[SUSE-SU-2023:2783-2] Security update for grpc, protobuf, python-Deprecated, python-PyGithub, python-aiocontextvars, python-avro, python-bcrypt, python-cryptography, python-cryptography-vectors, python-google-api-core, python-googleapis-common-protos, python-grpcio-gcp, python-humanfriendly, python-jsondiff, python-knack, python-opencensus, python-opencensus-context, python-opencensus-ext-threading, python-opentelemetry-api, python-psutil, python-pytest-asyncio, python-requests, python-websocket-client, python-websockets

Severity Important
CVEs 7

This update for grpc, protobuf, python-Deprecated, python-PyGithub, python-aiocontextvars, python-avro, python-bcrypt, python-cryptography, python-cryptography-vectors, python-google-api-core, python-googleapis-common-protos, python-grpcio-gcp, python-humanfriendly, python-jsondiff, python-knack, python-opencensus, python-opencensus-context, python-opencensus-ext-threading, python-opentelemetry-api, python-psutil, python-pytest-asyncio, python-requests, python-websocket-client, python-websockets fixes the following issues:

grpc:
- Update in SLE-15 (bsc#1197726, bsc#1144068)

protobuf:
- Fix a potential DoS issue in protobuf-cpp and protobuf-python, CVE-2022-1941, bsc#1203681
- Fix a potential DoS issue when parsing with binary data in protobuf-java, CVE-2022-3171, bsc#1204256
- Fix potential Denial of Service in protobuf-java in the parsing procedure for binary data, CVE-2021-22569, bsc#1194530
- Add missing dependency of python subpackages on python-six (bsc#1177127)
- Updated to version 3.9.2 (bsc#1162343)
  * Remove OSReadLittle* due to alignment requirements.
  * Don't use unions and instead use memcpy for the type swaps.
- Disable LTO (bsc#1133277)

python-aiocontextvars:

- Include in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)

python-avro:
- Include in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
- Update in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)

python-cryptography:

- update to 3.3.2 (bsc#1182066, CVE-2020-36242, bsc#1198331)
  * SECURITY ISSUE: Fixed a bug where certain sequences of update() calls when symmetrically encrypting very large payloads (>2GB) could result in an integer overflow, leading to buffer overflows. CVE-2020-36242

python-cryptography-vectors:
- update to 3.2 (bsc#1178168, CVE-2020-25659):
  * CVE-2020-25659: Attempted to make RSA PKCS#1v1.5 decryption more constant time, to protect against Bleichenbacher vulnerabilities. Due to limitations imposed by our API, we cannot completely mitigate this vulnerability.
  * Support for OpenSSL 1.0.2 has been removed.
  * Added basic support for PKCS7 signing (including SMIME) via PKCS7SignatureBuilder.
- update to 3.3.2 (bsc#1198331)

python-Deprecated:
- Include in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
- update to 1.2.13:

python-google-api-core:
- Update to 1.14.2

python-googleapis-common-protos:
- Update to 1.6.0

python-grpcio-gcp:
- Initial spec for v0.2.2

python-humanfriendly:
- Update in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
- Update to 10.0

python-jsondiff:
- Update in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
- Update to version 1.3.0

python-knack:

- Update in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
- Update to version 0.9.0

python-opencensus:
- Include in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
- Disable Python2 build
- Update to 0.8.0

python-opencensus-context:

- Include in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)

python-opencensus-ext-threading:

- Include in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
- Initial build version 0.1.2

python-opentelemetry-api:
- Include in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
- Version update to 1.5.0

python-psutil:
- Update in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
- update to 5.9.1
- remove the dependency on net-tools, since it conflicts with busybox-hostname, which is the default on MicroOS (bsc#1184753)
- Include in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)

python-PyGithub:
- Update to 1.43.5:

python-pytest-asyncio:

- Include in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
- Initial release of python-pytest-asyncio 0.8.0

python-requests:
- Update in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)

python-websocket-client:
- Update in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
- Update to version 1.3.2

python-websockets:
- Include in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
- update to 9.1:

ID SUSE-SU-2023:2783-2
Severity important
URL https://www.suse.com/support/update/announcement/2023/suse-su-20232783-2/
Published 2023-09-19T21:52:38
Modified 2023-09-19T21:52:38
Rights Copyright 2024 SUSE LLC. All rights reserved.

Other Advisories
Source # ID Name URL
Suse SUSE ratings https://www.suse.com/support/security/rating/
Suse URL of this CSAF notice https://ftp.suse.com/pub/projects/security/csaf/suse-su-2023_2783-2.json
Suse URL for SUSE-SU-2023:2783-2 https://www.suse.com/support/update/announcement/2023/suse-su-20232783-2/
Suse E-Mail link for SUSE-SU-2023:2783-2 https://lists.suse.com/pipermail/sle-security-updates/2023-September/016228.html
Bugzilla SUSE Bug 1099269 https://bugzilla.suse.com/1099269
Bugzilla SUSE Bug 1133277 https://bugzilla.suse.com/1133277
Bugzilla SUSE Bug 1144068 https://bugzilla.suse.com/1144068
Bugzilla SUSE Bug 1162343 https://bugzilla.suse.com/1162343
Bugzilla SUSE Bug 1177127 https://bugzilla.suse.com/1177127
Bugzilla SUSE Bug 1178168 https://bugzilla.suse.com/1178168
Bugzilla SUSE Bug 1182066 https://bugzilla.suse.com/1182066
Bugzilla SUSE Bug 1184753 https://bugzilla.suse.com/1184753
Bugzilla SUSE Bug 1194530 https://bugzilla.suse.com/1194530
Bugzilla SUSE Bug 1197726 https://bugzilla.suse.com/1197726
Bugzilla SUSE Bug 1198331 https://bugzilla.suse.com/1198331
Bugzilla SUSE Bug 1199282 https://bugzilla.suse.com/1199282
Bugzilla SUSE Bug 1203681 https://bugzilla.suse.com/1203681
Bugzilla SUSE Bug 1204256 https://bugzilla.suse.com/1204256
CVE SUSE CVE CVE-2018-1000518 page https://www.suse.com/security/cve/CVE-2018-1000518/
CVE SUSE CVE CVE-2020-25659 page https://www.suse.com/security/cve/CVE-2020-25659/
CVE SUSE CVE CVE-2020-36242 page https://www.suse.com/security/cve/CVE-2020-36242/
CVE SUSE CVE CVE-2021-22569 page https://www.suse.com/security/cve/CVE-2021-22569/
CVE SUSE CVE CVE-2021-22570 page https://www.suse.com/security/cve/CVE-2021-22570/
CVE SUSE CVE CVE-2022-1941 page https://www.suse.com/security/cve/CVE-2022-1941/
CVE SUSE CVE CVE-2022-3171 page https://www.suse.com/security/cve/CVE-2022-3171/