Security update for python3

SUSE Security Update: Security update for python3
Announcement ID: SUSE-SU-2016:2653-1
Rating: moderate
References: #951166 #983582 #984751 #985177 #985348 #989523 #991069
Affected Products:
  • SUSE Linux Enterprise Software Development Kit 12-SP1
  • SUSE Linux Enterprise Server 12-SP1
  • SUSE Linux Enterprise Module for Web Scripting 12
  • SUSE Linux Enterprise Desktop 12-SP1

An update that solves four vulnerabilities and has three fixes is now available.

    Description:


    This update provides Python 3.4.5, which brings many fixes and
    enhancements.

    The following security issues have been fixed:

    - CVE-2016-1000110: CGIHandler could have allowed the HTTP_PROXY
    environment variable to be set from a user-supplied Proxy request
    header. (bsc#989523)
    - CVE-2016-0772: A vulnerability in smtplib could have allowed a MITM
    attacker to perform a startTLS stripping attack. (bsc#984751)
    - CVE-2016-5636: A heap overflow in Python's zipimport module. (bsc#985177)
    - CVE-2016-5699: A header injection flaw in
    urllib2/urllib/httplib/http.client. (bsc#985348)
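
    Added example, not part of the SUSE advisory or of Python's own code: it illustrates CVE-2016-1000110 by showing how a CGI-style header mapping turns a client `Proxy` header into `HTTP_PROXY`, how dropping that header on the server side prevents it, and how a patched `urllib.request.getproxies_environment()` ignores `HTTP_PROXY` when `REQUEST_METHOD` is set. The helpers `cgi_environ`, `proxies_seen_by_urllib` and `audit` and the sample headers are constructed for illustration; the urllib result assumes the interpreter already carries the upstream fix.

```python
import os
import urllib.request
from unittest import mock

# Constructed sample request headers; proxy.invalid is a placeholder host.
SAMPLE_HEADERS = {
    "Host": "app.example",
    "Accept": "*/*",
    "Proxy": "http://proxy.invalid:3128",
}


def cgi_environ(headers, strip_proxy=False):
    """Build a CGI-style environment: each header becomes HTTP_<NAME> (RFC 3875).

    With strip_proxy=True the client-supplied Proxy header is dropped first,
    which is the server-side mitigation.
    """
    env = {"REQUEST_METHOD": "GET", "GATEWAY_INTERFACE": "CGI/1.1"}
    for name, value in headers.items():
        if strip_proxy and name.lower() == "proxy":
            continue
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def proxies_seen_by_urllib(env):
    """Return the proxies urllib would pick up if os.environ were `env`."""
    with mock.patch.dict(os.environ, env, clear=True):
        return urllib.request.getproxies_environment()


def audit(headers):
    """Report how the Proxy header propagates at each layer."""
    raw = cgi_environ(headers)
    hardened = cgi_environ(headers, strip_proxy=True)
    # Same variable outside a CGI context (no REQUEST_METHOD), e.g. set by an admin.
    admin_env = {"HTTP_PROXY": raw.get("HTTP_PROXY", "")}
    return {
        "header_reaches_env": "HTTP_PROXY" in raw,
        "hardened_env_clean": "HTTP_PROXY" not in hardened,
        "urllib_in_cgi": proxies_seen_by_urllib(raw),
        "urllib_outside_cgi": proxies_seen_by_urllib(admin_env),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_HEADERS).items():
        print(f"{key}: {value}")
```

    If `urllib_in_cgi` comes back non-empty, the interpreter running the check does not ignore `HTTP_PROXY` in CGI mode and should be updated.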

    The update also includes the following non-security fixes:

    - Don't force 3rd party C extensions to be built with
    -Werror=declaration-after-statement. (bsc#951166)
    - Make urllib proxy var handling behave as usual on POSIX. (bsc#983582)

    For a comprehensive list of changes please refer to the upstream change
    log: https://docs.python.org/3.4/whatsnew/changelog.html

    Patch Instructions:

    To install this SUSE Security Update use YaST online_update.
    Alternatively you can run the command listed for your product:

    • SUSE Linux Enterprise Software Development Kit 12-SP1:
      zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-1558=1
    • SUSE Linux Enterprise Server 12-SP1:
      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1558=1
    • SUSE Linux Enterprise Module for Web Scripting 12:
      zypper in -t patch SUSE-SLE-Module-Web-Scripting-12-2016-1558=1
    • SUSE Linux Enterprise Desktop 12-SP1:
      zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-1558=1

    To bring your system up-to-date, use "zypper patch".

    Package List:

    • SUSE Linux Enterprise Software Development Kit 12-SP1 (ppc64le s390x x86_64):
      • python3-base-debuginfo-3.4.5-17.1
      • python3-base-debugsource-3.4.5-17.1
      • python3-devel-3.4.5-17.1
      • python3-devel-debuginfo-3.4.5-17.1
    • SUSE Linux Enterprise Server 12-SP1 (ppc64le s390x x86_64):
      • libpython3_4m1_0-3.4.5-17.1
      • libpython3_4m1_0-debuginfo-3.4.5-17.1
      • python3-3.4.5-17.1
      • python3-base-3.4.5-17.1
      • python3-base-debuginfo-3.4.5-17.1
      • python3-base-debugsource-3.4.5-17.1
      • python3-debuginfo-3.4.5-17.1
      • python3-debugsource-3.4.5-17.1
    • SUSE Linux Enterprise Module for Web Scripting 12 (ppc64le s390x x86_64):
      • libpython3_4m1_0-3.4.5-17.1
      • libpython3_4m1_0-debuginfo-3.4.5-17.1
      • python3-3.4.5-17.1
      • python3-base-3.4.5-17.1
      • python3-base-debuginfo-3.4.5-17.1
      • python3-base-debugsource-3.4.5-17.1
      • python3-debuginfo-3.4.5-17.1
      • python3-debugsource-3.4.5-17.1
    • SUSE Linux Enterprise Desktop 12-SP1 (x86_64):
      • libpython3_4m1_0-3.4.5-17.1
      • libpython3_4m1_0-debuginfo-3.4.5-17.1
      • python3-3.4.5-17.1
      • python3-base-3.4.5-17.1
      • python3-base-debuginfo-3.4.5-17.1
      • python3-base-debugsource-3.4.5-17.1
      • python3-debuginfo-3.4.5-17.1
      • python3-debugsource-3.4.5-17.1

    References: