Security update for python SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2019:2393-1 Final 1 1 2019-10-27T19:22:28Z current 2019-10-27T19:22:28Z 2019-10-27T19:22:28Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for python This update for python fixes the following issues: Security issues fixed: - CVE-2019-9947: Fixed an insufficient validation of URL paths with embedded whitespace or control characters that could allow HTTP header injections. (bsc#1130840) - CVE-2019-16056: Fixed a parser issue in the email module. (bsc#1149955) - CVE-2019-16935: Fixed a reflected XSS in python/Lib/DocXMLRPCServer.py (bsc#1153238). This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2019-2393 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/DUNCE6TBYMZ75QK6G6S6XVUETIWV7IX7/#DUNCE6TBYMZ75QK6G6S6XVUETIWV7IX7 E-Mail link for openSUSE-SU-2019:2393-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1130840 SUSE Bug 1130840 https://bugzilla.suse.com/1149955 SUSE Bug 1149955 https://bugzilla.suse.com/1153238 SUSE Bug 1153238 https://www.suse.com/security/cve/CVE-2019-16056/ SUSE CVE CVE-2019-16056 page https://www.suse.com/security/cve/CVE-2019-16935/ SUSE CVE CVE-2019-16935 page https://www.suse.com/security/cve/CVE-2019-9947/ SUSE CVE CVE-2019-9947 page openSUSE Leap 15.1 libpython2_7-1_0-2.7.14-lp151.10.10.2 libpython2_7-1_0-32bit-2.7.14-lp151.10.10.2 python-2.7.14-lp151.10.10.1 python-32bit-2.7.14-lp151.10.10.1 python-base-2.7.14-lp151.10.10.2 python-base-32bit-2.7.14-lp151.10.10.2 python-curses-2.7.14-lp151.10.10.1 python-demo-2.7.14-lp151.10.10.1 python-devel-2.7.14-lp151.10.10.2 python-doc-2.7.14-lp151.10.10.1 python-doc-pdf-2.7.14-lp151.10.10.1 python-gdbm-2.7.14-lp151.10.10.1 python-idle-2.7.14-lp151.10.10.1 python-tk-2.7.14-lp151.10.10.1 python-xml-2.7.14-lp151.10.10.2 libpython2_7-1_0-2.7.14-lp151.10.10.2 as a component of openSUSE Leap 15.1 libpython2_7-1_0-32bit-2.7.14-lp151.10.10.2 as a component of openSUSE Leap 15.1 python-2.7.14-lp151.10.10.1 as a component of openSUSE Leap 15.1 python-32bit-2.7.14-lp151.10.10.1 as a component of openSUSE Leap 15.1 python-base-2.7.14-lp151.10.10.2 as a component of openSUSE Leap 15.1 python-base-32bit-2.7.14-lp151.10.10.2 as a component of openSUSE Leap 15.1 python-curses-2.7.14-lp151.10.10.1 as a component of openSUSE Leap 15.1 python-demo-2.7.14-lp151.10.10.1 as a component of openSUSE Leap 15.1 python-devel-2.7.14-lp151.10.10.2 as a component of openSUSE Leap 15.1 python-doc-2.7.14-lp151.10.10.1 as a component of openSUSE Leap 15.1 python-doc-pdf-2.7.14-lp151.10.10.1 as a component of openSUSE Leap 15.1 python-gdbm-2.7.14-lp151.10.10.1 as a component of openSUSE Leap 15.1 python-idle-2.7.14-lp151.10.10.1 as a component of openSUSE Leap 15.1 python-tk-2.7.14-lp151.10.10.1 as a component of openSUSE Leap 15.1 python-xml-2.7.14-lp151.10.10.2 as a component of openSUSE Leap 15.1 An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally. CVE-2019-16056 openSUSE Leap 15.1:libpython2_7-1_0-2.7.14-lp151.10.10.2 openSUSE Leap 15.1:libpython2_7-1_0-32bit-2.7.14-lp151.10.10.2 openSUSE Leap 15.1:python-2.7.14-lp151.10.10.1 openSUSE Leap 15.1:python-32bit-2.7.14-lp151.10.10.1 openSUSE Leap 