Security update for python3 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2016:2859-1 Final 1 1 2016-11-18T11:42:34Z current 2016-11-18T11:42:34Z 2016-11-18T11:42:34Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for python3 This update provides Python 3.4.5, which brings many fixes and enhancements. The following security issues have been fixed: - CVE-2016-1000110: CGIHandler could have allowed setting of HTTP_PROXY environment variable based on user supplied Proxy request header. (bsc#989523) - CVE-2016-0772: A vulnerability in smtplib could have allowed a MITM attacker to perform a startTLS stripping attack. (bsc#984751) - CVE-2016-5636: A heap overflow in Python's zipimport module. (bsc#985177) - CVE-2016-5699: A header injection flaw in urrlib2/urllib/httplib/http.client. (bsc#985348) The update also includes the following non-security fixes: - Don't force 3rd party C extensions to be built with -Werror=declaration-after-statement. (bsc#951166) - Make urllib proxy var handling behave as usual on POSIX. (bsc#983582) For a comprehensive list of changes please refer to the upstream change log: https://docs.python.org/3.4/whatsnew/changelog.html The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-DESKTOP-12-SP2-2016-1676,SUSE-SLE-RPI-12-SP2-2016-1676,SUSE-SLE-SDK-12-SP2-2016-1676,SUSE-SLE-SERVER-12-SP2-2016-1676 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2016/suse-su-20162859-1/ Link for SUSE-SU-2016:2859-1 https://lists.suse.com/pipermail/sle-security-updates/2016-November/002407.html E-Mail link for SUSE-SU-2016:2859-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/951166 SUSE Bug 951166 https://bugzilla.suse.com/983582 SUSE Bug 983582 https://bugzilla.suse.com/984751 SUSE Bug 984751 https://bugzilla.suse.com/985177 SUSE Bug 985177 https://bugzilla.suse.com/985348 SUSE Bug 985348 https://bugzilla.suse.com/989523 SUSE Bug 989523 https://bugzilla.suse.com/991069 SUSE Bug 991069 https://www.suse.com/security/cve/CVE-2016-0772/ SUSE CVE CVE-2016-0772 page https://www.suse.com/security/cve/CVE-2016-1000110/ SUSE CVE CVE-2016-1000110 page https://www.suse.com/security/cve/CVE-2016-5636/ SUSE CVE CVE-2016-5636 page https://www.suse.com/security/cve/CVE-2016-5699/ SUSE CVE CVE-2016-5699 page SUSE Linux Enterprise Desktop 12 SP2 SUSE Linux Enterprise Server 12 SP2 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2 SUSE Linux Enterprise Server for SAP Applications 12 SP2 SUSE Linux Enterprise Software Development Kit 12 SP2 libpython3_4m1_0-3.4.5-19.1 python3-3.4.5-19.1 python3-base-3.4.5-19.1 python3-curses-3.4.5-19.1 python3-devel-3.4.5-19.1 libpython3_4m1_0-3.4.5-19.1 as a component of SUSE Linux Enterprise Desktop 12 SP2 python3-3.4.5-19.1 as a component of SUSE Linux Enterprise Desktop 12 SP2 python3-base-3.4.5-19.1 as a component of SUSE Linux Enterprise Desktop 12 SP2 python3-curses-3.4.5-19.1 as a component of SUSE Linux Enterprise Desktop 12 SP2 libpython3_4m1_0-3.4.5-19.1 as a component of SUSE Linux Enterprise Server 12 SP2 python3-3.4.5-19.1 as a component of SUSE Linux Enterprise Server 12 SP2 python3-base-3.4.5-19.1 as a component of SUSE Linux Enterprise Server 12 SP2 python3-curses-3.4.5-19.1 as a component of SUSE Linux Enterprise Server 12 SP2 libpython3_4m1_0-3.4.5-19.1 as a component of SUSE Linux Enterprise Server for Raspberry Pi 12 SP2 python3-3.4.5-19.1 as a component of SUSE Linux Enterprise Server for Raspberry Pi 12 SP2 python3-base-3.4.5-19.1 as a component of SUSE Linux Enterprise Server for Raspberry Pi 12 SP2 python3-curses-3.4.5-19.1 as a component of SUSE Linux Enterprise Server for Raspberry Pi 12 SP2 libpython3_4m1_0-3.4.5-19.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP2 python3-3.4.5-19.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP2 python3-base-3.4.5-19.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP2 python3-curses-3.4.5-19.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP2 python3-devel-3.4.5-19.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP2 The smtplib library in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 does not return an error when StartTLS fails, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a "StartTLS stripping attack." CVE-2016-0772 SUSE Linux Enterprise Desktop 12 SP2:libpython3_4m1_0-3.4.5-19.1 SUSE Linux Enterprise Desktop 12 SP2:python3-3.4.5-19.1 SUSE Linux Enterprise Desktop 12 SP2:python3-base-3.4.5-19.1 SUSE Linux Enterprise Desktop 12 SP2:python3-curses-3.4.5-19.1 SUSE Linux Enterprise Server 12 SP2:libpython3_4m1_0-3.4.5-19.1 SUSE Linux Enterprise Server 12 SP2:python3-3.4.5-19.1 SUSE Linux Enterprise Server 12 SP2:python3-base-3.4.5-19.1 SUSE Linux Enterprise Server 12 SP2:python3-curses-3.4.5-19.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:libpython3_4m1_0-3.4.5-19.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:python3-3.4.5-19.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:python3-base-3.4.5-19.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:python3-curses-3.4.5-19.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:libpython3_4m1_0-3.4.5-19.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:python3-3.4.5-19.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:python3-base-3.4.5-19.