Lucene search

1495 matches found

OSV
added 2023/09/19 9:52 p.m. | 9 views

SUSE-SU-2023:2783-2 Security update for grpc, protobuf, python-Deprecated, python-PyGithub, python-aiocontextvars, python-avro, python-bcrypt, python-cryptography, python-cryptography-vectors, python-google-api-core, python-googleapis-common-protos, python-grpcio-gcp, python-humanfriendly, python-jsondiff, python-knack, python-opencensus, python-opencensus-context, python-opencensus-ext-threading, python-opentelemetry-api, python-psutil, python-pytest-asyncio, python-requests, python-websocket-client, python-websockets

This update for grpc, protobuf, python-Deprecated, python-PyGithub, python-aiocontextvars, python-avro, python-bcrypt, python-cryptography, python-cryptography-vectors, python-google-api-core, python-googleapis-common-protos, python-grpcio-gcp, python-humanfriendly, python-jsondiff, python-knack,...

CVSS 9.1 | AI score 7.2 | EPSS 0.01575
Exploits 3 | References 22

OSSF Malicious Packages
added 2023/09/11 6:9 a.m. | 5 views

Malicious code in aliababcloud-tea-openapi (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: checkmarx 644686188e6f43d2dc595074d7644cba060e6a91b8de18713f4b551a76a6c3b7 Malicious Typosquatting packages campaign targeting developers, steals cloud service credentials Source: google-open-source-security...

AI score 7.2
Exploits 0 | References 2

The Hacker News
added 2023/08/31 12:46 p.m. | 297 views

North Korean Hackers Deploy New Malicious Python Packages in PyPI Repository

Three additional rogue Python packages have been discovered in the Package Index PyPI repository as part of an ongoing malicious software supply chain campaign called VMConnect, with signs pointing to the involvement of North Korean state-sponsored threat actors. The findings come from...

AI score 7.2
Exploits 0

vulnersOsv
added 2023/08/22 7:16 p.m. | 2 views

agent-actors (=0.1.0), agentverse (>=0.1.5 <=0.1.8.1) +78 more potentially affected by CVE-2023-36281 via langchain (>=0.0.100 <=0.0.168)

langchain PYPI version =0.0.100, =0.1.5, =0.0.1, =0.0.5, =0.2.0, =0.1.1, =0.1.1, =0.0.0, =0.0.1, =0.1.0, =0.2.1, =0.1.0, =0.0.1, =0.0.3, =0.0.7 and more Source cves: CVE-2023-36281 Source advisory: OSV:PYSEC-2023-151...

CVSS 9.8 | AI score 7.2 | EPSS 0.62245
Exploits 2

OSSF Malicious Packages
added 2023/08/11 10:18 a.m. | 5 views

Malicious code in python-aliyun-sdk-core (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: checkmarx 63f6387d6bfe7ae582be4478cf6a42a8104b44ea50b22489f5217ba2bfb3ce39 Malicious Typosquatting packages campaign targeting developers, steals cloud service credentials Source: google-open-source-security...

AI score 7.2
Exploits 0 | References 2

vulnersOsv
added 2023/08/07 7:15 p.m. | 3 views

2vyper (=0.3.0), ape-dasy (=0.1.0) +49 more potentially affected by CVE-2023-39363 via vyper (>=0.1.0b12 <=0.4.3)

vyper PYPI version =0.1.0b12, =0.6.0, =0.5.0a1, =0.7.1, =0.1.0, =0.0.1, =0.0.0, =0.0.0, =0.0.5, =0.1.0, =0.1.0, =0.1.0, =0.6.4 - blackadder =0.1.1 and more Source cves: CVE-2023-39363 Source advisory: OSV:PYSEC-2023-142...

CVSS 9.1 | AI score 6.2 | EPSS 0.00096
Exploits 1

vulnersOsv
added 2023/08/03 7:36 p.m. | 1 views

170051277-trab-final-gces (>=0.3.0 <=0.5.0), 2022-2-gces-ifpf (=0.3.0) +2742 more potentially affected by CVE-2023-37920 via certifi (>=2015.4.28 <=2023.5.7)

certifi PYPI version =2015.4.28, =0.3.0, =0.0.2, =0.0.6, =1.0.0, =0.1.0, =0.2.1, =1.0.0, =1.0.2, =0.1.1, =1.0.0, =0.1.0, =0.1.0, =1.0.0 - abuseipdb-wrapper =0.1.7 and more Source cves: CVE-2023-37920 Source advisory: OSV:PYSEC-2023-135...

