SUSE update for python
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2019-18348 CVE-2021-23336 |
| CWE-ID | CWE-74 CWE-20 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
SUSE Linux Enterprise Server Operating systems & Components / Operating system SUSE Linux Enterprise Server for SAP Operating systems & Components / Operating system SUSE Linux Enterprise Workstation Extension Operating systems & Components / Operating system SUSE OpenStack Cloud Crowbar Operating systems & Components / Operating system HPE Helion Openstack Operating systems & Components / Operating system SUSE OpenStack Cloud Operating systems & Components / Operating system python-doc-pdf Operating systems & Components / Operating system package or component python-doc Operating systems & Components / Operating system package or component python-xml-debuginfo Operating systems & Components / Operating system package or component python-xml Operating systems & Components / Operating system package or component python-tk-debuginfo Operating systems & Components / Operating system package or component python-tk Operating systems & Components / Operating system package or component python-idle Operating systems & Components / Operating system package or component python-gdbm-debuginfo Operating systems & Components / Operating system package or component python-gdbm Operating systems & Components / Operating system package or component python-devel Operating systems & Components / Operating system package or component python-demo Operating systems & Components / Operating system package or component python-debugsource Operating systems & Components / Operating system package or component python-debuginfo-32bit Operating systems & Components / Operating system package or component python-debuginfo Operating systems & Components / Operating system package or component python-curses-debuginfo Operating systems & Components / Operating system package or component python-curses Operating systems & Components / Operating system package or component python-base-debugsource Operating systems & Components / Operating system package or component python-base-debuginfo-32bit Operating systems & Components / Operating system package or component python-base-debuginfo Operating systems & Components / Operating system package or component python-base-32bit Operating systems & Components / Operating system package or component python-base Operating systems & Components / Operating system package or component python-32bit Operating systems & Components / Operating system package or component python Operating systems & Components / Operating system package or component libpython2_7-1_0-debuginfo-32bit Operating systems & Components / Operating system package or component libpython2_7-1_0-debuginfo Operating systems & Components / Operating system package or component libpython2_7-1_0-32bit Operating systems & Components / Operating system package or component libpython2_7-1_0 Operating systems & Components / Operating system package or component |
| Vendor | SUSE |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) CRLF injection
EUVDB-ID: #VU31958
Risk: Medium
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2019-18348
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
An issue was discovered in urllib2 in Python 2.x through 2.7.17 and urllib in Python 3.x through 3.8.0. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with (specifically in the host component of a URL) followed by an HTTP header. This is similar to the CVE-2019-9740 query string issue and the CVE-2019-9947 path string issue. (This is not exploitable when glibc has CVE-2016-10739 fixed.)
MitigationUpdate the affected package python to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server: 12-SP2-LTSS-ERICSSON - 12-SP5
SUSE Linux Enterprise Server for SAP: 12-SP2 - 12-SP4
SUSE Linux Enterprise Workstation Extension: 12-SP5
SUSE OpenStack Cloud Crowbar: 8 - 9
HPE Helion Openstack: 8
SUSE OpenStack Cloud: 7 - 9
python-doc-pdf: before 2.7.18-28.67.1
python-doc: before 2.7.18-28.67.1
python-xml-debuginfo: before 2.7.18-28.67.1
python-xml: before 2.7.18-28.67.1
python-tk-debuginfo: before 2.7.18-28.67.1
python-tk: before 2.7.18-28.67.1
python-idle: before 2.7.18-28.67.1
python-gdbm-debuginfo: before 2.7.18-28.67.1
python-gdbm: before 2.7.18-28.67.1
python-devel: before 2.7.18-28.67.1
python-demo: before 2.7.18-28.67.1
python-debugsource: before 2.7.18-28.67.1
python-debuginfo-32bit: before 2.7.18-28.67.1
python-debuginfo: before 2.7.18-28.67.1
python-curses-debuginfo: before 2.7.18-28.67.1
python-curses: before 2.7.18-28.67.1
python-base-debugsource: before 2.7.18-28.67.1
python-base-debuginfo-32bit: before 2.7.18-28.67.1
python-base-debuginfo: before 2.7.18-28.67.1
python-base-32bit: before 2.7.18-28.67.1
python-base: before 2.7.18-28.67.1
python-32bit: before 2.7.18-28.67.1
python: before 2.7.18-28.67.1
libpython2_7-1_0-debuginfo-32bit: before 2.7.18-28.67.1
libpython2_7-1_0-debuginfo: before 2.7.18-28.67.1
libpython2_7-1_0-32bit: before 2.7.18-28.67.1
libpython2_7-1_0: before 2.7.18-28.67.1
CPE2.3- cpe:2.3:o:suse:suse_linux_enterprise_server:12-SP2-LTSS-ERICSSON:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server:12-SP2-BCL:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server:12-SP3-LTSS:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap:12-SP2:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap:12-SP3:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap:12-SP4:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_workstation_extension:12-SP5:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_openstack_cloud_crowbar:8:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_openstack_cloud_crowbar:9:*:*:*:*:*:*:*
- cpe:2.3:o:suse:hpe_helion_openstack:8:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_openstack_cloud:7:*:*:*:*:*:*:*
- cpe:2.3:o:suse:python-doc-pdf:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:python-doc:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:python-xml-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:python-xml:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:python-tk-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:python-tk:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:python-idle:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:python-gdbm-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:python-gdbm:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:python-devel:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:python-demo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:python-debugsource:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:python-debuginfo-32bit:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:python-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:python-curses-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:python-curses:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:python-base-debugsource:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:python-base-debuginfo-32bit:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:python-base-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:python-base-32bit:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:python-base:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:python-32bit:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:python:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:libpython2_7-1_0-debuginfo-32bit:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:libpython2_7-1_0-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:libpython2_7-1_0-32bit:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:libpython2_7-1_0:*:*:*:*:*:suse_linux:*:*
https://www.suse.com/support/update/announcement/2021/suse-su-20210794-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Input validation error
EUVDB-ID: #VU50814
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-23336
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform web cache spoofing attack.
