Security update for python-argcomplete, python-Fabric, python-PyGithub, python-antlr4-python3-runtime, python-avro, python-chardet, python-distro, python-docker, python-fakeredis, python-fixedint, pyth

Announcement ID: SUSE-SU-2024:1639-2
Rating: important
CVSS scores:
  • CVE-2023-28858 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
  • CVE-2023-28858 ( NVD ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
  • CVE-2023-28859 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
  • CVE-2023-28859 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Affected Products:
  • openSUSE Leap 15.5
  • openSUSE Leap 15.6
  • Public Cloud Module 15-SP6
  • Python 3 Module 15-SP6
  • SUSE Linux Enterprise Desktop 15 SP6
  • SUSE Linux Enterprise Real Time 15 SP6
  • SUSE Linux Enterprise Server 15 SP6
  • SUSE Linux Enterprise Server for SAP Applications 15 SP6
  • SUSE Package Hub 15 15-SP6

An update that solves two vulnerabilities and has four security fixes can now be installed.

Description:

This update for python-argcomplete, python-Fabric, python-PyGithub, python-antlr4-python3-runtime, python-avro, python-chardet, python-distro, python-docker, python-fakeredis, python-fixedint, python-httplib2, python-httpretty, python-javaproperties, python-jsondiff, python-knack, python-marshmallow, python-opencensus, python-opencensus-context, python-opencensus-ext-threading, python-opentelemetry-api, python-opentelemetry-sdk, python-opentelemetry-semantic-conventions, python-opentelemetry-test-utils, python-pycomposefile, python-pydash, python-redis, python-retrying, python-semver, python-sshtunnel, python-strictyaml, python-sure, python-vcrpy, python-xmltodict contains the following fixes:

Changes in python-argcomplete:
- Update to 3.3.0 (bsc#1222880):
  * Preserve compatibility with argparse option tuples of length 4. This update is required to use argcomplete on Python 3.11.9+ or 3.12.3+.
- Update to 3.2.3:
  * Allow register-python-argcomplete output to be used as lazy-loaded zsh completion module (#475)
  * Move debug_stream initialization to helper method to allow fd 9 behavior to be overridden in subclasses (#471)

Changes in python-Fabric:
- Update to 3.2.2
- Add fix-test-deps.patch to remove vendored dependencies
  * [Bug]: fabric.runners.Remote failed to properly deregister its SIGWINCH signal handler on shutdown; in rare situations this could cause tracebacks when the Python process receives SIGWINCH while no remote session is active. This has been fixed.
  * [Bug] #2204: The signal handling functionality added in Fabric 2.6 caused unrecoverable tracebacks when invoked from inside a thread (such as the use of fabric.group.ThreadingGroup) under certain interpreter versions. This has been fixed by simply refusing to register signal handlers when not in the main thread. Thanks to Francesco Giordano and others for the reports.
  * [Bug]: Neglected to actually add deprecated to our runtime dependency specification (it was still in our development dependencies). This has been fixed.
  * [Feature]: Enhanced fabric.testing in ways large and small:
    + Backwards-compatibly merged the functionality of MockSFTP into MockRemote (may be opted into by instantiating the latter with enable_sftp=True) so you can mock out both SSH and SFTP functionality in the same test, which was previously impossible. It also means you can use this in a Pytest autouse fixture to prevent any tests from accidentally hitting the network!
    + A new pytest fixture, remote_with_sftp, has been added which leverages the previous bullet point (an all-in-one fixture suitable for, e.g., preventing any incidental ssh/sftp attempts during test execution).
    + A pile of documentation and test enhancements (yes, testing our testing helpers is a thing).
  * [Support]: Added a new runtime dependency on the Deprecated library.
  * [Support]: Language update: applied s/sanity/safety/g to the codebase (with the few actual API members using the term now marked deprecated & new ones added in the meantime, mostly in fabric.testing).
  * [Feature]: Add a new CLI flag to fab, fab --list-agent-keys, which will attempt to connect to your local SSH agent and print a key list, similarly to ssh-add -l. This is mostly useful for expectations-checking Fabric and Paramiko's agent functionality, or for situations where you might not have ssh-add handy.
  * [Feature]: Implement opt-in support for Paramiko 3.2's AuthStrategy machinery, as follows:
    + Added a new module and class, fabric.auth.OpenSSHAuthStrategy, which leverages the aforementioned new Paramiko functionality to marry loaded SSH config files with Fabric-level and runtime-level parameters, arriving at what should be OpenSSH-client-compatible authentication behavior. See its API docs for details.
    + Added new configuration settings: authentication.strategy_class, which defaults to None, but can be set to OpenSSHAuthStrategy to opt in to the new behavior; authentication.identities, which defaults to the empty list, and can be a list of private key paths for use by the new strategy class.
  * [Bug] #2263: Explicitly add our dependency on decorator to setup.py instead of using Invoke's old, now removed, vendored copy of same. This allows Fabric to happily use Invoke 2.1 and above.

Changes in python-PyGithub:
- Switch package to modern Python Stack on SLE-15
  + Add %{?sle15_python_module_pythons}
  + Drop %{?!python_module:%define python_module() python-%{} python3-%{}}
  + Drop %define skip_python2 1

Changes in python-distro: - Switch to autosetup macro.

set first, otherwise a "ValueError: Cannot set verify_mode to CERT_NONE when check_hostname
instead (bnc#761162)
item not in cache
- initial version of python-httplib2 (0.2.0)

Changes in python-httpretty:
- Add patch 0001-Fix-test_417_openssl.py-if-pyOpenSSL-not-available.patch:
  * Fix tests without pyOpenSSL support in urllib3
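The httplib2 fragment above refers to a guard in Python's ssl module: an SSLContext refuses to have verify_mode set to CERT_NONE while check_hostname is still True, so code that wants to switch certificate verification off has to clear check_hostname first. The following is an added example, not code from this advisory or from httplib2; it uses only the standard library and shows the order that raises ValueError, the order that succeeds, and, as the caveat, that the default context keeps both checks on. The function names are this example's own.

```python
from __future__ import annotations

import ssl


def wrong_order_error() -> str:
    """Set verify_mode to CERT_NONE while check_hostname is still enabled.

    ssl.create_default_context() returns a context with check_hostname=True
    and verify_mode=CERT_REQUIRED. Assigning CERT_NONE in that state raises
    ValueError; the message is returned so the caller can inspect it.
    """
    ctx = ssl.create_default_context()
    try:
        ctx.verify_mode = ssl.CERT_NONE
    except ValueError as exc:
        return str(exc)
    return ""


def insecure_context_flags() -> tuple[bool, bool]:
    """Disable verification in the order the ssl module accepts.

    check_hostname is cleared first, then verify_mode is set. The resulting
    context accepts any certificate, so this belongs in tests or behind an
    explicit user opt-in (httplib2's disable_ssl_certificate_validation is
    such an opt-in), never in a default code path.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # must come first
    ctx.verify_mode = ssl.CERT_NONE  # accepted now that hostname checking is off
    return (ctx.check_hostname, ctx.verify_mode == ssl.CERT_NONE)


def default_context_flags() -> tuple[bool, bool]:
    """The secure baseline: hostname check on, peer certificate required."""
    ctx = ssl.create_default_context()
    return (ctx.check_hostname, ctx.verify_mode == ssl.CERT_REQUIRED)


if __name__ == "__main__":
    print("wrong order ->", wrong_order_error())
    print("insecure context (check_hostname, verify_mode is CERT_NONE) ->",
          insecure_context_flags())
    print("default context (check_hostname, verify_mode is CERT_REQUIRED) ->",
          default_context_flags())
```

The guard exists because check_hostname=True without peer verification would be meaningless: there is no trusted certificate to match the hostname against. Treat any code that performs the two assignments as a review finding, and confirm it is reachable only through an explicit, documented opt-in.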

Changes in python-javaproperties:
- Switch package to modern Python Stack on SLE-15
  + Add %{?sle15_python_module_pythons}


v0.8.0 (2020-11-28)

Changes in python-opencensus:
- Add Obsoletes for old python3 package on SLE-15
- Switch build system from setuptools to pyproject.toml
  + Add python-pip and python-wheel to BuildRequires
  + Replace %python_build with %pyproject_wheel
  + Replace %python_install with %pyproject_install
- Update to 0.11.4
  * Changed bit-mapping for httpx and fastapi integrations
- Refresh patches for new version
  * opencensus-pr1002-remove-mock.patch
- Switch package to modern Python Stack on SLE-15
  * Add %{?sle15_python_module_pythons}
  * Drop %{?!python_module:%define python_module() python-%{} python3-%{}}

Changes in python-opencensus-context:
- Clean up the SPEC file
- Switch package to modern Python Stack on SLE-15
  + Add %{?sle15_python_module_pythons}
  + Drop %{?!python_module:%define python_module() python-%{} python3-%{}}
- Update to 0.1.3
  * Move version.py file into runtime_context folder (#1143)

Changes in python-opencensus-ext-threading:
- Switch package to modern Python Stack on SLE-15
  + Add %{?sle15_python_module_pythons}
  + Drop %{?!python_module:%define python_module() python-%{} python3-%{}}
  + Drop build support for Python 2.x

Changes in python-opentelemetry-api:
- Update to 1.23.0:
  * Use Attribute rather than boundattribute in logrecord (#3567)
  * Fix flush error when no LoggerProvider configured for LoggingHandler (#3608)
  * Fix OTLPMetricExporter ignores preferred_aggregation property (#3603)
  * Logs: set observed_timestamp field (#3565)
  * Add missing Resource SchemaURL in OTLP exporters (#3652)
  * Fix loglevel warning text (#3566)
  * Prometheus Exporter string representation for target_info labels (#3659)
  * Logs: ObservedTimestamp field is missing in console exporter output (#3564)
  * Fix explicit bucket histogram aggregation (#3429)
  * Add code.lineno, code.function and code.filepath to all logs (#3645)
  * Add Synchronous Gauge instrument (#3462)
  * Drop support for 3.7 (#3668)
  * Include key in attribute sequence warning (#3639)
  * Upgrade markupsafe, Flask and related dependencies to dev and test environments (#3609)
  * Handle HTTP 2XX responses as successful in OTLP exporters (#3623)
  * Improve Resource Detector timeout messaging (#3645)
  * Add Proxy classes for logging (#3575)
  * Remove dependency on 'backoff' library (#3679)
Changes in python-strictyaml:

Changes in python-vcrpy:
- Update to 6.0.1
  * BREAKING: Fix issue with httpx support (thanks @parkerhancock) in #784.
  * BREAKING: Drop support for boto (vcrpy still supports boto3, but is dropping the deprecated boto support in this release). (thanks @jairhenrique)
  * Fix compatibility issue with Python 3.12 (thanks @hartwork)
  * Drop simplejson (fixes some compatibility issues) (thanks @jairhenrique)
  * Run CI on Python 3.12 and PyPy 3.9-3.10 (thanks @mgorny)
  * Various linting and docs improvements (thanks @jairhenrique)
  * Tornado fixes (thanks @graingert)

Changes in python-xmltodict: - Clean up the SPEC file.

Changes in python-asgiref:

First package shipment.

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
