Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2021-2024 and is owned by Tenable, Inc. or an Affiliate thereof.OPENSUSE-2020-2332.NASL
HistoryJan 25, 2021 - 12:00 a.m.

openSUSE Security Update : python3 (openSUSE-2020-2332)

2021-01-2500:00:00
This script is Copyright (C) 2021-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
15

7.3 High

AI Score

Confidence

High

JSON

This update for python3 fixes the following issues :

  • Fixed CVE-2020-27619 (bsc#1178009), where Lib/test/multibytecodec_support calls eval() on content retrieved via HTTP.

  • Change setuptools and pip version numbers according to new wheels

  • Handful of changes to make python36 compatible with SLE15 and SLE12 (jsc#ECO-2799, jsc#SLE-13738)

  • add triplets for mips-r6 and riscv

  • RISC-V needs CTYPES_PASS_BY_REF_HACK

Update to 3.6.12 (bsc#1179193)

  • Ensure python3.dll is loaded from correct locations when Python is embedded

  • The hash() methods of ipaddress.IPv4Interface and ipaddress.IPv6Interface incorrectly generated constant hash values of 32 and 128 respectively. This resulted in always causing hash collisions. The fix uses hash() to generate hash values for the tuple of (address, mask length, network address).

  • Prevent http header injection by rejecting control characters in http.client.putrequest(…).

  • Unpickling invalid NEWOBJ_EX opcode with the C implementation raises now UnpicklingError instead of crashing.

  • Avoid infinite loop when reading specially crafted TAR files using the tarfile module

  • This release also fixes CVE-2020-26116 (bsc#1177211) and CVE-2019-20907 (bsc#1174091).

Update to 3.6.11 :

  • Disallow CR or LF in email.headerregistry. Address arguments to guard against header injection attacks.

  • Disallow control characters in hostnames in http.client, addressing CVE-2019-18348. Such potentially malicious header injection URLs now cause a InvalidURL to be raised. (bsc#1155094)

  • CVE-2020-8492: The AbstractBasicAuthHandler class of the urllib.request module uses an inefficient regular expression which can be exploited by an attacker to cause a denial of service. Fix the regex to prevent the catastrophic backtracking. Vulnerability reported by Ben Caller and Matt Schwager.

This update was imported from the SUSE:SLE-15:Update update project.

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update openSUSE-2020-2332.
#
# The text description of this plugin is (C) SUSE LLC.
#

include('compat.inc');

if (description)
{
  script_id(145326);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/01/26");

  script_cve_id(
    "CVE-2019-16935",
    "CVE-2019-18348",
    "CVE-2019-20907",
    "CVE-2019-5010",
    "CVE-2020-14422",
    "CVE-2020-26116",
    "CVE-2020-27619",
    "CVE-2020-8492"
  );

  script_name(english:"openSUSE Security Update : python3 (openSUSE-2020-2332)");

  script_set_attribute(attribute:"synopsis", value:
"The remote openSUSE host is missing a security update.");
  script_set_attribute(attribute:"description", value:
"This update for python3 fixes the following issues :

  - Fixed CVE-2020-27619 (bsc#1178009), where
    Lib/test/multibytecodec_support calls eval() on content
    retrieved via HTTP.

  - Change setuptools and pip version numbers according to
    new wheels

  - Handful of changes to make python36 compatible with
    SLE15 and SLE12 (jsc#ECO-2799, jsc#SLE-13738)

  - add triplets for mips-r6 and riscv

  - RISC-V needs CTYPES_PASS_BY_REF_HACK

Update to 3.6.12 (bsc#1179193)

  - Ensure python3.dll is loaded from correct locations when
    Python is embedded

  - The __hash__() methods of ipaddress.IPv4Interface and
    ipaddress.IPv6Interface incorrectly generated constant
    hash values of 32 and 128 respectively. This resulted in
    always causing hash collisions. The fix uses hash() to
    generate hash values for the tuple of (address, mask
    length, network address).

  - Prevent http header injection by rejecting control
    characters in http.client.putrequest(…).

  - Unpickling invalid NEWOBJ_EX opcode with the C
    implementation raises now UnpicklingError instead of
    crashing.

  - Avoid infinite loop when reading specially crafted TAR
    files using the tarfile module

  - This release also fixes CVE-2020-26116 (bsc#1177211) and
    CVE-2019-20907 (bsc#1174091).

Update to 3.6.11 :

  - Disallow CR or LF in email.headerregistry. Address
    arguments to guard against header injection attacks.

