Security update for python-numpy SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2019:13951-1 Final 1 1 2019-02-12T11:55:10Z current 2019-02-12T11:55:10Z 2019-02-12T11:55:10Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for python-numpy This update for python-numpy fixes the following issues: Security issue fixed: - CVE-2019-6446: Set allow_pickle to false by default to restrict loading untrusted content (bsc#1122208). With this update we decrease the possibility of allowing remote attackers to execute arbitrary code by misusing numpy.load(). A warning during runtime will show-up when the allow_pickle is not explicitly set. NOTE: By applying this update the behavior of python-numpy changes, which might break your application. In order to get the old behaviour back, you have to explicitly set `allow_pickle` to True. Be aware that this should only be done for trusted input, as loading untrusted input might lead to arbitrary code execution. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). sdksp4-python-numpy-13951,slessp4-python-numpy-13951 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2019/suse-su-201913951-1/ Link for SUSE-SU-2019:13951-1 https://lists.suse.com/pipermail/sle-security-updates/2019-February/005104.html E-Mail link for SUSE-SU-2019:13951-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1122208 SUSE Bug 1122208 https://www.suse.com/security/cve/CVE-2019-6446/ SUSE CVE CVE-2019-6446 page SUSE Linux Enterprise Server 11 SP4 SUSE Linux Enterprise Server for SAP Applications 11 SP4 SUSE Linux Enterprise Software Development Kit 11 SP4 python-numpy-devel-1.8.0-6.4.1 python-numpy-1.8.0-6.4.1 python-numpy-1.8.0-6.4.1 as a component of SUSE Linux Enterprise Server 11 SP4 python-numpy-1.8.0-6.4.1 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4 python-numpy-devel-1.8.0-6.4.1 as a component of SUSE Linux Enterprise Software Development Kit 11 SP4 An issue was discovered in NumPy before 1.16.3. It uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object, as demonstrated by a numpy.load call. NOTE: third parties dispute this issue because it is a behavior that might have legitimate applications in (for example) loading serialized Python object arrays from trusted and authenticated sources. CVE-2019-6446 SUSE Linux Enterprise Server 11 SP4:python-numpy-1.8.0-6.4.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:python-numpy-1.8.0-6.4.1 SUSE Linux Enterprise Software Development Kit 11 SP4:python-numpy-devel-1.8.0-6.4.1 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2019/suse-su-201913951-1/ https://www.suse.com/security/cve/CVE-2019-6446.html CVE-2019-6446 https://bugzilla.suse.com/1122208 SUSE Bug 1122208