Security update for python-sqlparse SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2021:3857-1 Final 1 1 2021-12-01T16:02:13Z current 2021-12-01T16:02:13Z 2021-12-01T16:02:13Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for python-sqlparse This update for python-sqlparse fixes the following issues: - CVE-2021-32839: Fixed ReDoS via regular expression in StripComments filter (bsc#1190741). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2021-3857,SUSE-SLE-Module-Basesystem-15-SP3-2021-3857 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2021/suse-su-20213857-1/ Link for SUSE-SU-2021:3857-1 https://lists.suse.com/pipermail/sle-security-updates/2021-December/009797.html E-Mail link for SUSE-SU-2021:3857-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1190741 SUSE Bug 1190741 https://www.suse.com/security/cve/CVE-2021-32839/ SUSE CVE CVE-2021-32839 page SUSE Linux Enterprise Module for Basesystem 15 SP3 python3-sqlparse-0.4.2-3.3.1 python3-sqlparse-0.4.2-3.3.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP3 sqlparse is a non-validating SQL parser module for Python. In sqlparse versions 0.4.0 and 0.4.1 there is a regular Expression Denial of Service in sqlparse vulnerability. The regular expression may cause exponential backtracking on strings containing many repetitions of '\r\n' in SQL comments. Only the formatting feature that removes comments from SQL statements is affected by this regular expression. As a workaround don't use the sqlformat.format function with keyword strip_comments=True or the --strip-comments command line flag when using the sqlformat command line tool. The issues has been fixed in sqlparse 0.4.2. CVE-2021-32839 SUSE Linux Enterprise Module for Basesystem 15 SP3:python3-sqlparse-0.4.2-3.3.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20213857-1/ https://www.suse.com/security/cve/CVE-2021-32839.html CVE-2021-32839 https://bugzilla.suse.com/1190741 SUSE Bug 1190741