15.1:python-base-2.7.14-lp151.10.10.2 openSUSE Leap 15.1:python-base-32bit-2.7.14-lp151.10.10.2 openSUSE Leap 15.1:python-curses-2.7.14-lp151.10.10.1 openSUSE Leap 15.1:python-demo-2.7.14-lp151.10.10.1 openSUSE Leap 15.1:python-devel-2.7.14-lp151.10.10.2 openSUSE Leap 15.1:python-doc-2.7.14-lp151.10.10.1 openSUSE Leap 15.1:python-doc-pdf-2.7.14-lp151.10.10.1 openSUSE Leap 15.1:python-gdbm-2.7.14-lp151.10.10.1 openSUSE Leap 15.1:python-idle-2.7.14-lp151.10.10.1 openSUSE Leap 15.1:python-tk-2.7.14-lp151.10.10.1 openSUSE Leap 15.1:python-xml-2.7.14-lp151.10.10.2 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/DUNCE6TBYMZ75QK6G6S6XVUETIWV7IX7/#DUNCE6TBYMZ75QK6G6S6XVUETIWV7IX7 https://www.suse.com/security/cve/CVE-2019-16056.html CVE-2019-16056 https://bugzilla.suse.com/1149955 SUSE Bug 1149955 The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server. CVE-2019-16935 openSUSE Leap 15.1:libpython2_7-1_0-2.7.14-lp151.10.10.2 openSUSE Leap 15.1:libpython2_7-1_0-32bit-2.7.14-lp151.10.10.2 openSUSE Leap 15.1:python-2.7.14-lp151.10.10.1 openSUSE Leap 15.1:python-32bit-2.7.14-lp151.10.10.1 openSUSE Leap 15.1:python-base-2.7.14-lp151.10.10.2 openSUSE Leap 15.1:python-base-32bit-2.7.14-lp151.10.10.2 openSUSE Leap 15.1:python-curses-2.7.14-lp151.10.10.1 openSUSE Leap 15.1:python-demo-2.7.14-lp151.10.10.1 openSUSE Leap 15.1:python-devel-2.7.14-lp151.10.10.2 openSUSE Leap 15.1:python-doc-2.7.14-lp151.10.10.1 openSUSE Leap 15.1:python-doc-pdf-2.7.14-lp151.10.10.1 openSUSE Leap 15.1:python-gdbm-2.7.14-lp151.10.10.1 openSUSE Leap 15.1:python-idle-2.7.14-lp151.10.10.1 openSUSE Leap 15.1:python-tk-2.7.14-lp151.10.10.1 openSUSE Leap 15.1:python-xml-2.7.14-lp151.10.10.2 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/DUNCE6TBYMZ75QK6G6S6XVUETIWV7IX7/#DUNCE6TBYMZ75QK6G6S6XVUETIWV7IX7 https://www.suse.com/security/cve/CVE-2019-16935.html CVE-2019-16935 https://bugzilla.suse.com/1153238 SUSE Bug 1153238 An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9. CVE-2019-9947 openSUSE Leap 15.1:libpython2_7-1_0-2.7.14-lp151.10.10.2 openSUSE Leap 15.1:libpython2_7-1_0-32bit-2.7.14-lp151.10.10.2 openSUSE Leap 15.1:python-2.7.14-lp151.10.10.1 openSUSE Leap 15.1:python-32bit-2.7.14-lp151.10.10.1 openSUSE Leap 15.1:python-base-2.7.14-lp151.10.10.2 openSUSE Leap 15.1:python-base-32bit-2.7.14-lp151.10.10.2 openSUSE Leap 15.1:python-curses-2.7.14-lp151.10.10.1 openSUSE Leap 15.1:python-demo-2.7.14-lp151.10.10.1 openSUSE Leap 15.1:python-devel-2.7.14-lp151.10.10.2 openSUSE Leap 15.1:python-doc-2.7.14-lp151.10.10.1 openSUSE Leap 15.1:python-doc-pdf-2.7.14-lp151.10.10.1 openSUSE Leap 15.1:python-gdbm-2.7.14-lp151.10.10.1 openSUSE Leap 15.1:python-idle-2.7.14-lp151.10.10.1 openSUSE Leap 15.1:python-tk-2.7.14-lp151.10.10.1 openSUSE Leap 15.1:python-xml-2.7.14-lp151.10.10.2 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/DUNCE6TBYMZ75QK6G6S6XVUETIWV7IX7/#DUNCE6TBYMZ75QK6G6S6XVUETIWV7IX7 https://www.suse.com/security/cve/CVE-2019-9947.html CVE-2019-9947 https://bugzilla.suse.com/1130840 SUSE Bug 1130840 https://bugzilla.suse.com/1136184 SUSE Bug 1136184 https://bugzilla.suse.com/1155094 SUSE Bug 1155094 https://bugzilla.suse.com/1201559 SUSE Bug 1201559