  - Disallow control characters in hostnames in http.client,
    addressing CVE-2019-18348. Such potentially malicious
    header injection URLs now cause a InvalidURL to be
    raised. (bsc#1155094)

  - CVE-2020-8492: The AbstractBasicAuthHandler class of the
    urllib.request module uses an inefficient regular
    expression which can be exploited by an attacker to
    cause a denial of service. Fix the regex to prevent the
    catastrophic backtracking. Vulnerability reported by Ben
    Caller and Matt Schwager.

This update was imported from the SUSE:SLE-15:Update update project.");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1155094");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1174091");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1174571");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1174701");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1177211");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1178009");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1179193");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1179630");
  script_set_attribute(attribute:"solution", value:
"Update the affected python3 packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-27619");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/09/28");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/12/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2021/01/25");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libpython3_6m1_0");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libpython3_6m1_0-32bit");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libpython3_6m1_0-32bit-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libpython3_6m1_0-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:python3");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:python3-32bit");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:python3-32bit-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:python3-base");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:python3-base-32bit");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:python3-base-32bit-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:python3-base-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:python3-core-debugsource");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:python3-curses");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:python3-curses-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:python3-dbm");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:python3-dbm-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:python3-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:python3-debugsource");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:python3-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:python3-devel-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:python3-doc-devhelp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:python3-idle");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:python3-testsuite");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:python3-testsuite-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:python3-tk");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:python3-tk-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:python3-tools");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:15.2");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"SuSE Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2021-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
if (release !~ "^(SUSE15\.2)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "15.2", release);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

ourarch = get_kb_item("Host/cpu");
