Security update for Python

SUSE Security Update: Security update for Python
Announcement ID: SUSE-SU-2014:0997-1
Rating: moderate
References: #827982 #834601 #847135 #856836 #859068 #863741 #872848 #885882
Affected Products:
  • SUSE Linux Enterprise Server 11 SP2 LTSS
  • SUSE Linux Enterprise Server 11 SP1 LTSS

  An update that solves four vulnerabilities and has four fixes is now available. It includes one version update.

    Description:

    Python has been updated to version 2.6.9, which brings many fixes for bugs
    and security issues:

    * SSL Root Certificate validation is now enabled by default.
    (bnc#827982)
    * Fixed an overflow in socket.recvfrom_into(), through which incorrectly
    written Python programs could have been exploited remotely via a buffer
    overrun. (CVE-2014-1912)
    * Multiple unbounded readline() denial-of-service flaws in the Python
    standard library have been fixed. (CVE-2013-1752)
    * Handling of embedded NUL bytes in SSL certificate fields has been fixed.
    (CVE-2013-4238)
    * CGIHTTPServer file disclosure and directory traversal through
    URL-encoded characters have been fixed. (CVE-2014-4650)
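    As an illustration of the unbounded readline() class of flaw (CVE-2013-1752), the following is an added example, not part of the SUSE advisory or of the Python package, showing a bounded line reader in the pattern the upstream fix follows: request one byte more than the limit and reject the line if more comes back. MAX_LINE, LineTooLong, the header-count cap and the sample header blocks are this example's own assumptions.

```python
import io

# Per-line cap, assumed for this example; the upstream fix introduced a
# similar constant for the affected stdlib protocol clients.
MAX_LINE = 65536

class LineTooLong(Exception):
    """Raised when one line would exceed the configured byte limit."""

def read_bounded_line(stream, limit=MAX_LINE):
    """Read one line without buffering more than limit bytes.
    A peer can send a never-terminated line to an unbounded readline() and
    grow the buffer without bound; asking for limit + 1 bytes and checking
    the length stops after at most limit + 1 bytes.
    """
    line = stream.readline(limit + 1)
    if len(line) > limit:
        raise LineTooLong("line exceeds %d bytes" % limit)
    return line

def read_headers(stream, limit=MAX_LINE, max_headers=100):
    """Read RFC 822-style header lines up to the blank terminator line."""
    headers = []
    while True:
        line = read_bounded_line(stream, limit)
        if line in (b"", b"\n", b"\r\n"):
            break  # end of stream or end of header block
        headers.append(line.rstrip(b"\r\n"))
        if len(headers) > max_headers:
            raise LineTooLong("more than %d header lines" % max_headers)
    return headers

def parse_headers(data, limit=MAX_LINE):
    """Parse a header block held in memory as bytes."""
    return read_headers(io.BytesIO(data), limit)

def is_rejected(data, limit=MAX_LINE):
    """True when the block is refused for an over-long line or too many lines."""
    try:
        parse_headers(data, limit)
        return False
    except LineTooLong:
        return True

if __name__ == "__main__":
    # Constructed samples: a normal block and a hostile 1 MiB line with no
    # terminator, the shape of input an unbounded readline() would buffer whole.
    print(parse_headers(b"Content-Type: text/plain\r\nContent-Length: 5\r\n\r\n"))
    print(is_rejected(b"X-Pad: " + b"A" * (1024 * 1024)))  # True
```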

    Additionally, the following non-security issues have been fixed:

    * Turn off OpenSSL's aggressive optimizations that conflict with
    Python's GC. (bnc#859068)
    * Fix usage of MD5 in the hmac module when that digest is not available
    in FIPS mode. (bnc#847135)
    * Update 'urlparse' module to correctly parse IPv6 addresses.
    (bnc#872848)
    * Correctly enable IPv6 support.

    Security Issues:

    * CVE-2013-4238
    * CVE-2014-1912
    * CVE-2013-1752
    * CVE-2014-4650

    Patch Instructions:

    To install this SUSE Security Update use YaST online_update.
    Alternatively you can run the command listed for your product:

    • SUSE Linux Enterprise Server 11 SP2 LTSS:
      zypper in -t patch slessp2-python-201408-9580
    • SUSE Linux Enterprise Server 11 SP1 LTSS:
      zypper in -t patch slessp1-python-201408-9578

    To bring your system up-to-date, use "zypper patch".

    Package List:

    • SUSE Linux Enterprise Server 11 SP2 LTSS (i586 s390x x86_64) [New Version: 2.6.9]:
      • libpython2_6-1_0-2.6.9-0.31.1
      • python-2.6.9-0.31.1
      • python-base-2.6.9-0.31.1
      • python-curses-2.6.9-0.31.1
      • python-demo-2.6.9-0.31.1
      • python-devel-2.6.9-0.31.1
      • python-gdbm-2.6.9-0.31.1
      • python-idle-2.6.9-0.31.1
      • python-tk-2.6.9-0.31.1
      • python-xml-2.6.9-0.31.1
    • SUSE Linux Enterprise Server 11 SP2 LTSS (s390x x86_64) [New Version: 2.6.9]:
      • libpython2_6-1_0-32bit-2.6.9-0.31.1
      • python-32bit-2.6.9-0.31.1
      • python-base-32bit-2.6.9-0.31.1
    • SUSE Linux Enterprise Server 11 SP2 LTSS (noarch):
      • python-doc-2.6-8.31.1
      • python-doc-pdf-2.6-8.31.1
    • SUSE Linux Enterprise Server 11 SP1 LTSS (i586 s390x x86_64) [New Version: 2.6.9]:
      • libpython2_6-1_0-2.6.9-0.31.1
      • python-2.6.9-0.31.1
      • python-base-2.6.9-0.31.1
      • python-curses-2.6.9-0.31.1
      • python-demo-2.6.9-0.31.1
      • python-devel-2.6.9-0.31.1
      • python-gdbm-2.6.9-0.31.1
      • python-idle-2.6.9-0.31.1
      • python-tk-2.6.9-0.31.1
      • python-xml-2.6.9-0.31.1
    • SUSE Linux Enterprise Server 11 SP1 LTSS (s390x x86_64) [New Version: 2.6.9]:
      • libpython2_6-1_0-32bit-2.6.9-0.31.1
      • python-32bit-2.6.9-0.31.1
      • python-base-32bit-2.6.9-0.31.1
    • SUSE Linux Enterprise Server 11 SP1 LTSS (noarch):
      • python-doc-2.6-8.31.1
      • python-doc-pdf-2.6-8.31.1

    References:

    • http://support.novell.com/security/cve/CVE-2013-1752.html
    • http://support.novell.com/security/cve/CVE-2013-4238.html
    • http://support.novell.com/security/cve/CVE-2014-1912.html
    • http://support.novell.com/security/cve/CVE-2014-4650.html
    • https://bugzilla.novell.com/827982
    • https://bugzilla.novell.com/834601
    • https://bugzilla.novell.com/847135
    • https://bugzilla.novell.com/856836
    • https://bugzilla.novell.com/859068
    • https://bugzilla.novell.com/863741
    • https://bugzilla.novell.com/872848
    • https://bugzilla.novell.com/885882
    • http://download.suse.com/patch/finder/?keywords=3734a6c4dfebe291c8b56ac4755caac3
    • http://download.suse.com/patch/finder/?keywords=faa004881aeeffec0fab415382594ba8