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:python3-curses-3.4.5-19.1 SUSE Linux Enterprise Software Development Kit 12 SP2:python3-devel-3.4.5-19.1 moderate 5.8 AV:N/AC:M/Au:N/C:P/I:P/A:N 5.8 AV:N/AC:M/Au:N/C:P/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20162859-1/ https://www.suse.com/security/cve/CVE-2016-0772.html CVE-2016-0772 https://bugzilla.suse.com/984751 SUSE Bug 984751 The CGIHandler class in Python before 2.7.12 does not protect against the HTTP_PROXY variable name clash in a CGI script, which could allow a remote attacker to redirect HTTP requests. CVE-2016-1000110 SUSE Linux Enterprise Desktop 12 SP2:libpython3_4m1_0-3.4.5-19.1 SUSE Linux Enterprise Desktop 12 SP2:python3-3.4.5-19.1 SUSE Linux Enterprise Desktop 12 SP2:python3-base-3.4.5-19.1 SUSE Linux Enterprise Desktop 12 SP2:python3-curses-3.4.5-19.1 SUSE Linux Enterprise Server 12 SP2:libpython3_4m1_0-3.4.5-19.1 SUSE Linux Enterprise Server 12 SP2:python3-3.4.5-19.1 SUSE Linux Enterprise Server 12 SP2:python3-base-3.4.5-19.1 SUSE Linux Enterprise Server 12 SP2:python3-curses-3.4.5-19.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:libpython3_4m1_0-3.4.5-19.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:python3-3.4.5-19.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:python3-base-3.4.5-19.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:python3-curses-3.4.5-19.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:libpython3_4m1_0-3.4.5-19.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:python3-3.4.5-19.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:python3-base-3.4.5-19.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:python3-curses-3.4.5-19.1 SUSE Linux Enterprise Software Development Kit 12 SP2:python3-devel-3.4.5-19.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:P/A:N 5.8 AV:N/AC:M/Au:N/C:P/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20162859-1/ https://www.suse.com/security/cve/CVE-2016-1000110.html CVE-2016-1000110 https://bugzilla.suse.com/988484 SUSE Bug 988484 https://bugzilla.suse.com/989523 SUSE Bug 989523 Integer overflow in the get_data function in zipimport.c in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers to have unspecified impact via a negative data size value, which triggers a heap-based buffer overflow. CVE-2016-5636 SUSE Linux Enterprise Desktop 12 SP2:libpython3_4m1_0-3.4.5-19.1 SUSE Linux Enterprise Desktop 12 SP2:python3-3.4.5-19.1 SUSE Linux Enterprise Desktop 12 SP2:python3-base-3.4.5-19.1 SUSE Linux Enterprise Desktop 12 SP2:python3-curses-3.4.5-19.1 SUSE Linux Enterprise Server 12 SP2:libpython3_4m1_0-3.4.5-19.1 SUSE Linux Enterprise Server 12 SP2:python3-3.4.5-19.1 SUSE Linux Enterprise Server 12 SP2:python3-base-3.4.5-19.1 SUSE Linux Enterprise Server 12 SP2:python3-curses-3.4.5-19.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:libpython3_4m1_0-3.4.5-19.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:python3-3.4.5-19.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:python3-base-3.4.5-19.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:python3-curses-3.4.5-19.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:libpython3_4m1_0-3.4.5-19.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:python3-3.4.5-19.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:python3-base-3.4.5-19.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:python3-curses-3.4.5-19.1 SUSE Linux Enterprise Software Development Kit 12 SP2:python3-devel-3.4.5-19.1 moderate 4.4 AV:L/AC:M/Au:N/C:P/I:P/A:P 10 AV:N/AC:L/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20162859-1/ https://www.suse.com/security/cve/CVE-2016-5636.html CVE-2016-5636 https://bugzilla.suse.com/1065451 SUSE Bug 1065451 https://bugzilla.suse.com/1106262 SUSE Bug 1106262 https://bugzilla.suse.com/985177 SUSE Bug 985177 CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL. CVE-2016-5699 SUSE Linux Enterprise Desktop 12 SP2:libpython3_4m1_0-3.4.5-19.1 SUSE Linux Enterprise Desktop 12 SP2:python3-3.4.5-19.1 SUSE Linux Enterprise Desktop 12 SP2:python3-base-3.4.5-19.1 SUSE Linux Enterprise Desktop 12 SP2:python3-curses-3.4.5-19.1 SUSE Linux Enterprise Server 12 SP2:libpython3_4m1_0-3.4.5-19.1 SUSE Linux Enterprise Server 12 SP2:python3-3.4.5-19.1 SUSE Linux Enterprise Server 12 SP2:python3-base-3.4.5-19.1 SUSE Linux Enterprise Server 12 SP2:python3-curses-3.4.5-19.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:libpython3_4m1_0-3.4.5-19.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:python3-3.4.5-19.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:python3-base-3.4.5-19.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:python3-curses-3.4.5-19.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:libpython3_4m1_0-3.4.5-19.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:python3-3.4.5-19.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:python3-base-3.4.5-19.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:python3-curses-3.4.5-19.1 SUSE Linux Enterprise Software Development Kit 12 SP2:python3-devel-3.4.5-19.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:P/A:N 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20162859-1/ https://www.suse.com/security/cve/CVE-2016-5699.html CVE-2016-5699 https://bugzilla.suse.com/1122729 SUSE Bug 1122729 https://bugzilla.suse.com/1130840 SUSE Bug 1130840 https://bugzilla.suse.com/985348 SUSE Bug 985348 https://bugzilla.suse.com/985351 SUSE Bug 985351 https://bugzilla.suse.com/986630 SUSE Bug 986630