SUSE Package Hub - SUSE-SLE-Module-Packagehub-Subpackages-15-SP6-2024-1862

Update Info

SUSE-SLE-Module-Packagehub-Subpackages-15-SP6-2024-1862

Security update for python

Type: security

Severity: moderate

Issued: 2024-05-30

Description:

This update for python fixes the following issues:

- CVE-2023-52425: Fixed using the system libexpat (bsc#1219559).
- CVE-2023-27043: Modifed fix for unicode string handling in email.utils.parseaddr() (bsc#1222537).
- CVE-2022-48560: Fixed use-after-free in Python via heappushpop in heapq (bsc#1214675).
- CVE-2024-0450: Detect the vulnerability of the "quoted-overlap" zipbomb (bsc#1221854).

Bug fixes:

- Switch off tests. ONLY FOR FACTORY!!! (bsc#1219306).
- Build with -std=gnu89 to build correctly with gcc14 (bsc#1220970).
- Switch from %patchN style to the %patch -P N one.

References

CVE: CVE-2024-0450
CVE: CVE-2023-52425
CVE: CVE-2023-27043
CVE: CVE-2022-48560
Bugzilla: 1222537 L3-Question: python2: After applying patch SUSE-SLE-SERVER-12-SP5-2024-437 '5.1.3 Bad recipient address syntax'.
Bugzilla: 1221854 VUL-0: CVE-2024-0450: python: The zipfile module is vulnerable to "quoted-overlap"
Bugzilla: 1220970 GCC 14: python package fails
Bugzilla: 1219559 VUL-0: CVE-2023-52425: expat: denial of service (resource consumption) caused by processing large tokens
Bugzilla: 1219306 [TRACKER] Remove python2 from openSUSE:Factory
Bugzilla: 1214675 VUL-0: CVE-2022-48560: python3: A use-after-free exists in Python through 3.9 via heappushpop in heapq

Packages

python-2.7.18-150000.65.1

python-base-2.7.18-150000.65.1