Security update for python

Announcement ID:	SUSE-SU-2019:0223-1
Rating:	important
References:	bsc#1122191 bsc#984751 bsc#985177 bsc#985348 bsc#989523
Cross-References:	CVE-2016-0772 CVE-2016-1000110 CVE-2016-5636 CVE-2016-5699 CVE-2019-5010
CVSS scores:	CVE-2016-0772 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N CVE-2016-1000110 ( NVD ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVE-2016-5636 ( SUSE ): 7.8 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2016-5636 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2016-5699 ( NVD ): 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVE-2019-5010 ( SUSE ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2019-5010 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:	SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Server 12 LTSS 12 SUSE Linux Enterprise Server for SAP Applications 12

An update that solves five vulnerabilities can now be installed.

Description:

This update for python fixes the following issues:

Security issues fixed:

• CVE-2016-0772: smtplib vulnerability opens startTLS stripping attack (bsc#984751)
• CVE-2016-5636: heap overflow when importing malformed zip files (bsc#985177)
• CVE-2016-5699: incorrect validation of HTTP headers allow header injection (bsc#985348)
• CVE-2016-1000110: HTTPoxy vulnerability in urllib, fixed by disregarding HTTP_PROXY when REQUEST_METHOD is also set (bsc#989523)
• CVE-2019-5010: Fixed a denial-of-service vulnerability in the X509 certificate parser (bsc#1122191)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Server 12 LTSS 12
  zypper in -t patch SUSE-SLE-SERVER-12-2019-223=1

Package List:

• SUSE Linux Enterprise Server 12 LTSS 12 (ppc64le s390x x86_64)
  • python-2.7.9-16.7.1
  • python-base-debuginfo-2.7.9-16.7.2
  • python-tk-debuginfo-2.7.9-16.7.1
  • python-xml-debuginfo-2.7.9-16.7.2
  • python-curses-2.7.9-16.7.1
  • python-base-2.7.9-16.7.2
  • python-idle-2.7.9-16.7.1
  • python-demo-2.7.9-16.7.1
  • python-curses-debuginfo-2.7.9-16.7.1
  • python-debugsource-2.7.9-16.7.1
  • python-base-debugsource-2.7.9-16.7.2
  • python-debuginfo-2.7.9-16.7.1
  • python-gdbm-debuginfo-2.7.9-16.7.1
  • libpython2_7-1_0-2.7.9-16.7.2
  • python-xml-2.7.9-16.7.2
  • python-tk-2.7.9-16.7.1
  • libpython2_7-1_0-debuginfo-2.7.9-16.7.2
  • python-gdbm-2.7.9-16.7.1
• SUSE Linux Enterprise Server 12 LTSS 12 (noarch)
  • python-doc-pdf-2.7.9-16.7.2
  • python-doc-2.7.9-16.7.2
• SUSE Linux Enterprise Server 12 LTSS 12 (s390x x86_64)
  • python-base-32bit-2.7.9-16.7.2
  • libpython2_7-1_0-32bit-2.7.9-16.7.2
  • libpython2_7-1_0-debuginfo-32bit-2.7.9-16.7.2
  • python-debuginfo-32bit-2.7.9-16.7.1
  • python-base-debuginfo-32bit-2.7.9-16.7.2
  • python-32bit-2.7.9-16.7.1

References:

• https://www.suse.com/security/cve/CVE-2016-0772.html
• https://www.suse.com/security/cve/CVE-2016-1000110.html
• https://www.suse.com/security/cve/CVE-2016-5636.html
• https://www.suse.com/security/cve/CVE-2016-5699.html
• https://www.suse.com/security/cve/CVE-2019-5010.html
• https://bugzilla.suse.com/show_bug.cgi?id=1122191
• https://bugzilla.suse.com/show_bug.cgi?id=984751
• https://bugzilla.suse.com/show_bug.cgi?id=985177
• https://bugzilla.suse.com/show_bug.cgi?id=985348
• https://bugzilla.suse.com/show_bug.cgi?id=989523