CVSS 9.8 | AI score 6.8 | EPSS 0.00119
Exploits 0

vulnersOsv
added 2023/07/19 3:15 p.m. | 1 views

a2grunnerp (>=0.1.0 <=0.1.8), abuseipdb-wrapper (=0.1.7) +400 more potentially affected by CVE-2022-40896 via pygments (>=1.6.0 <=2.15.0)

pygments PYPI version =1.6.0, =0.1.0, =2.0.0.1, =0.0.1, =1.3.0, =0.3.2, =0.4.0, =1.0.0, =0.4.0, =4.2.0, =4.2.3 and more Source cves: CVE-2022-40896 Source advisory: OSV:PYSEC-2023-117...

CVSS 5.5 | AI score 6.4 | EPSS 0.00069
Exploits 1

vulnersOsv
added 2023/07/12 10:15 a.m. | 3 views

abi-ds-utils (=1.0.1), acceldata-o2a (=1.0.0) +231 more potentially affected by CVE-2023-22888 via apache-airflow (>=1.10.1 <=2.5.3)

apache-airflow PYPI version =1.10.1, =0.8.44.4, =1.4.0.3.post4, =1.4.0.3.post3, =0.1.0rc3, =0.1.0, =0.2.9b1, =1.0.7, =0.4.0, =0.1.0a1, =0.5.1, =0.1.1, =0.1.1, =1.10.6 and more Source cves: CVE-2023-22888 Source advisory: OSV:PYSEC-2023-105...

CVSS 6.5 | AI score 6.5 | EPSS 0.00151
Exploits 0

vulnersOsv
added 2023/07/11 6:15 p.m. | 0 views

aimmo (>=0.4.0b3098 <=0.27.4b5229), battlehack20 (>=1.0.0 <=1.1.0) +6 more potentially affected by CVE-2023-37271 via restrictedpython (>=4.0.0b4 <=5.2.0)

restrictedpython PYPI version =4.0.0b4, =0.4.0b3098, =1.0.0, =1.0.1, =1.1.1, =0.1.0, =0.3.4, =0.0.41, =0.1047.0, =1.7.36 Source cves: CVE-2023-37271 Source advisory: OSV:PYSEC-2023-118...

CVSS 9.9 | AI score 7.2 | EPSS 0.00347
Exploits 0

Tenable Nessus
added 2023/07/10 12:0 a.m. | 19 views

RHEL 8 : python39:3.9 and python39-devel:3.9 (RHSA-2023:4004)

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2023:4004 advisory. Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic dat...

CVSS 7.5 | AI score 7.5 | EPSS 0.01445
Exploits 3 | References 4

vulnersOsv
added 2023/07/05 8:15 p.m. | 3 views

aib2ofx (>=0.70.0a1 <=0.71.1), cooar-cli (>=0.1.0 <=0.2.0) +6 more potentially affected by CVE-2023-34457 via mechanicalsoup (>=0.10.0 <=0.9.0.post4)

mechanicalsoup PYPI version =0.10.0, =0.70.0a1, =0.1.0, =0.0.1, =0.1.0, =0.1.0, =0.1.0, =0.2.3, =0.4.11, =0.4.12 Source cves: CVE-2023-34457 Source advisory: OSV:PYSEC-2023-108...

CVSS 7.5 | AI score 7.1 | EPSS 0.02902
Exploits 1

OSV
added 2023/07/04 7:57 p.m. | 9 views

SUSE-SU-2023:2783-1 Security update for grpc, protobuf, python-Deprecated, python-PyGithub, python-aiocontextvars, python-avro, python-bcrypt, python-cryptography, python-cryptography-vectors, python-google-api-core, python-googleapis-common-protos, python-grpcio-gcp, python-humanfriendly, python-jsondiff, python-knack, python-opencensus, python-opencensus-context, python-opencensus-ext-threading, python-opentelemetry-api, python-psutil, python-pytest-asyncio, python-requests, python-websocket-client, python-websockets

This update for grpc, protobuf, python-Deprecated, python-PyGithub, python-aiocontextvars, python-avro, python-bcrypt, python-cryptography, python-cryptography-vectors, python-google-api-core, python-googleapis-common-protos, python-grpcio-gcp, python-humanfriendly, python-jsondiff, python-knack,...

