SUSE Container Update Advisory: bci/python
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2022:3048-1
Container Tags        : bci/python:3 , bci/python:3.10 , bci/python:3.10-7.31 , bci/python:latest
Container Release     : 7.31
Severity              : important
Type                  : security
References            : 1177460 1199944 1202324 1204179 1204649 1204886 1204968 1205156
                        1205244 CVE-2022-1664 CVE-2022-3821 CVE-2022-42919 CVE-2022-45061
-----------------------------------------------------------------

The container bci/python was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3999-1
Released:    Tue Nov 15 17:08:04 2022
Summary:     Security update for systemd
Type:        security
Severity:    moderate
References:  1204179,1204968,CVE-2022-3821
This update for systemd fixes the following issues:

- CVE-2022-3821: Fixed buffer overrun in format_timespan() function (bsc#1204968).

- Import commit 0cd50eedcc0692c1f907b24424215f8db7d3b428
  * 0469b9f2bc pstore: do not try to load all known pstore modules
  * ad05f54439 pstore: Run after modules are loaded
  * ccad817445 core: Add trigger limit for path units
  * 281d818fe3 core/mount: also add default before dependency for automount mount units
  * ffe5b4afa8 logind: fix crash in logind on user-specified message string

- Document udev naming scheme (bsc#1204179)
- Keep the 'sle15-sp3' network interface naming scheme available for
  backward compatibility

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:4004-1
Released:    Tue Nov 15 17:10:13 2022
Summary:     Security update for python310
Type:        security
Severity:    important
References:  1204886,1205244,CVE-2022-42919,CVE-2022-45061
This update for python310 fixes the following issues:

Security fixes:

- CVE-2022-42919: Fixed local privilege escalation via the multiprocessing forkserver start method (bsc#1204886).
- CVE-2022-45061: Fixed a quadratic IDNA decoding time (bsc#1205244).

Other fixes:

- allow building of documentation with the latest Sphinx 5.3.0 (gh#python/cpython#98366).

- Update to 3.10.8:
  - Fix multiplying a list by an integer (list *= int): detect
    the integer overflow when the new allocated length is close
    to the maximum size.
  - Fix a shell code injection vulnerability in the
    get-remote-certificate.py example script. The script no
    longer uses a shell to run openssl commands. (originally
    filed as CVE-2022-37460, later withdrawn)
  - Fix command line parsing: reject -X int_max_str_digits option
    with no value (invalid) when the PYTHONINTMAXSTRDIGITS
    environment variable is set to a valid limit.
  - When ValueError is raised if an integer is larger than the
    limit, mention the sys.set_int_max_str_digits() function in
    the error message.
  - The deprecated mailcap module now refuses to inject unsafe
    text (filenames, MIME types, parameters) into shell
    commands. Instead of using such text, it will warn and act
    as if a match was not found (or for test commands, as if the
    test failed).
  - os.sched_yield() now releases the GIL while calling
    sched_yield(2).
  - Bugfix: PyFunction_GetAnnotations() should return a borrowed
    reference. It was returning a new reference.
  - Fixed a missing incref/decref pair in
    Exception.__setstate__().
  - Fix overly-broad source position information for chained
    comparisons used as branching conditions.
  - Fix undefined behaviour in _testcapimodule.c.
  - At Python exit, sometimes a thread holding the GIL can
    wait forever for a thread (usually a daemon thread) which
    requested to drop the GIL, whereas the thread already
    exited. To fix the race condition, the thread which requested
    the GIL drop now resets its request before exiting.
  - Fix a possible assertion failure, fatal error, or SystemError
    if a line tracing event raises an exception while opcode
    tracing is enabled.
  - Fix undefined behaviour in C code of null pointer arithmetic.
  - Do not expose KeyWrapper in _functools.
  - When loading a file with invalid UTF-8 inside a multi-line
    string, a correct SyntaxError is emitted.
  - Disable incorrect pickling of the C implemented classmethod
    descriptors.
  - Fix AttributeError missing name and obj attributes in
    object.__getattribute__().
  - bpo-42316: Document some places where an assignment
    expression needs parentheses.
  - Wrap network errors consistently in urllib FTP support, so
    the test suite doesn’t fail when a network is available but
    the public internet is not reachable.
  - Fixes AttributeError when subprocess.check_output() is used
    with argument input=None and either of the arguments encoding
    or errors are used.
  - Avoid spurious tracebacks from asyncio when default executor
    cleanup is delayed until after the event loop is closed (e.g.
    as the result of a keyboard interrupt).
  - Avoid a crash in the C version of
    asyncio.Future.remove_done_callback() when an evil argument
    is passed.
  - Remove tokenize.NL check from tabnanny.
  - Make Semaphore run faster.
  - Fix generation of the default name of
    tkinter.Checkbutton. Previously, checkbuttons in different
    parent widgets could have the same short name and share
    the same state if arguments “name” and “variable” are not
    specified. Now they are globally unique.
  - Update bundled libexpat to 2.4.9
  - Fix race condition in asyncio where process_exited() called
    before the pipe_data_received() leading to inconsistent
    output.
  - Fixed check in multiprocessing.resource_tracker that
    guarantees that the length of a write to a pipe is not
    greater than PIPE_BUF.
  - Corrected type annotation for dataclass attribute
    pstats.FunctionProfile.ncalls to be str.
  - Fix the faulthandler implementation of
    faulthandler.register(signal, chain=True) if the sigaction()
    function is not available: don’t call the previous signal
    handler if it’s NULL.
  - In inspect, fix overeager replacement of “typing.” in
    formatting annotations.
  - Fix asyncio.streams.StreamReaderProtocol to keep a strong
    reference to the created task, so that it's not garbage
    collected.
  - Fix handling compiler warnings (SyntaxWarning and
    DeprecationWarning) in codeop.compile_command() when checking
    for incomplete input. Previously it emitted warnings and
    raised a SyntaxError. Now it always returns None for
    incomplete input without emitting any warnings.
  - Fixed flickering of the turtle window when the tracer is
    turned off.
  - Allow asyncio.StreamWriter.drain() to be awaited concurrently
    by multiple tasks.
  - Fix broken asyncio.Semaphore when acquire is cancelled.
  - Fix ast.unparse() when ImportFrom.level is None.
  - Improve performance of urllib.request.getproxies_environment
    when there are many environment variables.
  - Fix ! in c domain ref target syntax via a conf.py patch, so
    it works as intended to disable ref target resolution.
  - Clarified the conflicting advice given in the ast
    documentation about ast.literal_eval() being “safe” for use
    on untrusted input while at the same time warning that it
    can crash the process. The latter statement is true and is
    deemed unfixable without a large amount of work unsuitable
    for a bugfix. So we keep the warning and no longer claim that
    literal_eval is safe.
  - Update tutorial introduction output to use 3.10+ SyntaxError
    invalid range.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:4066-1
Released:    Fri Nov 18 10:43:00 2022
Summary:     Recommended update for timezone
Type:        recommended
Severity:    important
References:  1177460,1202324,1204649,1205156
This update for timezone fixes the following issues:

Update timezone version from 2022a to 2022f (bsc#1177460, bsc#1204649, bsc#1205156):

- Mexico will no longer observe DST except near the US border
- Chihuahua moves to year-round -06 on 2022-10-30
- Fiji no longer observes DST
- In vanguard form, GMT is now a Zone and Etc/GMT a link
- zic now supports links to links, and vanguard form uses this
- Simplify four Ontario zones
- Fix a Y2438 bug when reading TZif data
- Enable 64-bit time_t on 32-bit glibc platforms
- Omit large-file support when no longer needed
- Jordan and Syria switch from +02/+03 with DST to year-round +03
- Palestine transitions are now Saturdays at 02:00
- Simplify three Ukraine zones into one
- Improve tzselect on intercontinental Zones
- Chile's DST is delayed by a week in September 2022 (bsc#1202324)
- Iran no longer observes DST after 2022
- Rename Europe/Kiev to Europe/Kyiv
- New `zic -R` command option
- Vanguard form now uses %z

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:4081-1
Released:    Fri Nov 18 15:40:46 2022
Summary:     Security update for dpkg
Type:        security
Severity:    low
References:  1199944,CVE-2022-1664
This update for dpkg fixes the following issues:

- CVE-2022-1664: Fixed a directory traversal vulnerability in Dpkg::Source::Archive (bsc#1199944).


The following package changes have been done:

- libudev1-249.12-150400.8.13.1 updated
- libsystemd0-249.12-150400.8.13.1 updated
- timezone-2022f-150000.75.15.1 updated
- update-alternatives-1.19.0.4-150000.4.4.1 updated
- libpython3_10-1_0-3.10.8-150400.4.15.1 updated
- python310-base-3.10.8-150400.4.15.1 updated
- python310-3.10.8-150400.4.15.1 updated
- container:sles15-image-15.0.0-27.14.16 updated
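
To confirm that a running bci/python container actually carries this update, the package list above can be compared against what rpm reports as installed. The script below is an added example, not part of the SUSE advisory or of the BCI project: it reimplements rpm's version-comparison rules (rpmvercmp) in Python, parses `rpm -qa` output in a `NAME VERSION-RELEASE` format, and reports which of the advisory's packages are still older than the fixed build. The constructed sample output, the older version numbers in it, and the helper names are assumptions made for the example; when run inside a real image it queries rpm itself and falls back to the sample where rpm is unavailable.

```python
"""Check an image against the package list of SUSE-CU-2022:3048-1.

Added example, not SUSE's own tooling. rpmvercmp() follows rpm's rules for
numeric vs. alphabetic segments and the '~' pre-release marker; the rarely
used '^' marker is deliberately not handled.
"""
import subprocess

# Fixed versions copied from the advisory's "package changes" list.
REQUIRED = {
    "libudev1": "249.12-150400.8.13.1",
    "libsystemd0": "249.12-150400.8.13.1",
    "timezone": "2022f-150000.75.15.1",
    "update-alternatives": "1.19.0.4-150000.4.4.1",
    "libpython3_10-1_0": "3.10.8-150400.4.15.1",
    "python310-base": "3.10.8-150400.4.15.1",
    "python310": "3.10.8-150400.4.15.1",
}

# Constructed sample of `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'` output
# for a hypothetical image that predates the update; the old numbers are made up.
SAMPLE_RPM_QA = """\
libsystemd0 249.12-150400.8.13.1
libudev1 249.12-150400.8.13.1
timezone 2022a-150000.75.12.1
update-alternatives 1.19.0.4-150000.4.4.1
libpython3_10-1_0 3.10.7-150400.4.9.1
python310-base 3.10.7-150400.4.9.1
python310 3.10.7-150400.4.9.1
"""


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 like rpm: compare segment by segment, numbers as
    numbers, letters as strings, numeric beats alphabetic, '~' sorts first."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Skip separators: anything that is neither alphanumeric nor '~'.
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        a_tilde = i < len(a) and a[i] == "~"
        b_tilde = j < len(b) and b[j] == "~"
        if a_tilde or b_tilde:          # '~' loses even against end of string
            if not a_tilde:
                return 1
            if not b_tilde:
                return -1
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        # Take the next all-digit or all-letter segment from both strings.
        isnum = a[i].isdigit()
        kind = str.isdigit if isnum else str.isalpha
        ia, jb = i, j
        while i < len(a) and kind(a[i]):
            i += 1
        while j < len(b) and kind(b[j]):
            j += 1
        seg_a, seg_b = a[ia:i], b[jb:j]
        if not seg_b:                   # segment types differ: numeric is newer
            return 1 if isnum else -1
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):  # more digits means a larger number
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1     # whoever has characters left wins


def split_vr(vr: str) -> tuple:
    """Split 'VERSION-RELEASE' at the last dash; release is '' if absent."""
    return tuple(vr.rsplit("-", 1)) if "-" in vr else (vr, "")


def vr_cmp(a: str, b: str) -> int:
    va, ra = split_vr(a)
    vb, rb = split_vr(b)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def parse_rpm_qa(text: str) -> dict:
    """Parse 'NAME VERSION-RELEASE' lines into {name: version-release}."""
    installed = {}
    for line in text.splitlines():
        if line.strip():
            name, _, vr = line.strip().partition(" ")
            installed[name] = vr
    return installed


def check_image(rpm_qa_text: str, required: dict = REQUIRED) -> dict:
    """Per-package status: 'ok', 'outdated (have < want)' or 'not installed'."""
    installed = parse_rpm_qa(rpm_qa_text)
    status = {}
    for name, want in required.items():
        have = installed.get(name)
        if have is None:
            status[name] = "not installed"
        elif vr_cmp(have, want) >= 0:
            status[name] = "ok"
        else:
            status[name] = f"outdated ({have} < {want})"
    return status


def image_is_patched(rpm_qa_text: str, required: dict = REQUIRED) -> bool:
    """True when no installed package from the list is below its fixed version."""
    return not any(s.startswith("outdated")
                   for s in check_image(rpm_qa_text, required).values())


if __name__ == "__main__":
    try:
        out = subprocess.run(
            ["rpm", "-qa", "--qf", "%{NAME} %{VERSION}-%{RELEASE}\n"],
            capture_output=True, text=True, check=True).stdout
        source = "this host"
    except (FileNotFoundError, subprocess.CalledProcessError):
        out, source = SAMPLE_RPM_QA, "constructed sample"
    print(f"Checking {source} against SUSE-CU-2022:3048-1:")
    for name, state in check_image(out).items():
        print(f"  {name:22} {state}")
    print("patched" if image_is_patched(out) else "NOT patched")
```

Packages that are not installed at all are reported but do not count against the image, since a slimmed-down derivative may legitimately lack some of them; only an installed package below the listed build fails the check. Comparing with rpmvercmp rather than string equality matters because a later rebuild (for example a higher release number from a subsequent advisory) must also pass.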

SUSE: 2022:3048-1 bci/python Security Update

November 19, 2022