Security update for python3 SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2019:2438-1 Final 1 1 2019-11-05T15:31:23Z current 2019-11-05T15:31:23Z 2019-11-05T15:31:23Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for python3 This update for python3 to 3.6.9 fixes the following issues: Security issues fixed: - CVE-2019-16056: Fixed a parser issue in the email module. (bsc#1149955) - CVE-2019-16935: Fixed a reflected XSS in python/Lib/DocXMLRPCServer.py (bsc#1153238). Non-security issues fixed: - Fixed regression of OpenSSL 1.1.1b-1 in EVP_PBE_scrypt() with salt=NULL. (bsc#1151490) - Improved locale handling by implementing PEP 538. This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2019-2438 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-security-announce/2019-11/msg00012.html E-Mail link for openSUSE-SU-2019:2438-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1149121 SUSE Bug 1149121 https://bugzilla.suse.com/1149792 SUSE Bug 1149792 https://bugzilla.suse.com/1149955 SUSE Bug 1149955 https://bugzilla.suse.com/1151490 SUSE Bug 1151490 https://bugzilla.suse.com/1153238 SUSE Bug 1153238 https://www.suse.com/security/cve/CVE-2019-16056/ SUSE CVE CVE-2019-16056 page https://www.suse.com/security/cve/CVE-2019-16935/ SUSE CVE CVE-2019-16935 page openSUSE Leap 15.1 libpython3_6m1_0-3.6.9-lp151.6.4.1 libpython3_6m1_0-32bit-3.6.9-lp151.6.4.1 python3-3.6.9-lp151.6.4.1 python3-32bit-3.6.9-lp151.6.4.1 python3-base-3.6.9-lp151.6.4.1 python3-base-32bit-3.6.9-lp151.6.4.1 python3-curses-3.6.9-lp151.6.4.1 python3-dbm-3.6.9-lp151.6.4.1 python3-devel-3.6.9-lp151.6.4.1 python3-idle-3.6.9-lp151.6.4.1 python3-testsuite-3.6.9-lp151.6.4.1 python3-tk-3.6.9-lp151.6.4.1 python3-tools-3.6.9-lp151.6.4.1 libpython3_6m1_0-3.6.9-lp151.6.4.1 as a component of openSUSE Leap 15.1 libpython3_6m1_0-32bit-3.6.9-lp151.6.4.1 as a component of openSUSE Leap 15.1 python3-3.6.9-lp151.6.4.1 as a component of openSUSE Leap 15.1 python3-32bit-3.6.9-lp151.6.4.1 as a component of openSUSE Leap 15.1 python3-base-3.6.9-lp151.6.4.1 as a component of openSUSE Leap 15.1 python3-base-32bit-3.6.9-lp151.6.4.1 as a component of openSUSE Leap 15.1 python3-curses-3.6.9-lp151.6.4.1 as a component of openSUSE Leap 15.1 python3-dbm-3.6.9-lp151.6.4.1 as a component of openSUSE Leap 15.1 python3-devel-3.6.9-lp151.6.4.1 as a component of openSUSE Leap 15.1 python3-idle-3.6.9-lp151.6.4.1 as a component of openSUSE Leap 15.1 python3-testsuite-3.6.9-lp151.6.4.1 as a component of openSUSE Leap 15.1 python3-tk-3.6.9-lp151.6.4.1 as a component of openSUSE Leap 15.1 python3-tools-3.6.9-lp151.6.4.1 as a component of openSUSE Leap 15.1 An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally. CVE-2019-16056 openSUSE Leap 15.1:libpython3_6m1_0-3.6.9-lp151.6.4.1 openSUSE Leap 15.1:libpython3_6m1_0-32bit-3.6.9-lp151.6.4.1 openSUSE Leap 15.1:python3-3.6.9-lp151.6.4.1 openSUSE Leap 15.1:python3-32bit-3.6.9-lp151.6.4.1 openSUSE Leap 15.1:python3-base-3.6.9-lp151.6.4.1 openSUSE Leap 15.1:python3-base-32bit-3.6.9-lp151.6.4.1 openSUSE Leap 15.1:python3-curses-3.6.9-lp151.6.4.1 openSUSE Leap 15.1:python3-dbm-3.6.9-lp151.6.4.1 openSUSE Leap 15.1:python3-devel-3.6.9-lp151.6.4.1 openSUSE Leap 15.1:python3-idle-3.6.9-lp151.6.4.1 openSUSE Leap 15.1:python3-testsuite-3.6.9-lp151.6.4.1 openSUSE Leap 15.1:python3-tk-3.6.9-lp151.6.4.1 openSUSE Leap 15.1:python3-tools-3.6.9-lp151.6.4.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/opensuse-security-announce/2019-11/msg00012.html https://www.suse.com/security/cve/CVE-2019-16056.html CVE-2019-16056 https://bugzilla.suse.com/1149955 SUSE Bug 1149955 The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server. CVE-2019-16935 openSUSE Leap 15.1:libpython3_6m1_0-3.6.9-lp151.6.4.1 openSUSE Leap 15.1:libpython3_6m1_0-32bit-3.6.9-lp151.6.4.1 openSUSE Leap 15.1:python3-3.6.9-lp151.6.4.1 openSUSE Leap 15.1:python3-32bit-3.6.9-lp151.6.4.1 openSUSE Leap 15.1:python3-base-3.6.9-lp151.6.4.1 openSUSE Leap 15.1:python3-base-32bit-3.6.9-lp151.6.4.1 openSUSE Leap 15.1:python3-curses-3.6.9-lp151.6.4.1 openSUSE Leap 15.1:python3-dbm-3.6.9-lp151.6.4.1 openSUSE Leap 15.1:python3-devel-3.6.9-lp151.6.4.1 openSUSE Leap 15.1:python3-idle-3.6.9-lp151.6.4.1 openSUSE Leap 15.1:python3-testsuite-3.6.9-lp151.6.4.1 openSUSE Leap 15.1:python3-tk-3.6.9-lp151.6.4.1 openSUSE Leap 15.1:python3-tools-3.6.9-lp151.6.4.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/opensuse-security-announce/2019-11/msg00012.html https://www.suse.com/security/cve/CVE-2019-16935.html CVE-2019-16935 https://bugzilla.suse.com/1153238 SUSE Bug 1153238