Security update for python3 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2021:0947-1 Final 1 1 2021-03-24T13:31:16Z current 2021-03-24T13:31:16Z 2021-03-24T13:31:16Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for python3 This update for python3 fixes the following issues: - python36 was updated to 3.6.13 - CVE-2021-23336: Fixed a potential web cache poisoning by using a semicolon in query parameters use of semicolon as a query string separator (bsc#1182379). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Container caasp/v4/389-ds:1.4.2-2021-947,Container caasp/v4/hyperkube:v1.17.17-2021-947,Container caasp/v4/k8s-sidecar:0.1.75-2021-947,Container ses/6/cephcsi/cephcsi:latest-2021-947,Container ses/6/rook/ceph:latest-2021-947,Container ses/7/cephcsi/cephcsi:latest-2021-947,Container ses/7/prometheus-webhook-snmp:latest-2021-947,Container ses/7/rook/ceph:latest-2021-947,Container suse/sles/15.2/virt-handler:0.38.1-2021-947,Container suse/sles/15.2/virt-launcher:0.38.1-2021-947,SUSE-2021-947,SUSE-SLE-Module-Basesystem-15-SP2-2021-947,SUSE-SLE-Module-Development-Tools-15-SP2-2021-947,SUSE-SUSE-MicroOS-5.0-2021-947 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2021/suse-su-20210947-1/ Link for SUSE-SU-2021:0947-1 https://lists.suse.com/pipermail/sle-security-updates/2021-March/008556.html E-Mail link for SUSE-SU-2021:0947-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1182379 SUSE Bug 1182379 https://www.suse.com/security/cve/CVE-2021-23336/ SUSE CVE CVE-2021-23336 page Container caasp/v4/389-ds:1.4.2 Container caasp/v4/hyperkube:v1.17.17 Container caasp/v4/k8s-sidecar:0.1.75 Container ses/6/cephcsi/cephcsi:latest Container ses/6/rook/ceph:latest Container ses/7/cephcsi/cephcsi:latest Container ses/7/prometheus-webhook-snmp:latest Container ses/7/rook/ceph:latest Container suse/sles/15.2/virt-handler:0.38.1 Container suse/sles/15.2/virt-launcher:0.38.1 SUSE Linux Enterprise Micro 5.0 SUSE Linux Enterprise Module for Basesystem 15 SP2 SUSE Linux Enterprise Module for Development Tools 15 SP2 libpython3_6m1_0-3.6.13-3.78.1 python3-3.6.13-3.78.1 python3-base-3.6.13-3.78.1 python3-curses-3.6.13-3.78.1 libpython3_6m1_0-32bit-3.6.13-3.78.1 libpython3_6m1_0-64bit-3.6.13-3.78.1 python3-32bit-3.6.13-3.78.1 python3-64bit-3.6.13-3.78.1 python3-base-32bit-3.6.13-3.78.1 python3-base-64bit-3.6.13-3.78.1 python3-dbm-3.6.13-3.78.1 python3-devel-3.6.13-3.78.1 python3-doc-3.6.13-3.78.1 python3-doc-devhelp-3.6.13-3.78.1 python3-idle-3.6.13-3.78.1 python3-testsuite-3.6.13-3.78.1 python3-tk-3.6.13-3.78.1 python3-tools-3.6.13-3.78.1 libpython3_6m1_0-3.6.13-3.78.1 as a component of Container caasp/v4/389-ds:1.4.2 python3-3.6.13-3.78.1 as a component of Container caasp/v4/389-ds:1.4.2 python3-base-3.6.13-3.78.1 as a component of Container caasp/v4/389-ds:1.4.2 libpython3_6m1_0-3.6.13-3.78.1 as a component of Container caasp/v4/hyperkube:v1.17.17 python3-3.6.13-3.78.1 as a component of Container caasp/v4/hyperkube:v1.17.17 python3-base-3.6.13-3.78.1 as a component of Container