if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);

flag = 0;

if ( rpm_check(release:"SUSE15.2", reference:"libpython3_6m1_0-3.6.12-lp152.4.14.1") ) flag++;
if ( rpm_check(release:"SUSE15.2", reference:"libpython3_6m1_0-debuginfo-3.6.12-lp152.4.14.1") ) flag++;
if ( rpm_check(release:"SUSE15.2", reference:"python3-3.6.12-lp152.4.14.1") ) flag++;
if ( rpm_check(release:"SUSE15.2", reference:"python3-base-3.6.12-lp152.4.14.1") ) flag++;
if ( rpm_check(release:"SUSE15.2", reference:"python3-base-debuginfo-3.6.12-lp152.4.14.1") ) flag++;
if ( rpm_check(release:"SUSE15.2", reference:"python3-core-debugsource-3.6.12-lp152.4.14.1") ) flag++;
if ( rpm_check(release:"SUSE15.2", reference:"python3-curses-3.6.12-lp152.4.14.1") ) flag++;
if ( rpm_check(release:"SUSE15.2", reference:"python3-curses-debuginfo-3.6.12-lp152.4.14.1") ) flag++;
if ( rpm_check(release:"SUSE15.2", reference:"python3-dbm-3.6.12-lp152.4.14.1") ) flag++;
if ( rpm_check(release:"SUSE15.2", reference:"python3-dbm-debuginfo-3.6.12-lp152.4.14.1") ) flag++;
if ( rpm_check(release:"SUSE15.2", reference:"python3-debuginfo-3.6.12-lp152.4.14.1") ) flag++;
if ( rpm_check(release:"SUSE15.2", reference:"python3-debugsource-3.6.12-lp152.4.14.1") ) flag++;
if ( rpm_check(release:"SUSE15.2", reference:"python3-devel-3.6.12-lp152.4.14.1") ) flag++;
if ( rpm_check(release:"SUSE15.2", reference:"python3-devel-debuginfo-3.6.12-lp152.4.14.1") ) flag++;
if ( rpm_check(release:"SUSE15.2", reference:"python3-doc-devhelp-3.6.12-lp152.4.14.1") ) flag++;
if ( rpm_check(release:"SUSE15.2", reference:"python3-idle-3.6.12-lp152.4.14.1") ) flag++;
if ( rpm_check(release:"SUSE15.2", reference:"python3-testsuite-3.6.12-lp152.4.14.1") ) flag++;
if ( rpm_check(release:"SUSE15.2", reference:"python3-testsuite-debuginfo-3.6.12-lp152.4.14.1") ) flag++;
if ( rpm_check(release:"SUSE15.2", reference:"python3-tk-3.6.12-lp152.4.14.1") ) flag++;
if ( rpm_check(release:"SUSE15.2", reference:"python3-tk-debuginfo-3.6.12-lp152.4.14.1") ) flag++;
if ( rpm_check(release:"SUSE15.2", reference:"python3-tools-3.6.12-lp152.4.14.1") ) flag++;
if ( rpm_check(release:"SUSE15.2", cpu:"x86_64", reference:"libpython3_6m1_0-32bit-3.6.12-lp152.4.14.1") ) flag++;
if ( rpm_check(release:"SUSE15.2", cpu:"x86_64", reference:"libpython3_6m1_0-32bit-debuginfo-3.6.12-lp152.4.14.1") ) flag++;
if ( rpm_check(release:"SUSE15.2", cpu:"x86_64", reference:"python3-32bit-3.6.12-lp152.4.14.1") ) flag++;
if ( rpm_check(release:"SUSE15.2", cpu:"x86_64", reference:"python3-32bit-debuginfo-3.6.12-lp152.4.14.1") ) flag++;
if ( rpm_check(release:"SUSE15.2", cpu:"x86_64", reference:"python3-base-32bit-3.6.12-lp152.4.14.1") ) flag++;
if ( rpm_check(release:"SUSE15.2", cpu:"x86_64", reference:"python3-base-32bit-debuginfo-3.6.12-lp152.4.14.1") ) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "python3 / python3-curses / python3-curses-debuginfo / python3-dbm / etc");
}
VendorProductVersionCPE
novellopensusepython3-dbmp-cpe:/a:novell:opensuse:python3-dbm
novellopensusepython3-dbm-debuginfop-cpe:/a:novell:opensuse:python3-dbm-debuginfo
novellopensusepython3-debuginfop-cpe:/a:novell:opensuse:python3-debuginfo
novellopensusepython3-debugsourcep-cpe:/a:novell:opensuse:python3-debugsource
novellopensusepython3-develp-cpe:/a:novell:opensuse:python3-devel
novellopensusepython3-devel-debuginfop-cpe:/a:novell:opensuse:python3-devel-debuginfo
novellopensusepython3-doc-devhelpp-cpe:/a:novell:opensuse:python3-doc-devhelp
novellopensusepython3-idlep-cpe:/a:novell:opensuse:python3-idle
novellopensusepython3-testsuitep-cpe:/a:novell:opensuse:python3-testsuite
novellopensusepython3-testsuite-debuginfop-cpe:/a:novell:opensuse:python3-testsuite-debuginfo
Rows per page:
1-10 of 281

