openSUSE Recommended Update: Recommended update for aws-cli, python-boto3, python-botocore, python-s3transfer ______________________________________________________________________________ Announcement ID: openSUSE-RU-2018:4114-1 Rating: moderate References: #1088310 #1092493 #1098125 #1105988 #1118021 #1118027 Affected Products: openSUSE Leap 15.0 ______________________________________________________________________________ An update that solves one vulnerability and has 5 fixes is now available. Description: This update for aws-cli, python-boto3, python-botocore, python-s3transfer fixes the following issues: aws-cli: - Update to version 1.16.61. (bsc#1088310) + For detailed changes see https://github.com/aws/aws-cli/blob/1.16.1/CHANGELOG.rst - Update to version 1.16.1 (bsc#1105988, bsc#1092493) + CVE-2018-15869: An Amazon Web Services (AWS) developer who does not specify the --owners flag when describing images via AWS CLI, and therefore not properly validating source software per AWS recommended security best practices, might have unintentionally loaded an undesired and potentially malicious Amazon Machine Image (AMI) from the uncurated public community AMI catalog. - Disable vendored versions of requests and six from botocore and use requests and six from the RPM packages. python-botocore: - Update to version 1.10.40 + For detailed changes, please refer to the changelog. + Remove the broken attempt to avoid using the bundeled requests module provided by the source (bsc#1088310) python-boto3: - Version update to 1.9.57 (bsc#1118021, bsc#1118027) + For detailed changes, please refer to the changelog. python-s3transfer: - Update to version 0.1.13 - Make sure to really not use any bundles. - enhancement:max_bandwidth: Add ability to set maximum bandwidth consumption for streaming of S3 uploads and downloads. This update was imported from the SUSE:SLE-15:Update update project. Patch Instructions: To install this openSUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 15.0: zypper in -t patch openSUSE-2018-1545=1 Package List: - openSUSE Leap 15.0 (noarch): aws-cli-1.16.61-lp150.3.3.1 python2-boto3-1.9.57-lp150.2.3.1 python2-botocore-1.12.57-lp150.2.3.1 python2-s3transfer-0.1.13-lp150.2.3.1 python3-boto3-1.9.57-lp150.2.3.1 python3-botocore-1.12.57-lp150.2.3.1 python3-s3transfer-0.1.13-lp150.2.3.1 References: https://www.suse.com/security/cve/CVE-2018-15869.html https://bugzilla.suse.com/1088310 https://bugzilla.suse.com/1092493 https://bugzilla.suse.com/1098125 https://bugzilla.suse.com/1105988 https://bugzilla.suse.com/1118021 https://bugzilla.suse.com/1118027