SUSE Security Update: Security update for python310
______________________________________________________________________________

Announcement ID:    SUSE-SU-2022:4004-1
Rating:             important
References:         #1204886 #1205244 
Cross-References:   CVE-2022-42919 CVE-2022-45061
CVSS scores:
                    CVE-2022-42919 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2022-42919 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2022-45061 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2022-45061 (SUSE): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Affected Products:
                    SUSE Linux Enterprise Desktop 15-SP4
                    SUSE Linux Enterprise High Performance Computing 15-SP4
                    SUSE Linux Enterprise Module for Python3 15-SP4
                    SUSE Linux Enterprise Server 15-SP4
                    SUSE Linux Enterprise Server for SAP Applications 15-SP4
                    SUSE Manager Proxy 4.3
                    SUSE Manager Retail Branch Server 4.3
                    SUSE Manager Server 4.3
                    openSUSE Leap 15.4
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   This update for python310 fixes the following issues:

   Security fixes:

   - CVE-2022-42919: Fixed local privilege escalation via the multiprocessing
     forkserver start method (bsc#1204886).
   - CVE-2022-45061: Fixed a quadratic IDNA decoding time (bsc#1205244).
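CVE-2022-45061 is a quadratic-time path in Python's IDNA decoder that a crafted, unreasonably long name can trigger. Independently of the interpreter fix, a caller that enforces the DNS size limits (63 octets per label, 253 octets for a whole name, per RFC 1035) before invoking the codec never hands it that input. The following is an added example written for this page; it is not code from the SUSE advisory or from CPython, and all function and exception names in it are the example's own choices.

```python
"""Defensive hostname pre-check (added example, not part of the advisory
or of CPython). Bounds the work handed to Python's IDNA codec by
enforcing RFC 1035 size limits on the raw input first."""

MAX_LABEL_OCTETS = 63   # RFC 1035 label limit
MAX_NAME_OCTETS = 253   # RFC 1035 limit for a full name on the wire


class HostnameTooLong(ValueError):
    """Raised when a name or label exceeds the DNS size limits."""


def check_hostname_shape(host: str) -> None:
    """Reject over-long or malformed names before any IDNA processing.

    Runs on the raw input, so lengths are measured in characters; for the
    ASCII form that equals the wire length in octets. A Unicode label that
    passes here may still grow past 63 when Punycode-encoded, in which
    case the codec itself rejects it with a UnicodeError."""
    stripped = host.rstrip(".")          # one trailing dot is legal (FQDN)
    if not stripped:
        raise ValueError("empty hostname")
    if len(stripped) > MAX_NAME_OCTETS:
        raise HostnameTooLong(
            f"hostname is {len(stripped)} characters, limit is {MAX_NAME_OCTETS}")
    for label in stripped.split("."):
        if not label:
            raise ValueError("empty label in hostname")
        if len(label) > MAX_LABEL_OCTETS:
            raise HostnameTooLong(
                f"label is {len(label)} characters, limit is {MAX_LABEL_OCTETS}")


def to_ascii(host: str) -> str:
    """Unicode hostname -> ASCII (Punycode) form, with limits enforced before
    and after encoding. The pre-check keeps the codec from seeing a huge
    label; the post-check catches Punycode expansion pushing the whole name
    past 253 octets, a total-length limit the codec does not verify."""
    check_hostname_shape(host)
    ascii_host = host.encode("idna").decode("ascii")
    check_hostname_shape(ascii_host)
    return ascii_host


def to_unicode(host: str) -> str:
    """ASCII (Punycode) hostname -> Unicode form. The pre-check runs on the
    ASCII input, so the decoder never receives a label over 63 octets."""
    check_hostname_shape(host)
    return host.encode("ascii").decode("idna")


def is_well_formed(host: str) -> bool:
    """True if the name passes the shape check and encodes cleanly. Every
    codec error is a ValueError subclass (UnicodeError derives from it), so
    one except clause covers both our checks and the codec's rejections."""
    try:
        to_ascii(host)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs: one real IDN and one label one character over the limit.
    print(to_ascii("bücher.example"))               # xn--bcher-kva.example
    print(to_unicode("xn--bcher-kva.example"))      # bücher.example
    print(is_well_formed("a" * 64 + ".example"))    # False
```

The pre-check is cheap and linear, so placing it in front of every `.encode("idna")` / `.decode("idna")` call site (URL parsers, TLS SNI handling, mail address validation) costs nothing measurable while removing the oversized-label case entirely.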

   Other fixes:

   - allow building of documentation with the latest Sphinx 5.3.0
     (gh#python/cpython#98366).

   - Update to 3.10.8:
     - Fix multiplying a list by an integer (list *= int): detect the integer
       overflow when the new allocated length is close to the maximum size.
     - Fix a shell code injection vulnerability in the
       get-remote-certificate.py example script. The script no longer uses a
       shell to run openssl commands. (originally filed as CVE-2022-37460,
       later withdrawn)
     - Fix command line parsing: reject -X int_max_str_digits option with no
       value (invalid) when the PYTHONINTMAXSTRDIGITS environment variable is
       set to a valid limit.
     - When ValueError is raised if an integer is larger than the limit,
       mention the sys.set_int_max_str_digits() function in the error message.
     - The deprecated mailcap module now refuses to inject unsafe text
       (filenames, MIME types, parameters) into shell commands. Instead of
       using such text, it will warn and act as if a match was not found (or
       for test commands, as if the test failed).
     - os.sched_yield() now releases the GIL while calling sched_yield(2).
     - Bugfix: PyFunction_GetAnnotations() should return a borrowed
       reference. It was returning a new reference.
     - Fixed a missing incref/decref pair in Exception.__setstate__().
     - Fix overly-broad source position information for chained comparisons
       used as branching conditions.
     - Fix undefined behaviour in _testcapimodule.c.
     - At Python exit, sometimes a thread holding the GIL can wait forever
       for a thread (usually a daemon thread) which requested to drop the
       GIL, whereas the thread already exited. To fix the race condition, the
       thread which requested the GIL drop now resets its request before
       exiting.
     - Fix a possible assertion failure, fatal error, or SystemError if a
       line tracing event raises an exception while opcode tracing is enabled.
     - Fix undefined behaviour in C code of null pointer arithmetic.
     - Do not expose KeyWrapper in _functools.
     - When loading a file with invalid UTF-8 inside a multi-line string, a
       correct SyntaxError is emitted.
     - Disable incorrect pickling of the C implemented classmethod
       descriptors.
     - Fix AttributeError missing name and obj attributes in
       object.__getattribute__().
     - bpo-42316: Document some places where an assignment expression needs
       parentheses.
     - Wrap network errors consistently in urllib FTP support, so the test
       suite doesn’t fail when a network is available but the public
       internet is not reachable.
     - Fixes AttributeError when subprocess.check_output() is used with
       argument input=None and either of the arguments encoding
       or errors are used.
     - Avoid spurious tracebacks from asyncio when default executor cleanup
       is delayed until after the event loop is closed (e.g. as the result of
       a keyboard interrupt).
     - Avoid a crash in the C version of
       asyncio.Future.remove_done_callback() when an evil argument is passed.
     - Remove tokenize.NL check from tabnanny.
     - Make Semaphore run faster.
     - Fix generation of the default name of tkinter.Checkbutton. Previously,
       checkbuttons in different parent widgets could have the same short
       name and share the same state if arguments “name” and
       “variable” are not specified. Now they are globally unique.
     - Update bundled libexpat to 2.4.9
     - Fix race condition in asyncio where process_exited() called before the
       pipe_data_received() leading to inconsistent
       output.
     - Fixed check in multiprocessing.resource_tracker that guarantees that
       the length of a write to a pipe is not greater than PIPE_BUF.
     - Corrected type annotation for dataclass attribute
       pstats.FunctionProfile.ncalls to be str.
     - Fix the faulthandler implementation of faulthandler.register(signal,
       chain=True) if the sigaction() function is not available: don’t call
       the previous signal handler if it’s NULL.
     - In inspect, fix overeager replacement of “typing.” in formatting
       annotations.
     - Fix asyncio.streams.StreamReaderProtocol to keep a strong reference to
       the created task, so that it’s not garbage collected.
     - Fix handling compiler warnings (SyntaxWarning and DeprecationWarning)
       in codeop.compile_command() when checking for incomplete input.
       Previously it emitted warnings and raised a SyntaxError. Now it always
       returns None for incomplete input without emitting any warnings.
     - Fixed flickering of the turtle window when the tracer is turned off.
     - Allow asyncio.StreamWriter.drain() to be awaited concurrently by
       multiple tasks.
     - Fix broken asyncio.Semaphore when acquire is cancelled.
     - Fix ast.unparse() when ImportFrom.level is None.
     - Improve performance of urllib.request.getproxies_environment when
       there are many environment variables.
     - Fix ! in c domain ref target syntax via a conf.py patch, so it works
       as intended to disable ref target resolution.
     - Clarified the conflicting advice given in the ast documentation about
       ast.literal_eval() being “safe” for use
       on untrusted input while at the same time warning that it can crash
        the process. The latter statement is true and is deemed unfixable
        without a large amount of work unsuitable for a bugfix. So we keep
        the warning and no longer claim that literal_eval is safe.
     - Update tutorial introduction output to use 3.10+ SyntaxError invalid
       range.


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Leap 15.4:

      zypper in -t patch openSUSE-SLE-15.4-2022-4004=1

   - SUSE Linux Enterprise Module for Python3 15-SP4:

      zypper in -t patch SUSE-SLE-Module-Python3-15-SP4-2022-4004=1
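   After the patch is installed, the check a practitioner wants is whether the
   installed python310 is at or past the fixed build. The POSIX sh script below
   is an added example and not part of the SUSE advisory: the fixed
   version-release string comes from this advisory's package list, RPM version
   ordering is approximated with sort -V (zypper's own patch status or
   rpmdev-vercmp is authoritative for edge cases), and the rpm -q --qf query is
   the standard form for reading an installed package's version and release.
   The version strings used in the usage section are constructed samples.

```sh
#!/bin/sh
# Added example, not from the SUSE advisory: verify that the installed
# python310 package is at or above the fixed release from SUSE-SU-2022:4004-1.

FIXED_VERSION="3.10.8-150400.4.15.1"   # fixed version-release from the advisory's package list

# version_ge A B -> exit status 0 if A >= B.
# RPM ordering is approximated with sort -V: the smaller of the two strings
# sorts first, so A >= B exactly when B is the first line of the sorted pair.
version_ge() {
    [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | head -n 1)" = "$2" ]
}

# is_fixed "<version-release>" -> 0 if patched, 1 if still at a vulnerable build.
is_fixed() {
    version_ge "$1" "$FIXED_VERSION"
}

# Live check on the local host; skipped cleanly where rpm is not available.
check_installed() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not available; skipping live check"
        return 0
    fi
    installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' python310 2>/dev/null) || {
        echo "python310 is not installed on this host"
        return 0
    }
    if is_fixed "$installed"; then
        echo "python310 $installed: fixed"
        return 0
    fi
    echo "python310 $installed: VULNERABLE, needs >= $FIXED_VERSION"
    return 1
}

# Usage with constructed sample versions, then the live check.
is_fixed "3.10.8-150400.4.15.1" && echo "3.10.8-150400.4.15.1: fixed"
is_fixed "3.10.7-150400.4.12.1" || echo "3.10.7-150400.4.12.1: vulnerable"
check_installed
```

   The script returns non-zero only when python310 is installed and below the
   fixed build, so it can be dropped into a configuration-management or
   monitoring run unchanged; a missing rpm or an absent package is reported but
   not treated as a failure.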



Package List:

   - openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64):

      libpython3_10-1_0-3.10.8-150400.4.15.1
      libpython3_10-1_0-debuginfo-3.10.8-150400.4.15.1
      python310-3.10.8-150400.4.15.1
      python310-base-3.10.8-150400.4.15.1
      python310-base-debuginfo-3.10.8-150400.4.15.1
      python310-core-debugsource-3.10.8-150400.4.15.1
      python310-curses-3.10.8-150400.4.15.1
      python310-curses-debuginfo-3.10.8-150400.4.15.1
      python310-dbm-3.10.8-150400.4.15.1
      python310-dbm-debuginfo-3.10.8-150400.4.15.1
      python310-debuginfo-3.10.8-150400.4.15.1
      python310-debugsource-3.10.8-150400.4.15.1
      python310-devel-3.10.8-150400.4.15.1
      python310-doc-3.10.8-150400.4.15.1
      python310-doc-devhelp-3.10.8-150400.4.15.1
      python310-idle-3.10.8-150400.4.15.1
      python310-testsuite-3.10.8-150400.4.15.1
      python310-testsuite-debuginfo-3.10.8-150400.4.15.1
      python310-tk-3.10.8-150400.4.15.1
      python310-tk-debuginfo-3.10.8-150400.4.15.1
      python310-tools-3.10.8-150400.4.15.1

   - openSUSE Leap 15.4 (x86_64):

      libpython3_10-1_0-32bit-3.10.8-150400.4.15.1
      libpython3_10-1_0-32bit-debuginfo-3.10.8-150400.4.15.1
      python310-32bit-3.10.8-150400.4.15.1
      python310-32bit-debuginfo-3.10.8-150400.4.15.1
      python310-base-32bit-3.10.8-150400.4.15.1
      python310-base-32bit-debuginfo-3.10.8-150400.4.15.1

   - SUSE Linux Enterprise Module for Python3 15-SP4 (aarch64 ppc64le s390x x86_64):

      libpython3_10-1_0-3.10.8-150400.4.15.1
      libpython3_10-1_0-debuginfo-3.10.8-150400.4.15.1
      python310-3.10.8-150400.4.15.1
      python310-base-3.10.8-150400.4.15.1
      python310-base-debuginfo-3.10.8-150400.4.15.1
      python310-core-debugsource-3.10.8-150400.4.15.1
      python310-curses-3.10.8-150400.4.15.1
      python310-curses-debuginfo-3.10.8-150400.4.15.1
      python310-dbm-3.10.8-150400.4.15.1
      python310-dbm-debuginfo-3.10.8-150400.4.15.1
      python310-debuginfo-3.10.8-150400.4.15.1
      python310-debugsource-3.10.8-150400.4.15.1
      python310-devel-3.10.8-150400.4.15.1
      python310-idle-3.10.8-150400.4.15.1
      python310-tk-3.10.8-150400.4.15.1
      python310-tk-debuginfo-3.10.8-150400.4.15.1
      python310-tools-3.10.8-150400.4.15.1


References:

   https://www.suse.com/security/cve/CVE-2022-42919.html
   https://www.suse.com/security/cve/CVE-2022-45061.html
   https://bugzilla.suse.com/1204886
   https://bugzilla.suse.com/1205244

SUSE: 2022:4004-1 important: python310

November 15, 2022