Related

nessus 101
suse 5
redhat 8
oraclelinux 5
almalinux 3
freebsd 3
ibm 9
archlinux 1
mageia 3
cloudlinux 2
fedora 14
centos 2
amazon 7
ubuntu 4
openvas 6
cloudfoundry 2
osv 9
gentoo 2
debian 2
rocky 1
rosalinux 1
prion 1
cbl_mariner 1
ubuntucve 2
debiancve 2
veracode 2
photon 1
nessus
nessus
SUSE SLED15 / SLES15 Security Update : python3 (SUSE-SU-2020:3930-1)
2020-12-24 00:00:00
openSUSE Security Update : python3 (openSUSE-2020-2333)
2021-01-25 00:00:00
RHEL 6 / 7 : rh-python36 (RHSA-2020:4285)
2023-01-23 00:00:00
suse
suse
Security update for python3 (important)
2020-12-26 00:00:00
Security update for python3 (important)
2020-12-26 00:00:00
Security update for python3 (moderate)
2020-08-27 00:00:00
redhat
redhat
(RHSA-2020:4285) Moderate: rh-python36 security, bug fix, and enhancement update
2020-10-19 17:43:31
(RHSA-2020:4433) Moderate: python3 security and bug fix update
2020-11-03 12:04:08
(RHSA-2020:4273) Moderate: python27 security, bug fix, and enhancement update
2020-10-20 15:44:20
oraclelinux
oraclelinux
python3 security and bug fix update
2020-11-10 00:00:00
python3 security update
2020-11-13 00:00:00
python3 security update
2020-10-06 00:00:00
almalinux
almalinux
Moderate: python3 security and bug fix update
2020-11-03 12:04:08
Moderate: python38:3.8 security, bug fix, and enhancement update
2020-11-03 12:23:02
Moderate: python3 security update
2021-05-18 05:42:46
freebsd
freebsd
Python -- multiple vulnerabilities
2020-08-19 00:00:00
Python -- multiple vulnerabilities
2019-10-24 00:00:00
Python -- CRLF injection via the host part of the url passed to urlopen()
2019-10-24 00:00:00
ibm
ibm
Security Bulletin: Security vulnerabilities in Python3 affect IBM Cloud Pak for Multicloud Management Hybrid GRC.
2021-02-04 21:29:35
Security Bulletin: Streams service for IBM Cloud Pak for Data might be affected by some underlying Python vulnerabilities
2021-06-16 19:01:03
Security Bulletin: Multiple security vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak
2022-10-18 14:58:51
archlinux
archlinux
[ASA-202103-27] python2: multiple issues
2021-03-25 00:00:00
mageia
mageia
Updated python and python3 packages fix security vulnerabilities
2020-12-08 13:40:32
Updated python3 packages fix security vulnerability
2020-12-29 14:57:17
Updated python packages fix security vulnerability
2021-07-10 15:56:54
cloudlinux
cloudlinux
Fix of CVE: CVE-2020-26116, CVE-2020-8492, CVE-2018-20852, CVE-2020-27619
2021-10-05 14:07:59
Fix of CVE: CVE-2018-20852, CVE-2020-8492, CVE-2020-26116, CVE-2020-27619
2021-09-23 12:55:16
fedora
fedora
[SECURITY] Fedora 31 Update: python38-3.8.5-1.fc31
2020-07-30 19:09:05
[SECURITY] Fedora 32 Update: python3-3.8.5-1.fc32
2020-07-30 18:57:25
[SECURITY] Fedora 32 Update: python36-3.6.11-1.fc32
2020-07-04 01:14:28
centos
centos
python3 security update
2020-11-18 17:23:37
python3 security update
2020-10-20 18:48:39
amazon
amazon
Medium: python3
2021-06-16 20:37:00
Medium: python27, python34, python35, python36
2020-07-27 23:54:00
Medium: python34, python35, python36
2020-09-03 22:08:00
ubuntu
ubuntu
Python vulnerabilities
2020-04-30 00:00:00
Python vulnerabilities
2020-04-21 00:00:00
Python vulnerabilities
2021-03-12 00:00:00
openvas
openvas
Ubuntu: Security Advisory for python3.8 (USN-4333-2)
2020-05-01 00:00:00
Ubuntu: Security Advisory for python3.7 (USN-4333-1)
2020-04-22 00:00:00
Fedora: Security Advisory for python36 (FEDORA-2020-8bdd3fd7a4)
2020-07-04 00:00:00
cloudfoundry
cloudfoundry
USN-4333-1: Python vulnerabilities | Cloud Foundry
2020-05-14 00:00:00
USN-4428-1: Python vulnerabilities | Cloud Foundry
2020-08-27 00:00:00
osv
osv
python2.7, python3.7, python3.8 vulnerabilities
2021-03-12 14:07:56
python3.5 - security update
2020-11-18 00:00:00
Moderate: python38:3.8 security, bug fix, and enhancement update
2020-11-03 12:23:02
gentoo
gentoo
Python: Multiple vulnerabilities
2020-08-02 00:00:00
GNAT Ada Suite: Remote Code Execution
2024-02-03 00:00:00
debian
debian
[SECURITY] [DLA 2456-1] python3.5 security update
2020-11-19 03:44:14
[SECURITY] [DLA 2280-1] python3.5 security update
2020-07-15 10:00:36
rocky
rocky
python38:3.8 security, bug fix, and enhancement update
2020-11-03 12:23:02
rosalinux
rosalinux
Advisory ROSA-SA-2023-2202
2023-07-25 10:31:09
prion
prion
Design/Logic Flaw
2020-10-22 03:16:00
cbl_mariner
cbl_mariner
CVE-2019-18348 affecting package python3 3.7.9-2
2021-07-08 21:56:42
ubuntucve
ubuntucve
CVE-2020-27619
2020-10-22 00:00:00
CVE-2020-14422
2020-06-18 00:00:00
debiancve
debiancve
CVE-2020-27619
2020-10-22 03:16:00
CVE-2020-14422
2020-06-18 14:15:00
veracode
veracode
Information Disclosure
2021-02-26 02:10:49
Denial Of Service (DoS)
2020-08-06 21:39:59
photon
photon
Moderate Photon OS Security Update - PHSA-2020-0111
2020-07-09 00:00:00

7.3 High

AI Score

Confidence

High

JSON
Related for OPENSUSE-2020-2332.NASL
nessus101suse5redhat8oraclelinux5almalinux3freebsd3ibm9archlinux1mageia3cloudlinux2fedora14centos2amazon7ubuntu4openvas6cloudfoundry2osv9gentoo2debian2rocky1rosalinux1prion1cbl_mariner1ubuntucve2debiancve2veracode2photon1