Security update for python-sqlparse SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2023:2462-1 Final 1 1 2023-06-08T07:42:04Z current 2023-06-08T07:42:04Z 2023-06-08T07:42:04Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for python-sqlparse This update for python-sqlparse fixes the following issues: - CVE-2023-30608: Fixed a Regular Expression Denial of Service (ReDOS) vulnerability (bsc#1210617). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2023-2462,SUSE-SLE-Module-Packagehub-Subpackages-15-SP4-2023-2462,SUSE-SLE-Module-Packagehub-Subpackages-15-SP5-2023-2462 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2023/suse-su-20232462-1/ Link for SUSE-SU-2023:2462-1 https://lists.suse.com/pipermail/sle-updates/2023-June/029777.html E-Mail link for SUSE-SU-2023:2462-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1210617 SUSE Bug 1210617 https://www.suse.com/security/cve/CVE-2023-30608/ SUSE CVE CVE-2023-30608 page SUSE Linux Enterprise Module for Package Hub 15 SP4 SUSE Linux Enterprise Module for Package Hub 15 SP5 python2-sqlparse-0.2.4-150100.6.3.1 python3-sqlparse-0.2.4-150100.6.3.1 python2-sqlparse-0.2.4-150100.6.3.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP4 python2-sqlparse-0.2.4-150100.6.3.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP5 sqlparse is a non-validating SQL parser module for Python. In affected versions the SQL parser contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service). This issue was introduced by commit `e75e358`. The vulnerability may lead to Denial of Service (DoS). This issues has been fixed in sqlparse 0.4.4 by commit `c457abd5f`. Users are advised to upgrade. There are no known workarounds for this issue. CVE-2023-30608 SUSE Linux Enterprise Module for Package Hub 15 SP4:python2-sqlparse-0.2.4-150100.6.3.1 SUSE Linux Enterprise Module for Package Hub 15 SP5:python2-sqlparse-0.2.4-150100.6.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20232462-1/ https://www.suse.com/security/cve/CVE-2023-30608.html CVE-2023-30608 https://bugzilla.suse.com/1210617 SUSE Bug 1210617 https://bugzilla.suse.com/1227303 SUSE Bug 1227303