| Description: | Summary:
The remote host is missing an update for the 'python39' package(s) announced via the SUSE-SU-2023:2957-1 advisory.
Vulnerability Insight:
This update for python39 fixes the following issues:
Update to 3.9.17:
- urllib.parse.urlsplit() now strips leading C0 control and space
characters following the specification for URLs defined by WHATWG in
response to CVE-2023-24329 (bsc#1208471).
- Fixed a security in flaw in uu.decode() that could allow for directory
traversal based on the input if no out_file was specified.
- Do not expose the local on-disk location in directory indexes produced by
http.client.SimpleHTTPRequestHandler.
- trace.__main__ now uses io.open_code() for files
to be executed instead of raw open().
- CVE-2007-4559: The extraction methods in tarfile, and shutil.unpack_archive(), have
a new filter argument that allows limiting tar features than may be
surprising or dangerous, such as creating files outside the destination
directory. See Extraction filters for details (fixing bsc#1203750).
- Fixed a deadlock at shutdown when clearing thread states if any
finalizer tries to acquire the runtime head lock.
- Fixed a crash due to a race while iterating over thread states in
clearing threading.local.
Affected Software/OS:
'python39' package(s) on SUSE Linux Enterprise Server 15-SP3, SUSE Linux Enterprise Server for SAP Applications 15-SP3.
Solution:
Please install the updated package(s).
CVSS Score:
6.8
CVSS Vector:
AV:N/AC:M/Au:N/C:P/I:P/A:P
|
