<?xml version="1.0" encoding="UTF-8"?>
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1" xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1">
  <DocumentTitle xml:lang="en">Security update for python-nltk</DocumentTitle>
  <DocumentType>SUSE Patch</DocumentType>
  <DocumentPublisher Type="Vendor">
    <ContactDetails>security@suse.de</ContactDetails>
    <IssuingAuthority>SUSE Security Team</IssuingAuthority>
  </DocumentPublisher>
  <DocumentTracking>
    <Identification>
      <ID>openSUSE-SU-2022:10040-1</ID>
    </Identification>
    <Status>Final</Status>
    <Version>1</Version>
    <RevisionHistory>
      <Revision>
        <Number>1</Number>
        <Date>2022-07-03T14:01:14Z</Date>
        <Description>current</Description>
      </Revision>
    </RevisionHistory>
    <InitialReleaseDate>2022-07-03T14:01:14Z</InitialReleaseDate>
    <CurrentReleaseDate>2022-07-03T14:01:14Z</CurrentReleaseDate>
    <Generator>
      <Engine>cve-database/bin/generate-cvrf.pl</Engine>
      <Date>2017-02-24T01:00:00Z</Date>
    </Generator>
  </DocumentTracking>
  <DocumentNotes>
    <Note Title="Topic" Type="Summary" Ordinal="1" xml:lang="en">Security update for python-nltk</Note>
    <Note Title="Details" Type="General" Ordinal="2" xml:lang="en">This update for python-nltk fixes the following issues:

- Update to 3.7

  - Improve and update the NLTK team page on nltk.org (#2855,
    #2941)
  - Drop support for Python 3.6, support Python 3.10 (#2920)

- Update to 3.6.7

  - Resolve IndexError in `sent_tokenize` and `word_tokenize`
    (#2922)

- Update to 3.6.6

  - Refactor `gensim.doctest` to work for gensim 4.0.0 and up
    (#2914)
  - Add Precision, Recall, F-measure, Confusion Matrix to Taggers
    (#2862)
  - Added warnings if .zip files exist without any corresponding
    .csv files. (#2908)
  - Fix `FileNotFoundError` when the `download_dir` is
    a non-existing nested folder (#2910)
  - Rename omw to omw-1.4 (#2907)
  - Resolve ReDoS opportunity by fixing incorrectly specified
    regex (#2906, boo#1191030, CVE-2021-3828).
  - Support OMW 1.4 (#2899)
  - Deprecate Tree get and set node methods (#2900)
  - Fix broken inaugural test case (#2903)
  - Use Multilingual Wordnet Data from OMW with newer Wordnet
    versions (#2889)
  - Keep NLTK's 'tokenize' module working with pathlib (#2896)
  - Make prettyprinter more readable (#2893)
  - Update links to the nltk book (#2895)
  - Add `CITATION.cff` to nltk (#2880)
  - Resolve serious ReDoS in PunktSentenceTokenizer (#2869)
  - Delete old CI config files (#2881)
  - Improve Tokenize documentation + add TokenizerI as superclass
    for TweetTokenizer (#2878)
  - Fix expected value for BLEU score doctest after changes from
    #2572
  - Add multi Bleu functionality and tests (#2793)
  - Deprecate 'return_str' parameter in NLTKWordTokenizer and
    TreebankWordTokenizer (#2883)
  - Allow empty string in CFG's + more (#2888)
  - Partition `tree.py` module into `tree` package + pickle fix
    (#2863)
  - Fix several TreebankWordTokenizer and NLTKWordTokenizer bugs
    (#2877)
  - Rewind Wordnet data file after each lookup (#2868)
  - Correct __init__ call for SyntaxCorpusReader subclasses
    (#2872)
  - Documentation fixes (#2873)
  - Fix Levenshtein distance for duplicated letters (#2849)
  - Support alternative Wordnet versions (#2860)
  - Remove hundreds of formatting warnings for nltk.org (#2859)
  - Modernize `nltk.org/howto` pages (#2856)
  - Fix Bleu Score smoothing function from taking log(0) (#2839)
  - Update third-party tools to newer versions and remove the
    MaltParser fixed version (#2832)
  - Fix TypeError: _pretty() takes 1 positional argument but 2
    were given in sem/drt.py (#2854)
  - Replace `http` with `https` in most URLs (#2852)

- Update to 3.6.5

  - modernised nltk.org website
  - addressed LGTM.com issues
  - support ZWJ sequence emoji and skin tone modifier emoji in
    TweetTokenizer
  - METEOR evaluation now requires pre-tokenized input
  - Code linting and type hinting
  - implement get_refs function for DrtLambdaExpression
  - Enable automated CoreNLP, Senna, Prover9/Mace4, Megam,
    MaltParser CI tests
  - specify minimum regex version that supports regex.Pattern
  - avoid re.Pattern and regex.Pattern which fail for Python 3.6,
    3.7

- Update to 3.6.4

  - deprecate `nltk.usage(obj)` in favor of `help(obj)`
  - resolve ReDoS vulnerability in Corpus Reader
  - solidify performance tests
  - improve phone number recognition in tweet tokenizer
  - refactored CISTEM stemmer for German
  - identify NLTK Team as the author
  - replace travis badge with github actions badge
  - add SECURITY.md