caasp/v4/hyperkube:v1.17.17 libpython3_6m1_0-3.6.13-3.78.1 as a component of Container caasp/v4/k8s-sidecar:0.1.75 python3-3.6.13-3.78.1 as a component of Container caasp/v4/k8s-sidecar:0.1.75 python3-base-3.6.13-3.78.1 as a component of Container caasp/v4/k8s-sidecar:0.1.75 libpython3_6m1_0-3.6.13-3.78.1 as a component of Container ses/6/cephcsi/cephcsi:latest python3-3.6.13-3.78.1 as a component of Container ses/6/cephcsi/cephcsi:latest python3-base-3.6.13-3.78.1 as a component of Container ses/6/cephcsi/cephcsi:latest libpython3_6m1_0-3.6.13-3.78.1 as a component of Container ses/6/rook/ceph:latest python3-3.6.13-3.78.1 as a component of Container ses/6/rook/ceph:latest python3-base-3.6.13-3.78.1 as a component of Container ses/6/rook/ceph:latest libpython3_6m1_0-3.6.13-3.78.1 as a component of Container ses/7/cephcsi/cephcsi:latest python3-3.6.13-3.78.1 as a component of Container ses/7/cephcsi/cephcsi:latest python3-base-3.6.13-3.78.1 as a component of Container ses/7/cephcsi/cephcsi:latest python3-curses-3.6.13-3.78.1 as a component of Container ses/7/cephcsi/cephcsi:latest libpython3_6m1_0-3.6.13-3.78.1 as a component of Container ses/7/prometheus-webhook-snmp:latest python3-base-3.6.13-3.78.1 as a component of Container ses/7/prometheus-webhook-snmp:latest libpython3_6m1_0-3.6.13-3.78.1 as a component of Container ses/7/rook/ceph:latest python3-3.6.13-3.78.1 as a component of Container ses/7/rook/ceph:latest python3-base-3.6.13-3.78.1 as a component of Container ses/7/rook/ceph:latest python3-curses-3.6.13-3.78.1 as a component of Container ses/7/rook/ceph:latest libpython3_6m1_0-3.6.13-3.78.1 as a component of Container suse/sles/15.2/virt-handler:0.38.1 python3-base-3.6.13-3.78.1 as a component of Container suse/sles/15.2/virt-handler:0.38.1 libpython3_6m1_0-3.6.13-3.78.1 as a component of Container suse/sles/15.2/virt-launcher:0.38.1 python3-base-3.6.13-3.78.1 as a component of Container suse/sles/15.2/virt-launcher:0.38.1 libpython3_6m1_0-3.6.13-3.78.1 as a component of SUSE Linux Enterprise Micro 5.0 python3-3.6.13-3.78.1 as a component of SUSE Linux Enterprise Micro 5.0 python3-base-3.6.13-3.78.1 as a component of SUSE Linux Enterprise Micro 5.0 libpython3_6m1_0-3.6.13-3.78.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP2 python3-3.6.13-3.78.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP2 python3-base-3.6.13-3.78.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP2 python3-curses-3.6.13-3.78.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP2 python3-dbm-3.6.13-3.78.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP2 python3-devel-3.6.13-3.78.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP2 python3-idle-3.6.13-3.78.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP2 python3-tk-3.6.13-3.78.