Multiple issues in SUSE Enterprise Storage
ID: | SUSE-SU-2021:0048-1 |
Distribution: | SUSE |
Platforms: | SUSE Enterprise Storage 6 |
Date: | Fri, 8 January 2021, 21:27 |
References: | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11427 |
Applications: | SUSE Enterprise Storage |
Original message |

   SUSE Security Update: Security update for python-defusedxml, python-freezegun, python-pkgconfig, python-python3-saml, python-xmlsec
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0048-1
Rating:             moderate
References:         #1019074 #1041090 #1177200
Cross-References:   CVE-2017-11427
Affected Products:
                    SUSE Enterprise Storage 6
______________________________________________________________________________

   An update that solves one vulnerability and has two fixes
   is now available.

Description:

   This update for python-defusedxml, python-freezegun, python-pkgconfig,
   python-python3-saml, python-xmlsec fixes the following issues:

   - Update to 0.6.0
   - Increase test coverage.
   - Add badges to README.
   - Test on Python 3.7 stable and 3.8-dev
   - Drop support for Python 3.4
   - No longer pass *html* argument to XMLParse. It has been deprecated and
     ignored for a long time.
     The DefusedXMLParser still takes a html argument. A deprecation warning
     is issued when the argument is False and a TypeError when it's True.
   - defusedxml now fails early when pyexpat stdlib module is not available
     or broken.
   - defusedxml.ElementTree.__all__ now lists ParseError as public attribute.
   - The defusedxml.ElementTree and defusedxml.cElementTree modules had a
     typo and used XMLParse instead of XMLParser as an alias for
     DefusedXMLParser. Both the old and fixed name are now available.
   - Remove superfluous devel dependency for noarch package
   - Update to 5.0
     * Add compatibility with Python 3.6
     * Drop support for Python 2.6, 3.1, 3.2, 3.3
     * Fix lxml tests (XMLSyntaxError: Detected an entity reference loop)
   - Implement single-spec version.
   - Dummy changelog for bsc#1019074, FATE#322329
   - Add dependency on the full python (which is not pulled by setuptools
     anymore). Use %{pythons} macro now. (bsc#1177200)
   - Upgrade to 0.3.12:
     * Refactor classes to functions
     * Ignore Selenium
     * Move to pytest
     * Conditionally patch time.clock (removed in 3.8)
     * Patch time.time_ns added in Python 3.7
   - Do not require python2 module for building python3 module
   - Update to 0.3.11:
     * Performance improvements
     * Fix nesting time.time
     * Add nanosecond property
   - Remove superfluous devel dependency for noarch package
   - Add remove_dependency_on_mock.patch which removes dependency on
     python-mock for Python 3, where it is not required.
   - update to 0.3.10
     * Performance improvements
     * Coroutine support
   - update to version 0.3.9
     * If no time to be frozen, use current time
     * Fix uuid1 issues
     * Add support for python 3.6
   - update to version 0.3.8
     * Improved unpatching when importing modules after freeze_time start()
     * Add manual increment via tick method
     * Fix bug with time.localtime not being reset. Closes #112.
     * Fix test to work when current timezone is GMT-14 or GMT+14.
     * Fixed #162 - allow decorating old-style classes.
     * Add support to PyMySQL
     * Assume the default time to freeze is "now".
     * Register fake types in PyMySQL conversions
     * Ignore threading and Queue modules. Closes #129.
     * Lock down coverage version since new coverage doesn't support py3.2
     * Fix or py3 astimezone and not passing tz. Closes #138.
     * Add note about default arguments. Closes #140.
     * Add license info. Closes #120.
   - Update to 0.3.5
     * No upstream changelog
   - Remove unneeded freeze_hideDeps.patch
   - Use download Url as source
   - Use tarball provided by pypi
   - update to 1.5.1
     * Use poetry instead of setuptools directly
     * Fix #42: raise exception if package is missing
     * Fix version parsing for openssl-like version numbers, fixes #32
     * Add boolean static keyword to output private libraries as well
     * Raise original OSError as well
   - Add missing test dependency pkgconfig

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Enterprise Storage 6:

      zypper in -t patch SUSE-Storage-6-2021-48=1

Package List:

   - SUSE Enterprise Storage 6 (aarch64 x86_64):

      python3-xmlsec-1.3.6-1.5.1
      python3-xmlsec-debuginfo-1.3.6-1.5.1

   - SUSE Enterprise Storage 6 (noarch):

      python3-defusedxml-0.6.0-1.5.1
      python3-freezegun-0.3.12-1.5.1
      python3-isodate-0.6.0-1.3.2
      python3-pkgconfig-1.5.1-1.5.1
      python3-python3-saml-1.9.0-1.5.2

References:

   https://www.suse.com/security/cve/CVE-2017-11427.html
   https://bugzilla.suse.com/1019074
   https://bugzilla.suse.com/1041090
   https://bugzilla.suse.com/1177200