- Update to 3.6.3

  - Dropped support for Python 3.5
  - Run CI tests on Windows, too
  - Moved from Travis CI to GitHub Actions
  - Code and comment cleanups
  - Visualize WordNet relation graphs using Graphviz
  - Fixed large error in METEOR score
  - Apply isort, pyupgrade, black, added as pre-commit hooks
  - Prevent debug_decisions in Punkt from throwing IndexError
  - Resolved ZeroDivisionError in RIBES with dissimilar sentences
  - Initialize WordNet IC total counts with smoothing value
  - Fixed AttributeError for Arabic ARLSTem2 stemmer
  - Many fixes and improvements to lm language model package
  - Fix bug in nltk.metrics.aline, C_skip = -10
  - Improvements to TweetTokenizer
  - Optional show arg for FreqDist.plot, ConditionalFreqDist.plot
  - edit_distance now computes Damerau-Levenshtein edit-distance

- Update to 3.6.2

  - move test code to nltk/test
  - fix bug in NgramAssocMeasures (order preserving fix)

- Update to 3.6

  - add support for Python 3.9
  - add Tree.fromlist
  - compute Minimum Spanning Tree of unweighted graph using BFS
  - fix bug with infinite loop in Wordnet closure and tree
  - fix bug in calculating BLEU using smoothing method 4
  - Wordnet synset similarities work for all pos
  - new Arabic light stemmer (ARLSTem2)
  - new syllable tokenizer (LegalitySyllableTokenizer)
  - remove nose in favor of pytest

- Update to v3.5

  * add support for Python 3.8
  * drop support for Python 2
  * create NLTK's own Tokenizer class distinct from the Treebank
    reference tokeniser
  * update Vader sentiment analyser
  * fix JSON serialization of some PoS taggers
  * minor improvements in grammar.CFG, Vader, pl196x corpus reader,
    StringTokenizer
  * change implementation of &lt;= and &gt;= for FreqDist so they are
    partial orders
  * make FreqDist iterable
  * correctly handle Penn Treebank trees with an unlabeled branching
    top node

- Update to 3.4.5 (boo#1146427, CVE-2019-14751):</Note>
    <Note Title="Terms of Use" Type="Legal Disclaimer" Ordinal="3" xml:lang="en">The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).</Note>
    <Note Title="Patchnames" Type="Details" Ordinal="4" xml:lang="en">openSUSE-2022-10040</Note>
  </DocumentNotes>
  <DocumentDistribution xml:lang="en">Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0)</DocumentDistribution>
  <DocumentReferences>
    <Reference Type="Self">
      <URL>https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6ZUSFUYB3S2F4VLUQBWFBYRLCIHMR43P/</URL>
      <Description>E-Mail link for openSUSE-SU-2022:10040-1</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/support/security/rating/</URL>
      <Description>SUSE Security Ratings</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1146427</URL>
      <Description>SUSE Bug 1146427</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1191030</URL>
      <Description>SUSE Bug 1191030</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2019-14751/</URL>
      <Description>SUSE CVE CVE-2019-14751 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2021-3828/</URL>
      <Description>SUSE CVE CVE-2021-3828 page</Description>
    </Reference>
  </DocumentReferences>
  <ProductTree xmlns="http://www.icasi.org/CVRF/schema/prod/1.1">
    <Branch Type="Product Family" Name="SUSE Package Hub 15 SP2">
      <Branch Type="Product Name" Name="SUSE Package Hub 15 SP2">
        <FullProductName ProductID="SUSE Package Hub 15 SP2">SUSE Package Hub 15 SP2</FullProductName>
      </Branch>
    </Branch>
    <Branch Type="Product Version" Name="python3-nltk-3.7-bp152.3.3.1">
      <FullProductName ProductID="python3-nltk-3.7-bp152.3.3.1">python3-nltk-3.7-bp152.3.3.1</FullProductName>
    </Branch>
    <Relationship ProductReference="python3-nltk-3.7-bp152.3.3.1" RelationType="Default Component Of" RelatesToProductReference="SUSE Package Hub 15 SP2">
      <FullProductName ProductID="SUSE Package Hub 15 SP2:python3-nltk-3.7-bp152.3.3.1">python3-nltk-3.7-bp152.3.3.1 as a component of SUSE Package Hub 15 SP2</FullProductName>
    </Relationship>
  </ProductTree>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">NLTK Downloader before 3.4.5 is vulnerable to a directory traversal, allowing attackers to write arbitrary files via a ../ (dot dot slash) in an NLTK package (ZIP archive) that is mishandled during extraction.</Note>
    </Notes>
    <CVE>CVE-2019-14751</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Package Hub 15 SP2:python3-nltk-3.7-bp152.3.3.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>5</BaseScore>
        <Vector>AV:N/AC:L/Au:N/C:N/I:P/A:N</Vector>
      </ScoreSet>
    </CVSSScoreSets>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update, use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6ZUSFUYB3S2F4VLUQBWFBYRLCIHMR43P/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2019-14751.html</URL>
        <Description>CVE-2019-14751</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1146427</URL>
        <Description>SUSE Bug 1146427</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="2">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">nltk is vulnerable to Inefficient Regular Expression Complexity</Note>
    </Notes>
    <CVE>CVE-2021-3828</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Package Hub 15 SP2:python3-nltk-3.7-bp152.3.3.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>5</BaseScore>
        <Vector>AV:N/AC:L/Au:N/C:N/I:N/A:P</Vector>
      </ScoreSet>
    </CVSSScoreSets>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update, use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6ZUSFUYB3S2F4VLUQBWFBYRLCIHMR43P/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2021-3828.html</URL>
        <Description>CVE-2021-3828</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1191030</URL>
        <Description>SUSE Bug 1191030</Description>
      </Reference>
    </References>
  </Vulnerability>
</cvrfdoc>