CVSS 9.1 | AI score 7.2 | EPSS 0.01575
Exploits 3 | References 22

vulnersOsv
added 2023/07/03 3:30 p.m. | 0 views

aa-charlink (>=0.1.1 <=1.0.0), aa-drifters (=0.1.0a0) +253 more potentially affected by CVE-2023-36053 via django (>=4.0.0 <=4.1.1)

django PYPI version =4.0.0, =0.1.1, =1.0.0, =0.1.0a0, =0.11.0a0, =0.1.1, =1.1.0, =3.1.1, =3.6.4, =0.10.0, =1.1.2, =0.6.3, =0.9.3 and more Source cves: CVE-2023-36053 Source advisory: OSV:GHSA-JH3W-4VVF-MJGR...

CVSS 7.5 | AI score 7 | EPSS 0.08919
Exploits 0

The Hacker News
added 2023/06/15 11:56 a.m. | 49 views

New Supply Chain Attack Exploits Abandoned S3 Buckets to Distribute Malicious Binaries

In what's a new kind of software supply chain attack aimed at open source projects, it has emerged that threat actors could seize control of expired Amazon S3 buckets to serve rogue binaries without altering the modules themselves. "Malicious binaries steal the user IDs, passwords, local machine...

AI score 6.8
Exploits 0

OSV
added 2023/05/22 3:30 p.m. | 3 views

MGASA-2023-0186 Updated python-reportlab packages fix security vulnerability

Updates python3-reportlab includes a security fix and other minor bug fixes. See references for details...

AI score 7.3
Exploits 0 | References 3

vulnersOsv
added 2023/05/18 6:30 p.m. | 1 views

accord-nlp (>=0.1.0 <=0.1.8), adamix-gpt2 (>=0.0.1 <=0.0.2) +560 more potentially affected by CVE-2023-2800 via transformers (>=2.10.0 <=4.2.2)

transformers PYPI version =2.10.0, =0.1.0, =0.0.1, =0.3.0, =0.1.0, =0.1.0, =0.0.8, =0.0.4, =0.0.4, =0.0.11, =1.8.20, =0.0.3, =1.9.0, =1.0.0, =1.1.0 and more Source cves: CVE-2023-2800 Source advisory: OSV:GHSA-282V-666C-3FVG...

CVSS 4.7 | AI score 5.8 | EPSS 0.00025
Exploits 1

vulnersOsv
added 2023/05/11 9:15 p.m. | 1 views

2vyper (=0.3.0), ape-safe (=0.6.0) +27 more potentially affected by CVE-2023-32058 via vyper (>=0.1.0b12 <=0.3.7)

vyper PYPI version =0.1.0b12, =0.7.1, =0.1.0, =0.0.0, =0.0.0, =0.0.5, =0.1.0, =0.1.0, =0.7.2, =0.1.10.0, =1.0.1, =0.1.0, =1.4.0, =0.2.1, =0.3.5 and more Source cves: CVE-2023-32058 Source advisory: OSV:PYSEC-2023-78...

CVSS 7.5 | AI score 7.1 | EPSS 0.00468
Exploits 1

vulnersOsv
added 2023/05/11 2:15 a.m. | 1 views

a2 (>=0.1.0 <=0.3.17), agentos (>=0.0.5 <=0.0.7) +147 more potentially affected by CVE-2023-30172 via mlflow (>=0.8.2 <=2.0.0rc0)

mlflow PYPI version =0.8.2, =0.1.0, =0.0.5, =0.1.2, =1.0.18.2, =0.0.1, =1.0.41, =1.4.0, =0.2.5, =3.0.0, =0.1.0, =0.2.0, =0.3.5, =0.8.0, =1.0.0 and more Source cves: CVE-2023-30172 Source advisory: OSV:PYSEC-2023-70...

CVSS 7.5 | AI score 7.1 | EPSS 0.00452
Exploits 0

Fedora
added 2023/04/30 1:24 a.m. | 31 views

[SECURITY] Fedora 36 Update: python-setuptools-59.6.0-4.fc36

Setuptools is a collection of enhancements to the Python distutils that allow you to more easily build and distribute Python packages, especially ones that have dependencies on other packages. This package also contains the runtime components of setuptools, necessary to execute the software that...

CVSS 5.9 | AI score 6.8 | EPSS 0.00513
Exploits 1