Recommended update for aws-cli, python-boto3, python-botocore, python-s3transfer
Announcement ID: | SUSE-RU-2018:4074-1 |
---|---|
Rating: | moderate |
References: | |
Cross-References: | |
CVSS scores: |
|
Affected Products: |
|
An update that solves one vulnerability and has five fixes can now be installed.
Description:
This update for aws-cli, python-boto3, python-botocore, python-s3transfer fixes the following issues:
aws-cli:
- Update to version 1.16.61. (bsc#1088310)
- For detailed changes see https://github.com/aws/aws-cli/blob/1.16.1/CHANGELOG.rst
- Update to version 1.16.1 (bsc#1105988, bsc#1092493)
- CVE-2018-15869: An Amazon Web Services (AWS) developer who does not specify the --owners flag when describing images via AWS CLI, and therefore not properly validating source software per AWS recommended security best practices, might have unintentionally loaded an undesired and potentially malicious Amazon Machine Image (AMI) from the uncurated public community AMI catalog.
- Disable vendored versions of requests and six from botocore and use requests and six from the RPM packages.
python-botocore:
- Update to version 1.10.40
- For detailed changes, please refer to the changelog.
- Remove the broken attempt to avoid using the bundeled requests module provided by the source (bsc#1088310)
python-boto3:
- Version update to 1.9.57 (bsc#1118021, bsc#1118027)
- For detailed changes, please refer to the changelog.
python-s3transfer:
- Update to version 0.1.13
- Make sure to really not use any bundles.
- enhancement:max_bandwidth: Add ability to set maximum bandwidth consumption for streaming of S3 uploads and downloads.
Patch Instructions:
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
-
Basesystem Module 15
zypper in -t patch SUSE-SLE-Module-Basesystem-15-2018-2898=1
-
SUSE Package Hub 15
zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-2018-2898=1
-
Public Cloud Module 15
zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-2018-2898=1
Package List:
-
Basesystem Module 15 (noarch)
- python3-botocore-1.12.57-3.5.1
- python3-s3transfer-0.1.13-3.3.6
- python3-boto3-1.9.57-3.5.1
-
SUSE Package Hub 15 (noarch)
- python2-s3transfer-0.1.13-3.3.6
- python2-boto3-1.9.57-3.5.1
- python2-botocore-1.12.57-3.5.1
-
Public Cloud Module 15 (noarch)
- aws-cli-1.16.61-4.7.1
References:
- https://www.suse.com/security/cve/CVE-2018-15869.html
- https://bugzilla.suse.com/show_bug.cgi?id=1088310
- https://bugzilla.suse.com/show_bug.cgi?id=1092493
- https://bugzilla.suse.com/show_bug.cgi?id=1098125
- https://bugzilla.suse.com/show_bug.cgi?id=1105988
- https://bugzilla.suse.com/show_bug.cgi?id=1118021
- https://bugzilla.suse.com/show_bug.cgi?id=1118027