| Description: | Summary:
The remote host is missing an update for the 'python39'
package(s) announced via the SUSE-SU-2023:2957-1 advisory.
Vulnerability Insight:
This update for python39 fixes the following issues:
Update to 3.9.17:
* urllib.parse.urlsplit() now strips leading C0 control and space characters
following the specification for URLs defined by WHATWG in response to
CVE-2023-24329 (bsc#1208471).
* Fixed a security in flaw in uu.decode() that could allow for directory
traversal based on the input if no out_file was specified.
* Do not expose the local on-disk location in directory indexes produced by
http.client.SimpleHTTPRequestHandler.
* trace. **main** now uses io.open_code() for files to be executed instead of
raw open().
* CVE-2007-4559: The extraction methods in tarfile, and
shutil.unpack_archive(), have a new filter argument that allows limiting tar
features than may be surprising or dangerous, such as creating files outside
the destination directory. See Extraction filters for details (fixing
bsc#1203750).
* Fixed a deadlock at shutdown when clearing thread states if any finalizer
tries to acquire the runtime head lock.
* Fixed a crash due to a race while iterating over thread states in clearing
threading.local.
##
Affected Software/OS:
'python39' package(s) on openSUSE Leap 15.4, openSUSE Leap 15.5.
Solution:
Please install the updated package(s).
CVSS Score:
6.8
CVSS Vector:
AV:N/AC:M/Au:N/C:P/I:P/A:P
|