The vulnerability exists due to insufficient validation of user-supplied input in django.utils.http.limited_parse_qsl() when parsing strings with a semicolon (";"). A remote attacker can pass specially crafted data to the application and perform a spoofing attack.
MitigationUpdate the affected package python to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server: 12-SP2-LTSS-ERICSSON - 12-SP5
SUSE Linux Enterprise Server for SAP: 12-SP2 - 12-SP4
SUSE Linux Enterprise Workstation Extension: 12-SP5
SUSE OpenStack Cloud Crowbar: 8 - 9
HPE Helion Openstack: 8
SUSE OpenStack Cloud: 7 - 9
python-doc-pdf: before 2.7.18-28.67.1
python-doc: before 2.7.18-28.67.1
python-xml-debuginfo: before 2.7.18-28.67.1
python-xml: before 2.7.18-28.67.1
python-tk-debuginfo: before 2.7.18-28.67.1
python-tk: before 2.7.18-28.67.1
python-idle: before 2.7.18-28.67.1
python-gdbm-debuginfo: before 2.7.18-28.67.1
python-gdbm: before 2.7.18-28.67.1
python-devel: before 2.7.18-28.67.1
python-demo: before 2.7.18-28.67.1
python-debugsource: before 2.7.18-28.67.1
python-debuginfo-32bit: before 2.7.18-28.67.1
python-debuginfo: before 2.7.18-28.67.1
python-curses-debuginfo: before 2.7.18-28.67.1
python-curses: before 2.7.18-28.67.1
python-base-debugsource: before 2.7.18-28.67.1
python-base-debuginfo-32bit: before 2.7.18-28.67.1
python-base-debuginfo: before 2.7.18-28.67.1
python-base-32bit: before 2.7.18-28.67.1
python-base: before 2.7.18-28.67.1
python-32bit: before 2.7.18-28.67.1
python: before 2.7.18-28.67.1
libpython2_7-1_0-debuginfo-32bit: before 2.7.18-28.67.1
libpython2_7-1_0-debuginfo: before 2.7.18-28.67.1
libpython2_7-1_0-32bit: before 2.7.18-28.67.1
libpython2_7-1_0: before 2.7.18-28.67.1
CPE2.3- cpe:2.3:o:suse:suse_linux_enterprise_server:12-SP2-LTSS-ERICSSON:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server:12-SP2-BCL:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server:12-SP3-LTSS:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap:12-SP2:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap:12-SP3:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap:12-SP4:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_workstation_extension:12-SP5:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_openstack_cloud_crowbar:8:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_openstack_cloud_crowbar:9:*:*:*:*:*:*:*
- cpe:2.3:o:suse:hpe_helion_openstack:8:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_openstack_cloud:7:*:*:*:*:*:*:*
- cpe:2.3:o:suse:python-doc-pdf:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:python-doc:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:python-xml-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:python-xml:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:python-tk-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:python-tk:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:python-idle:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:python-gdbm-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:python-gdbm:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:python-devel:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:python-demo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:python-debugsource:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:python-debuginfo-32bit:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:python-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:python-curses-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:python-curses:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:python-base-debugsource:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:python-base-debuginfo-32bit:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:python-base-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:python-base-32bit:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:python-base:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:python-32bit:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:python:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:libpython2_7-1_0-debuginfo-32bit:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:libpython2_7-1_0-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:libpython2_7-1_0-32bit:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:libpython2_7-1_0:*:*:*:*:*:suse_linux:*:*
https://www.suse.com/support/update/announcement/2021/suse-su-20210794-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
