1 python-32bit-2.7.13-27.12.1 python-base-2.7.13-27.12.1 python-base-32bit-2.7.13-27.12.1 python-curses-2.7.13-27.12.1 python-demo-2.7.13-27.12.1 python-devel-2.7.13-27.12.1 python-doc-2.7.13-27.12.1 python-doc-pdf-2.7.13-27.12.1 python-gdbm-2.7.13-27.12.1 python-idle-2.7.13-27.12.1 python-tk-2.7.13-27.12.1 python-xml-2.7.13-27.12.1 libpython2_7-1_0-2.7.13-27.12.1 as a component of openSUSE Leap 42.3 libpython2_7-1_0-32bit-2.7.13-27.12.1 as a component of openSUSE Leap 42.3 python-2.7.13-27.12.1 as a component of openSUSE Leap 42.3 python-32bit-2.7.13-27.12.1 as a component of openSUSE Leap 42.3 python-base-2.7.13-27.12.1 as a component of openSUSE Leap 42.3 python-base-32bit-2.7.13-27.12.1 as a component of openSUSE Leap 42.3 python-curses-2.7.13-27.12.1 as a component of openSUSE Leap 42.3 python-demo-2.7.13-27.12.1 as a component of openSUSE Leap 42.3 python-devel-2.7.13-27.12.1 as a component of openSUSE Leap 42.3 python-doc-2.7.13-27.12.1 as a component of openSUSE Leap 42.3 python-doc-pdf-2.7.13-27.12.1 as a component of openSUSE Leap 42.3 python-gdbm-2.7.13-27.12.1 as a component of openSUSE Leap 42.3 python-idle-2.7.13-27.12.1 as a component of openSUSE Leap 42.3 python-tk-2.7.13-27.12.1 as a component of openSUSE Leap 42.3 python-xml-2.7.13-27.12.1 as a component of openSUSE Leap 42.3 Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat's internal data structures, consuming large amounts CPU and RAM. The vulnerability exists in Python versions 3.7.0, 3.6.0 through 3.6.6, 3.5.0 through 3.5.6, 3.4.0 through 3.4.9, 2.7.0 through 2.7.15. CVE-2018-14647 openSUSE Leap 42.3:libpython2_7-1_0-2.7.13-27.12.1 openSUSE Leap 42.3:libpython2_7-1_0-32bit-2.7.13-27.12.1 openSUSE Leap 42.3:python-2.7.13-27.12.1 openSUSE Leap 42.3:python-32bit-2.7.13-27.12.1 openSUSE Leap 42.3:python-base-2.7.13-27.12.1 openSUSE Leap 42.3:python-base-32bit-2.7.13-27.12.1 openSUSE Leap 42.3:python-curses-2.7.13-27.12.1 openSUSE Leap 42.3:python-demo-2.7.13-27.12.1 openSUSE Leap 42.3:python-devel-2.7.13-27.12.1 openSUSE Leap 42.3:python-doc-2.7.13-27.12.1 openSUSE Leap 42.3:python-doc-pdf-2.7.13-27.12.1 openSUSE Leap 42.3:python-gdbm-2.7.13-27.12.1 openSUSE Leap 42.3:python-idle-2.7.13-27.12.1 openSUSE Leap 42.3:python-tk-2.7.13-27.12.1 openSUSE Leap 42.3:python-xml-2.7.13-27.12.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2019-03/msg00006.html https://www.suse.com/security/cve/CVE-2018-14647.html CVE-2018-14647 https://bugzilla.suse.com/1109847 SUSE Bug 1109847 https://bugzilla.suse.com/1126909 SUSE Bug 1126909 An exploitable denial-of-service vulnerability exists in the X509 certificate parser of Python.org Python 2.7.11 / 3.6.6. A specially crafted X509 certificate can cause a NULL pointer dereference, resulting in a denial of service. An attacker can initiate or accept TLS connections using crafted certificates to trigger this vulnerability. CVE-2019-5010 openSUSE Leap 42.3:libpython2_7-1_0-2.7.13-27.12.1 openSUSE Leap 42.3:libpython2_7-1_0-32bit-2.7.13-27.12.1 openSUSE Leap 42.3:python-2.7.13-27.12.1 openSUSE Leap 42.3:python-32bit-2.7.13-27.12.1 openSUSE Leap 42.3:python-base-2.7.13-27.12.1 openSUSE Leap 42.3:python-base-32bit-2.7.13-27.12.1 openSUSE Leap 42.3:python-curses-2.7.13-27.12.1 openSUSE Leap 42.3:python-demo-2.7.13-27.12.1 openSUSE Leap 42.3:python-devel-2.7.13-27.12.1 openSUSE Leap 42.3:python-doc-2.7.13-27.12.1 openSUSE Leap 42.3:python-doc-pdf-2.7.13-27.12.1 openSUSE Leap 42.3:python-gdbm-2.7.13-27.12.1 openSUSE Leap 42.3:python-idle-2.7.13-27.12.1 openSUSE Leap 42.3:python-tk-2.7.13-27.12.1 openSUSE Leap 42.3:python-xml-2.7.13-27.12.1 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2019-03/msg00006.html https://www.suse.com/security/cve/CVE-2019-5010.html CVE-2019-5010 https://bugzilla.suse.com/1122191 SUSE Bug 1122191 https://bugzilla.suse.com/1126909 SUSE Bug 1126909