Security update for python3
This update for python3 to version 3.6.10 fixes the following issues:
- CVE-2017-18207: Fixed a denial of service in Wave_read._read_fmt_chunk() (bsc#1083507).
- CVE-2019-16056: Fixed an issue where email parsing could fail for multiple @ (bsc#1149955).
- CVE-2019-15903: Fixed a heap-based buffer over-read in libexpat (bsc#1149429).
This update was imported from the SUSE:SLE-15:Update update project.
Submitted by: Matej Cepl (mcepl)
Fixed bugs
bnc#1149121
python3-base fails on tests - test_weakref hangs
bnc#1159035
Unify python packages over different distributions
bnc#1088004
VUL-1: CVE-2018-1061: python,python3: DOS via regular expression backtracking in difflib.IS_LINE_JUNK method in difflib
bnc#1083507
VUL-0: CVE-2017-18207: python,python3: The Wave_read._read_fmt_chunk function in Lib/wave.py does not ensure a nonzero channel value, which allows attackers to cause a denial of service
bnc#1129346
VUL-0: CVE-2019-9636: python3,python27: python: Information Disclosure due to urlsplit improper NFKC normalization
bnc#917607
package summary and description for python3 and python3-base are nearly the same
bnc#885882
VUL-0: CVE-2014-4650: python: CGIHTTPServer does not properly handle encoded URL
bnc#1159622
python3-idle with its giant dependencies should not be a python3-base subpackage
bnc#984751
VUL-1: CVE-2016-0772: python,python3: smtplib StartTLS stripping attack
bnc#747125
VUL-1: CVE-2012-0845: python: (SimpleXMLRPCServer): DoS (excessive CPU usage) via malformed XML-RPC / HTTP POST request
bnc#1109847
VUL-0: CVE-2018-14647: python,python3,python27: Missing salt initialization in _elementtree.c module
bnc#1088573
python3-base: enhancement for buildtime
bnc#1088009
VUL-1: CVE-2018-1060: python,python3: DOS via regular expression catastrophic backtracking in apop() method in pop3lib
bnc#1040164
Missing link to libpython3.6.so
bnc#834601
VUL-0: CVE-2013-4238: python: SSL module does not handle certificates that contain hostnames with NULL bytes
bnc#787526
%py3_incdir is pointing to buildroot path
bnc#743787
python3 on x64 can't import hashlib.
bnc#1151490
Regression of OpenSSL 1.1.1b-1 in EVP_PBE_scrypt() with salt=NULL
bnc#985177
VUL-1: CVE-2016-5636: python3,python: Heap overflow in zipimporter module
bnc#1029377
python3: _elementtree module is broken
bnc#1107030
python3 builds without -fwrapv option
bnc#989523
VUL-1: CVE-2016-1000110: python,python3: Python CGIHandler: sets environmental variable based on user supplied Proxy request header
bnc#751718
VUL-0: python: hash collision DoS
bnc#1109663
VUL-0: CVE-2018-1000802: python,python3,python27: Command injection in the shutil module
bnc#709442
Remove README.txt from python3-doc
bnc#1149955
VUL-0: CVE-2019-16056: python,python3,python36,python27: The email module wrongly parses email addresses
bnc#658604
Python distutils setup does not allow user installation of Python packages
bnc#1120644
VUL-1: CVE-2018-20406: python3: integer overflow via a large LONG_BINPUT value
bnc#885662
python-3.4 ensurepip is broken
bnc#983582
Python3 issues with distributed version 3.4.1
bnc#1081750
python tarfile uses random order
bnc#1141853
VUL-0: CVE-2018-20852: python,python3,python27: http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending cookies to the wrong server
bnc#942751
python3 test / missing __main__ module
bnc#871152
VUL-0: CVE-2014-2667: python3: race in mkdir()
bnc#637176
Python doesn't have the PEP 370 compatible lib64 path
bnc#1027282
Update python to 2.7.13 and python3 to 3.4.6
bnc#809831
virtualenv / easy_install broken for python 3
bnc#1133452
python3: broken debuginfo packages on SLE15
bnc#1042670
Python and python3 fail to build with openssl-1.1
bnc#1029902
Fatal Python error: failed to get random numbers to initialize Python3
bnc#985348
VUL-0: CVE-2016-5699: python,python3: http protocol stream injection attack
bnc#1086001
python tarfile uses random order
bnc#831629
python3-base test test_faulthandler fails on ppc64
bnc#1079761
[glibc2.27] python3-base fails to build
bnc#1138459
VUL-0: CVE-2019-10160: python,python3,python27: python: regression of due to functional fix to allow port numbers in netloc
bnc#1137942
python3-base conflicts with python36-base
bnc#1153238
VUL-0: CVE-2019-16935: python,python3,python36,python27: XSS vulnerability in the documentation XML-RPC server in server_title field
bnc#673071
pyconfig has defines that break building of packages.
bnc#754677
VUL-1: python: Adaptive chosen plaintext attack against SSL
bnc#1094814
[Build 652.1] openQA test fails in ha_cluster_join
bnc#1122191
VUL-0: CVE-2019-5010: python,python3,python27: NULL pointer dereference using a specially crafted X509 certificate causes DOS
bnc#1070853
python3: 2to3 causes python-ipaddr build failure
bnc#1130840
VUL-1: CVE-2019-9947: python,python3,python27: CRLF injection is possible if the attacker controls a url parameter
bnc#951166
python3 upstream issue #21121
bnc#754447
VUL-1: python: distutils creates ~/.pypirc insecurely
bnc#1149792
openssl 1.1.1c causes build failures in other packages