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP2 python3-tools-3.6.13-3.78.1 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP2 The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter. CVE-2021-23336 Container caasp/v4/389-ds:1.4.2:libpython3_6m1_0-3.6.13-3.78.1 Container caasp/v4/389-ds:1.4.2:python3-3.6.13-3.78.1 Container caasp/v4/389-ds:1.4.2:python3-base-3.6.13-3.78.1 Container caasp/v4/hyperkube:v1.17.17:libpython3_6m1_0-3.6.13-3.78.1 Container caasp/v4/hyperkube:v1.17.17:python3-3.6.13-3.78.1 Container caasp/v4/hyperkube:v1.17.17:python3-base-3.6.13-3.78.1 Container caasp/v4/k8s-sidecar:0.1.75:libpython3_6m1_0-3.6.13-3.78.1 Container caasp/v4/k8s-sidecar:0.1.75:python3-3.6.13-3.78.1 Container caasp/v4/k8s-sidecar:0.1.75:python3-base-3.6.13-3.78.1 Container ses/6/cephcsi/cephcsi:latest:libpython3_6m1_0-3.6.13-3.78.1 Container ses/6/cephcsi/cephcsi:latest:python3-3.6.13-3.78.1 Container ses/6/cephcsi/cephcsi:latest:python3-base-3.6.13-3.78.1 Container ses/6/rook/ceph:latest:libpython3_6m1_0-3.6.13-3.78.1 Container ses/6/rook/ceph:latest:python3-3.6.13-3.78.1 Container ses/6/rook/ceph:latest:python3-base-3.6.13-3.78.1 Container ses/7/cephcsi/cephcsi:latest:libpython3_6m1_0-3.6.13-3.78.1 Container ses/7/cephcsi/cephcsi:latest:python3-3.6.13-3.78.1 Container ses/7/cephcsi/cephcsi:latest:python3-base-3.6.13-3.78.1 Container ses/7/cephcsi/cephcsi:latest:python3-curses-3.6.13-3.78.1 Container ses/7/prometheus-webhook-snmp:latest:libpython3_6m1_0-3.6.13-3.78.1 Container ses/7/prometheus-webhook-snmp:latest:python3-base-3.6.13-3.78.1 Container ses/7/rook/ceph:latest:libpython3_6m1_0-3.6.13-3.78.1 Container ses/7/rook/ceph:latest:python3-3.6.13-3.78.1 Container ses/7/rook/ceph:latest:python3-base-3.6.13-3.78.1 Container ses/7/rook/ceph:latest:python3-curses-3.6.13-3.78.1 Container suse/sles/15.2/virt-handler:0.38.1:libpython3_6m1_0-3.6.13-3.78.1 Container suse/sles/15.2/virt-handler:0.38.1:python3-base-3.6.13-3.78.1 Container suse/sles/15.2/virt-launcher:0.38.1:libpython3_6m1_0-3.6.13-3.78.1 Container suse/sles/15.2/virt-launcher:0.38.1:python3-base-3.6.13-3.78.1 SUSE Linux Enterprise Micro 5.0:libpython3_6m1_0-3.6.13-3.78.1 SUSE Linux Enterprise Micro 5.0:python3-3.6.13-3.78.1 SUSE Linux Enterprise Micro 5.0:python3-base-3.6.13-3.78.1 SUSE Linux Enterprise Module for Basesystem 15 SP2:libpython3_6m1_0-3.6.13-3.78.1 SUSE Linux Enterprise Module for Basesystem 15 SP2:python3-3.6.13-3.78.1 SUSE Linux Enterprise Module for Basesystem 15 SP2:python3-base-3.6.13-3.78.1 SUSE Linux Enterprise Module for Basesystem 15 SP2:python3-curses-3.6.13-3.78.1 SUSE Linux Enterprise Module for Basesystem 15 SP2:python3-dbm-3.6.13-3.78.1 SUSE Linux Enterprise Module for Basesystem 15 SP2:python3-devel-3.6.13-3.78.1 SUSE Linux Enterprise Module for Basesystem 15 SP2:python3-idle-3.6.13-3.78.1 SUSE Linux Enterprise Module for Basesystem 15 SP2:python3-tk-3.6.13-3.78.1 SUSE Linux Enterprise Module for Development Tools 15 SP2:python3-tools-3.6.13-3.78.1 moderate 4 AV:N/AC:H/Au:N/C:N/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20210947-1/ https://www.suse.com/security/cve/CVE-2021-23336.html CVE-2021-23336 https://bugzilla.suse.com/1182179 SUSE Bug 1182179 https://bugzilla.suse.com/1182379 SUSE Bug 1182379 https://bugzilla.suse.com/1182433 SUSE Bug 1182433