| Description: | Summary:
The remote host is missing an update for the 'python310'
package(s) announced via the SUSE-SU-2023:2884-1 advisory.
Vulnerability Insight:
This update for python310 fixes the following issues:
* Make marshalling of `set` and `frozenset` deterministic (bsc#1211765)
python310 was updated to 3.10.12:
* urllib.parse.urlsplit() now strips leading C0 control and space characters
following the specification for URLs defined by WHATWG in response to
CVE-2023-24329 (bsc#1208471).
* Fixed a security in flaw in uu.decode() that could allow for directory
traversal based on the input if no out_file was specified.
* Do not expose the local on-disk location in directory indexes produced by
http.client.SimpleHTTPRequestHandler.
* trace. **main** now uses io.open_code() for files to be executed instead of
raw open().
* CVE-2007-4559: The extraction methods in tarfile, and
shutil.unpack_archive(), have a new filter argument that allows limiting tar
features than may be surprising or dangerous, such as creating files outside
the destination directory. See Extraction filters for details (fixing
bsc#1203750).
##
Affected Software/OS:
'python310' package(s) on openSUSE Leap 15.4, openSUSE Leap 15.5.
Solution:
Please install the updated package(s).
CVSS Score:
6.8
CVSS Vector:
AV:N/AC:M/Au:N/C:P/I:P/A:P
|
