SUSE update for python



Risk Low
Patch available YES
Number of vulnerabilities 2
CVE-ID CVE-2021-3733
CVE-2021-3737
CWE-ID CWE-399
CWE-835
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe 		SUSE Linux Enterprise Workstation Extension
Operating systems & Components / Operating system

SUSE Linux Enterprise Server
Operating systems & Components / Operating system

python-doc-pdf
Operating systems & Components / Operating system package or component

python-doc
Operating systems & Components / Operating system package or component

python-debuginfo-32bit
Operating systems & Components / Operating system package or component

python-base-debuginfo-32bit
Operating systems & Components / Operating system package or component

python-base-32bit
Operating systems & Components / Operating system package or component

python-32bit
Operating systems & Components / Operating system package or component

libpython2_7-1_0-debuginfo-32bit
Operating systems & Components / Operating system package or component

libpython2_7-1_0-32bit
Operating systems & Components / Operating system package or component

python-xml-debuginfo
Operating systems & Components / Operating system package or component

python-xml
Operating systems & Components / Operating system package or component

python-tk-debuginfo
Operating systems & Components / Operating system package or component

python-tk
Operating systems & Components / Operating system package or component

python-idle
Operating systems & Components / Operating system package or component

python-gdbm-debuginfo
Operating systems & Components / Operating system package or component

python-gdbm
Operating systems & Components / Operating system package or component

python-demo
Operating systems & Components / Operating system package or component

python-debugsource
Operating systems & Components / Operating system package or component

python-debuginfo
Operating systems & Components / Operating system package or component

python-curses-debuginfo
Operating systems & Components / Operating system package or component

python-curses
Operating systems & Components / Operating system package or component

python-base
Operating systems & Components / Operating system package or component

python
Operating systems & Components / Operating system package or component

libpython2_7-1_0-debuginfo
Operating systems & Components / Operating system package or component

libpython2_7-1_0
Operating systems & Components / Operating system package or component

python-devel
Operating systems & Components / Operating system package or component

python-base-debugsource
Operating systems & Components / Operating system package or component

python-base-debuginfo
Operating systems & Components / Operating system package or component

Vendor SUSE

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Resource management error

EUVDB-ID: #VU58295

Risk: Low

CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-3733

CWE-ID: CWE-399 - Resource Management Errors

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources within the application within the AbstractBasicAuthHandler class in urllib. A remote attacker with control over the server can perform regular expression denial of service attack during authentication.

Mitigation

Update the affected package python to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Workstation Extension: 12-SP5

SUSE Linux Enterprise Server: 12-SP5

python-doc-pdf: before 2.7.18-28.74.1

python-doc: before 2.7.18-28.74.1

python-debuginfo-32bit: before 2.7.18-28.74.1

python-base-debuginfo-32bit: before 2.7.18-28.74.2

python-base-32bit: before 2.7.18-28.74.2

python-32bit: before 2.7.18-28.74.1

libpython2_7-1_0-debuginfo-32bit: before 2.7.18-28.74.2

libpython2_7-1_0-32bit: before 2.7.18-28.74.2

python-xml-debuginfo: before 2.7.18-28.74.2

python-xml: before 2.7.18-28.74.2

python-tk-debuginfo: before 2.7.18-28.74.1

python-tk: before 2.7.18-28.74.1

python-idle: before 2.7.18-28.74.1

python-gdbm-debuginfo: before 2.7.18-28.74.1

python-gdbm: before 2.7.18-28.74.1

python-demo: before 2.7.18-28.74.1

python-debugsource: before 2.7.18-28.74.1

python-debuginfo: before 2.7.18-28.74.1

python-curses-debuginfo: before 2.7.18-28.74.1

python-curses: before 2.7.18-28.74.1

python-base: before 2.7.18-28.74.2

python: before 2.7.18-28.74.1

libpython2_7-1_0-debuginfo: before 2.7.18-28.74.2

libpython2_7-1_0: before 2.7.18-28.74.2

python-devel: before 2.7.18-28.74.2

python-base-debugsource: before 2.7.18-28.74.2

python-base-debuginfo: before 2.7.18-28.74.2

CPE2.3 External links

http://www.suse.com/support/update/announcement/2021/suse-su-20213524-1/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Infinite loop

EUVDB-ID: #VU59089

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-3737

CWE-ID: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to infinite loop. A remote attacker who controls a malicious server can force the client to enter an infinite loop on a 100 Continue response.

Mitigation

Update the affected package python to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Workstation Extension: 12-SP5

SUSE Linux Enterprise Server: 12-SP5

python-doc-pdf: before 2.7.18-28.74.1

python-doc: before 2.7.18-28.74.1

python-debuginfo-32bit: before 2.7.18-28.74.1

python-base-debuginfo-32bit: before 2.7.18-28.74.2

python-base-32bit: before 2.7.18-28.74.2

python-32bit: before 2.7.18-28.74.1

libpython2_7-1_0-debuginfo-32bit: before 2.7.18-28.74.2

libpython2_7-1_0-32bit: before 2.7.18-28.74.2

python-xml-debuginfo: before 2.7.18-28.74.2

python-xml: before 2.7.18-28.74.2

python-tk-debuginfo: before 2.7.18-28.74.1

python-tk: before 2.7.18-28.74.1

python-idle: before 2.7.18-28.74.1

python-gdbm-debuginfo: before 2.7.18-28.74.1

python-gdbm: before 2.7.18-28.74.1

python-demo: before 2.7.18-28.74.1

python-debugsource: before 2.7.18-28.74.1

python-debuginfo: before 2.7.18-28.74.1

python-curses-debuginfo: before 2.7.18-28.74.1

python-curses: before 2.7.18-28.74.1

python-base: before 2.7.18-28.74.2

python: before 2.7.18-28.74.1

libpython2_7-1_0-debuginfo: before 2.7.18-28.74.2

libpython2_7-1_0: before 2.7.18-28.74.2

python-devel: before 2.7.18-28.74.2

python-base-debugsource: before 2.7.18-28.74.2

python-base-debuginfo: before 2.7.18-28.74.2

CPE2.3 External links

http://www.suse.com/support/update/announcement/2021/suse-su-20213524-1/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###