Recommended update for aws-cli, python-boto3, python-botocore, python-s3transfer

Announcement ID: SUSE-RU-2018:4074-1
Rating: moderate
CVSS scores:
  • CVE-2018-15869 ( SUSE ): 8.6 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
  • CVE-2018-15869 ( NVD ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Affected Products:
  • Basesystem Module 15
  • Public Cloud Module 15
  • SUSE Linux Enterprise Desktop 15
  • SUSE Linux Enterprise High Performance Computing 15
  • SUSE Linux Enterprise Server 15
  • SUSE Linux Enterprise Server for SAP Applications 15
  • SUSE Package Hub 15

An update that solves one vulnerability and has five fixes can now be installed.

Description:

This update for aws-cli, python-boto3, python-botocore, python-s3transfer fixes the following issues:

aws-cli:

  • Update to version 1.16.61. (bsc#1088310)
  • For detailed changes see https://github.com/aws/aws-cli/blob/1.16.1/CHANGELOG.rst
  • Update to version 1.16.1 (bsc#1105988, bsc#1092493)
  • CVE-2018-15869: An Amazon Web Services (AWS) developer who does not specify the --owners flag when describing images via the AWS CLI, and therefore does not properly validate source software per AWS recommended security best practices, might unintentionally load an undesired and potentially malicious Amazon Machine Image (AMI) from the uncurated public community AMI catalog.
  • Disable vendored versions of requests and six from botocore and use requests and six from the RPM packages.
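
A check for the CVE-2018-15869 pattern described above, as an added example (not part of the SUSE advisory or of aws-cli): it scans shell script text for `aws ec2 describe-images` calls that omit `--owners`. The function names, the sample script and the account ID in it are constructed for illustration; an owner restriction expressed only through `--filters` is not recognised and is flagged.

```python
import re
import shlex

# Start of an `aws [global options] ec2 describe-images` invocation.
CALL = re.compile(r"\baws\b.*\bec2\s+describe-images\b")

def join_continuations(text):
    """Yield (first_line_number, logical_line), merging backslash continuations."""
    buf, start = "", None
    for n, line in enumerate(text.splitlines(), 1):
        if start is None:
            start = n
        stripped = line.rstrip()
        if stripped.endswith("\\"):
            buf += stripped[:-1] + " "
            continue
        yield start, buf + stripped
        buf, start = "", None
    if buf:  # file ended in the middle of a continuation
        yield start, buf

def find_unowned_describe_images(script_text):
    """Return line numbers of describe-images calls that lack --owners."""
    findings = []
    for lineno, line in join_continuations(script_text):
        if line.lstrip().startswith("#") or not CALL.search(line):
            continue
        try:
            tokens = shlex.split(line, comments=True)
        except ValueError:  # unbalanced quotes: fall back to a plain split
            tokens = line.split()
        if not any(t == "--owners" or t.startswith("--owners=") for t in tokens):
            findings.append(lineno)
    return findings

# Constructed sample script; 123456789012 is a placeholder account ID.
SAMPLE = r'''#!/bin/sh
# constructed example input
aws ec2 describe-images --filters "Name=name,Values=ubuntu-*" \
    --query 'Images[0].ImageId' --output text
aws ec2 describe-images --owners 123456789012 \
    --filters "Name=name,Values=ubuntu-*"
AMI=$(aws --region eu-west-1 ec2 describe-images --filters "Name=name,Values=base-*")
'''

if __name__ == "__main__":
    for lineno in find_unowned_describe_images(SAMPLE):
        print(f"line {lineno}: describe-images without --owners")
```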

python-botocore:

  • Update to version 1.10.40
  • For detailed changes, please refer to the changelog.
  • Remove the broken attempt to avoid using the bundled requests module provided by the source (bsc#1088310)

python-boto3:

  • Version update to 1.9.57 (bsc#1118021, bsc#1118027)
  • For detailed changes, please refer to the changelog.

python-s3transfer:

  • Update to version 0.1.13
  • Make sure to really not use any bundles.
  • enhancement:max_bandwidth: Add ability to set maximum bandwidth consumption for streaming of S3 uploads and downloads.

Patch Instructions:

To install this SUSE update, use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively, you can run the command listed for your product:

  • Basesystem Module 15
    zypper in -t patch SUSE-SLE-Module-Basesystem-15-2018-2898=1
  • SUSE Package Hub 15
    zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-2018-2898=1
  • Public Cloud Module 15
    zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-2018-2898=1

Package List:

  • Basesystem Module 15 (noarch)
    • python3-botocore-1.12.57-3.5.1
    • python3-s3transfer-0.1.13-3.3.6
    • python3-boto3-1.9.57-3.5.1
  • SUSE Package Hub 15 (noarch)
    • python2-s3transfer-0.1.13-3.3.6
    • python2-boto3-1.9.57-3.5.1
    • python2-botocore-1.12.57-3.5.1
  • Public Cloud Module 15 (noarch)
    • aws-cli-1.16.61-4.7.1
