openSUSE Security Update: python: update to 2.7.6
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2014:0380-1
Rating:             moderate
References:         #637176 #831442 #856835 #856836 #857470 #863741
Cross-References:   CVE-2013-1752 CVE-2013-1753 CVE-2013-4238
                    CVE-2014-1912
Affected Products:
                    openSUSE 13.1
______________________________________________________________________________

   An update that solves four vulnerabilities and has two fixes
   is now available.

Description:

   Python was updated to 2.7.6 to fix bugs and security issues:

   * bugfix-only release
   * SSL-related fixes
   * upstream fix for CVE-2013-4238
   * upstream fixes for CVE-2013-1752

   - added patches for CVE-2013-1752 (bnc#856836) issues that are
     missing in 2.7.6:
       python-2.7.6-imaplib.patch
       python-2.7.6-poplib.patch
       smtplib_maxline-2.7.patch
   - CVE-2013-1753 (bnc#856835) gzip decompression bomb in xmlrpc
     client: xmlrpc_gzip_27.patch
   - python-2.7.6-bdist-rpm.patch: fix broken "setup.py bdist_rpm"
     command (bnc#857470, issue18045)
   - multilib patch: add "~/.local/lib64" paths to search path
     (bnc#637176)
   - CVE-2014-1912-recvfrom_into.patch: fix potential buffer overflow
     in socket.recvfrom_into (CVE-2014-1912, bnc#863741)
   - Add Obsoletes/Provides for python-ctypes.
   - reintroduce audioop.so as the problems with it seem to be fixed
     (bnc#831442)

Patch Instructions:

   To install this openSUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - openSUSE 13.1:

      zypper in -t patch openSUSE-2014-213

   To bring your system up-to-date, use "zypper patch".

Package List:

   - openSUSE 13.1 (i586 x86_64):

      libpython2_7-1_0-2.7.6-8.6.1
      libpython2_7-1_0-debuginfo-2.7.6-8.6.1
      python-2.7.6-8.6.1
      python-base-2.7.6-8.6.1
      python-base-debuginfo-2.7.6-8.6.1
      python-base-debugsource-2.7.6-8.6.1
      python-curses-2.7.6-8.6.1
      python-curses-debuginfo-2.7.6-8.6.1
      python-debuginfo-2.7.6-8.6.1
      python-debugsource-2.7.6-8.6.1
      python-demo-2.7.6-8.6.1
      python-devel-2.7.6-8.6.1
      python-gdbm-2.7.6-8.6.1
      python-gdbm-debuginfo-2.7.6-8.6.1
      python-idle-2.7.6-8.6.1
      python-tk-2.7.6-8.6.1
      python-tk-debuginfo-2.7.6-8.6.1
      python-xml-2.7.6-8.6.1
      python-xml-debuginfo-2.7.6-8.6.1

   - openSUSE 13.1 (x86_64):

      libpython2_7-1_0-32bit-2.7.6-8.6.1
      libpython2_7-1_0-debuginfo-32bit-2.7.6-8.6.1
      python-32bit-2.7.6-8.6.1
      python-base-32bit-2.7.6-8.6.1
      python-base-debuginfo-32bit-2.7.6-8.6.1
      python-debuginfo-32bit-2.7.6-8.6.1

   - openSUSE 13.1 (noarch):

      python-doc-2.7.6-8.6.1
      python-doc-pdf-2.7.6-8.6.1

References:

   http://support.novell.com/security/cve/CVE-2013-1752.html
   http://support.novell.com/security/cve/CVE-2013-1753.html
   http://support.novell.com/security/cve/CVE-2013-4238.html
   http://support.novell.com/security/cve/CVE-2014-1912.html
   https://bugzilla.novell.com/637176
   https://bugzilla.novell.com/831442
   https://bugzilla.novell.com/856835
   https://bugzilla.novell.com/856836
   https://bugzilla.novell.com/857470
   https://bugzilla.novell.com/863741