-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.1066
           SUSE-SU-2020:0790-1 Security update for python-cffi,
                     python-cryptography, python-xattr
                               26 March 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           python-cffi, python-cryptography, python-xattr
Publisher:         SUSE
Operating System:  SUSE
Impact/Access:     Cross-site Request Forgery -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-10903  

Reference:         ESB-2018.3561
                   ESB-2018.3330
                   ESB-2018.3277
                   ESB-2018.2129

Original Bulletin: 
   https://www.suse.com/support/update/announcement/2020/suse-su-20200790-1.html

Comment: This bulletin contains two (2) SUSE security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

SUSE Security Update: Security update for python-cffi, python-cryptography, python-xattr

______________________________________________________________________________

Announcement ID:   SUSE-SU-2020:0790-1
Rating:            moderate
References:        #1055478 #1070737 #1101820 #1111657 #1138748 #1149792
                   #981848
Cross-References:  CVE-2018-10903
Affected Products:
                   SUSE OpenStack Cloud 6-LTSS
                   SUSE Linux Enterprise Server for SAP 12-SP1
                   SUSE Linux Enterprise Server 12-SP1-LTSS
______________________________________________________________________________

An update that solves one vulnerability and has 6 fixes is now available.

Description:

This update for python-cffi, python-cryptography and python-xattr fixes the
following issues:
Security issue fixed:

  o CVE-2018-10903: Fixed GCM tag forgery via truncated tag in
    finalize_with_tag API (bsc#1101820).
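The entry above names the bug class only in one line: a GCM tag check that lets the caller decide how many tag bytes are compared. The following block is an added illustration of that class and its hardened form; it is not code from this advisory or from python-cryptography. HMAC-SHA256 stands in for the GCM authentication tag so that it runs on the standard library alone, and the key and ciphertext are constructed sample values. Only the verification logic is the point.

```python
# Added illustration, not code from the advisory or from python-cryptography:
# why an AEAD tag check must enforce the tag length before comparing.
# HMAC-SHA256 stands in for the GCM authentication tag so the block runs on
# the standard library alone; only the verification logic is the point.
import hashlib
import hmac

TAG_LEN = 16  # nominal tag length in bytes (a 128-bit GCM tag)

# Constructed sample key and ciphertext; any bytes would do.
KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f"
                    "101112131415161718191a1b1c1d1e1f")
CIPHERTEXT = b"\x8a\x13constructed-ciphertext-bytes\x00\x7f"


def compute_tag(key: bytes, ciphertext: bytes) -> bytes:
    """Stand-in for the GCM tag: an HMAC cut to the nominal tag length."""
    return hmac.new(key, ciphertext, hashlib.sha256).digest()[:TAG_LEN]


def verify_tag_truncating(key: bytes, ciphertext: bytes, tag: bytes) -> bool:
    """Defective pattern: the caller-supplied tag decides how many bytes are
    compared. A 1-byte tag is accepted for 1 in 256 values, and an empty tag
    is accepted unconditionally."""
    expected = compute_tag(key, ciphertext)
    return hmac.compare_digest(expected[:len(tag)], tag)


def verify_tag_fixed(key: bytes, ciphertext: bytes, tag: bytes,
                     min_tag_length: int = TAG_LEN) -> bool:
    """Hardened pattern: reject any tag outside [min_tag_length, TAG_LEN]
    before the constant-time comparison, so the verifier, not the caller,
    controls how much of the tag must match."""
    if not 4 <= min_tag_length <= TAG_LEN:
        raise ValueError("min_tag_length must be between 4 and %d" % TAG_LEN)
    if not min_tag_length <= len(tag) <= TAG_LEN:
        return False
    expected = compute_tag(key, ciphertext)
    return hmac.compare_digest(expected[:len(tag)], tag)


def count_accepted_short_tags(verifier, key: bytes, ciphertext: bytes,
                              tag_len: int = 1) -> int:
    """Unit-test style check of a verifier: of the 256**tag_len possible
    short tags, how many does it accept? A sound verifier accepts none."""
    accepted = 0
    for value in range(256 ** tag_len):
        candidate = value.to_bytes(tag_len, "big")
        if verifier(key, ciphertext, candidate):
            accepted += 1
    return accepted


if __name__ == "__main__":
    full_tag = compute_tag(KEY, CIPHERTEXT)
    print("full tag, defective verifier: ", verify_tag_truncating(KEY, CIPHERTEXT, full_tag))
    print("full tag, fixed verifier:     ", verify_tag_fixed(KEY, CIPHERTEXT, full_tag))
    print("empty tag, defective verifier:", verify_tag_truncating(KEY, CIPHERTEXT, b""))
    print("empty tag, fixed verifier:    ", verify_tag_fixed(KEY, CIPHERTEXT, b""))
    print("1-byte tags accepted, defective:",
          count_accepted_short_tags(verify_tag_truncating, KEY, CIPHERTEXT))
    print("1-byte tags accepted, fixed:    ",
          count_accepted_short_tags(verify_tag_fixed, KEY, CIPHERTEXT))
```

The lower bound of 4 bytes and default of 16 in verify_tag_fixed mirror the min_tag_length argument that python-cryptography's GCM mode takes; the point of the fixed version is that a truncated tag must be an explicit, bounded configuration choice on the verifying side, never something the message itself can shorten. When auditing a deployment, the version check (python-cryptography 2.1.4 or later on the products listed in this advisory) is the practical test; the count function above is the kind of regression test a library would keep for this check.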


Non-security issues fixed:
python-cffi was updated to 1.11.2 (bsc#1138748, jsc#ECO-1256, jsc#PM-1598):

  o fixed a build failure on i586 (bsc#1111657)
  o Salt was unable to highstate in snapshot 20171129 (bsc#1070737)


  o Update pytest in spec to add c directory tests in addition to testing
    directory.


Update to 1.11.1:

  o Fix tests, remove deprecated C API usage
  o Fix (hack) for 3.6.0/3.6.1/3.6.2 giving incompatible binary extensions
    (cpython issue #29943)
  o Fix for 3.7.0a1+


Update to 1.11.0:

  o Support the modern standard types char16_t and char32_t. These work like
    wchar_t: they represent one unicode character, or when used as charN_t * or
    charN_t[] they represent a unicode string. The difference with wchar_t is
    that they have a known, fixed size. They should work at all places that
    used to work with wchar_t (please report an issue if I missed something).
    Note that with set_source(), you need to make sure that these types are
    actually defined by the C source you provide (if used in cdef()).
  o Support the C99 types float _Complex and double _Complex. Note that libffi
    doesn't support them, which means that in the ABI mode you still cannot
    call C functions that take complex numbers directly as arguments or return
    type.
  o Fixed a rare race condition when creating multiple FFI instances from
    multiple threads. (Note that you aren't meant to create many FFI instances:
    in inline mode, you should write ffi = cffi.FFI() at module level just
    after import cffi; and in out-of-line mode you don't instantiate FFI
    explicitly at all.)
  o Windows: using callbacks can be messy because the CFFI internal error
    messages show up to stderr, but stderr goes nowhere in many applications.
    This makes it particularly hard to get started with the embedding mode.
    (Once you get started, you can at least use @ffi.def_extern(onerror=...)
    and send the error logs where it makes sense for your application, or
    record them in log files, and so on.) So what is new in CFFI is that now,
    on Windows CFFI will try to open a non-modal MessageBox (in addition to
    sending raw messages to stderr). The MessageBox is only visible if the
    process stays alive: typically, console applications that crash close
    immediately, but that is also the situation where stderr should be visible
    anyway.
  o Progress on support for callbacks in NetBSD.
  o Functions returning booleans would in some case still return 0 or 1 instead
    of False or True. Fixed.
  o ffi.gc() now takes an optional third parameter, which gives an estimate of
    the size (in bytes) of the object. So far, this is only used by PyPy, to
    make the next GC occur more quickly (issue #320). In the future, this might
    have an effect on CPython too (provided the CPython issue 31105 is
    addressed).
  o Add a note to the documentation: the ABI mode gives function objects that
    are slower to call than the API mode does. For some reason it is often
    thought to be faster. It is not!


Update to 1.10.1:

  o Fixed the line numbers reported in case of cdef() errors. Also, I just
    noticed, but pycparser always supported the preprocessor directive # 42
    "foo.h" to mean "from the next line, we're in file foo.h starting from line
    42", which it puts in the error messages.


Update to 1.10.0:
Issue #295: use calloc() directly instead of PyObject_Malloc()+memset() to
handle ffi.new() with a default allocator. Speeds up ffi.new(large-array) where
most of the time you never touch most of the array.

  o Some OS/X build fixes ("only with Xcode but without CLT").
  o Improve a couple of error messages: when getting mismatched versions of
    cffi and its backend; and when calling functions which cannot be called
    with libffi because an argument is a struct that is "too complicated" (and
    not a struct pointer, which always works).
  o Add support for some unusual compilers (non-msvc, non-gcc, non-icc,
    non-clang)
  o Implemented the remaining cases for ffi.from_buffer. Now all buffer/
    memoryview objects can be passed. The one remaining check is against
    passing unicode strings in Python 2. (They support the buffer interface,
    but that gives the raw bytes behind the UTF16/UCS4 storage, which is most
    of the times not what you expect. In Python 3 this has been fixed and the
    unicode strings don't support the memoryview interface any more.)
  o The C type _Bool or bool now converts to a Python boolean when reading,
    instead of the content of the byte as an integer. The potential
    incompatibility here is what occurs if the byte contains a value different
    from 0 and 1. Previously, it would just return it; with this change, CFFI
    raises an exception in this case. But this case means "undefined behavior"
    in C; if you really have to interface with a library relying on this, don't
    use bool in the CFFI side. Also, it is still valid to use a byte string as
    initializer for a bool[], but now it must only contain \x00 or \x01. As an
    aside, ffi.string() no longer works on bool[] (but it never made much
    sense, as this function stops at the first zero).
  o ffi.buffer is now the name of cffi's buffer type, and ffi.buffer() works
    like before but is the constructor of that type.
  o ffi.addressof(lib, "name") now works also in in-line mode, not only in
    out-of-line mode. This is useful for taking the address of global
    variables.
  o Issue #255: cdata objects of a primitive type (integers, floats, char) are
    now compared and ordered by value. For example, compares equal to 42 and
    compares equal to b'A'. Unlike C, does not compare equal to ffi.cast
    ("unsigned int", -1): it compares smaller, because -1
  o PyPy: ffi.new() and ffi.new_allocator()() did not record "memory
    pressure", causing the GC to run too infrequently if you call ffi.new()
    very often and/or with large arrays. Fixed in PyPy 5.7.
  o Support in ffi.cdef() for numeric expressions with + or -. Assumes that
    there is no overflow; it should be fixed first before we add more general
    support for arbitrary arithmetic on constants.


Update to 1.9.1:

  o Structs with variable-sized arrays as their last field: now we track the
    length of the array after ffi.new() is called, just like we always tracked
    the length of ffi.new("int[]", 42). This lets us detect out-of-range
    accesses to array items. This also lets us display a better repr(), and
    have the total size returned by ffi.sizeof() and ffi.buffer(). Previously
    both functions would return a result based on the size of the declared
    structure type, with an assumed empty array. (Thanks andrew for starting
    this refactoring.)
  o Add support in cdef()/set_source() for unspecified-length arrays in
    typedefs: typedef int foo_t[...];. It was already supported for global
    variables or structure fields.
  o I turned in v1.8 a warning from cffi/model.py into an error: 'enum xxx' has
    no values explicitly defined: refusing to guess which integer type it is
    meant to be (unsigned/signed, int/long). Now I'm turning it back to a
    warning again; it seems that guessing that the enum has size int is a
    99%-safe bet. (But not 100%, so it stays as a warning.)
  o Fix leaks in the code handling FILE * arguments. In CPython 3 there is a
    remaining issue that is hard to fix: if you pass a Python file object to a
    FILE * argument, then os.dup() is used and the new file descriptor is only
    closed when the GC reclaims the Python file object, and not at the earlier
    time when you call close(), which only closes the original file descriptor.
    If this is an issue, you should avoid this automatic conversion of Python
    file objects: instead, explicitly manipulate file descriptors and call
    fdopen() from C (...via cffi).
  o When passing a void * argument to a function with a different pointer type,
    or vice-versa, the cast occurs automatically, like in C. The same occurs
    for initialization with ffi.new() and a few other places. However, I
    thought that char * had the same property, but I was mistaken. In C you get
    the usual warning if you try to give a char * to a char ** argument, for
    example. Sorry about the confusion. This has been fixed in CFFI by giving
    for now a warning, too. It will turn into an error in a future version.
  o Issue #283: fixed ffi.new() on structures/unions with nested anonymous
    structures/unions, when there is at least one union in the mix. When
    initialized with a list or a dict, it should now behave more closely like
    the { } syntax does in GCC.
  o CPython 3.x: experimental: the generated C extension modules now use the
    "limited API", which means that, as a compiled .so/.dll, it should work
    directly on any version of CPython >= 3.2. The name produced by distutils
    is still version-specific. To get the version-independent name, you can
    rename it manually to NAME.abi3.so, or use the very recent setuptools 26.
  o Added ffi.compile(debug=...), similar to python setup.py build --debug but
    defaulting to True if we are running a debugging version of Python itself.
  o Removed the restriction that ffi.from_buffer() cannot be used on byte
    strings. Now you can get a char * out of a byte string, which is valid as
    long as the string object is kept alive. (But don't use it to modify the
    string object! If you need this, use bytearray or other official
    techniques.)
  o PyPy 5.4 can now pass a byte string directly to a char * argument (in older
    versions, a copy would be made). This used to be a CPython-only
    optimization.
  o ffi.gc(p, None) removes the destructor on an object previously created by
    another call to ffi.gc()
  o bool(ffi.cast("primitive type", x)) now returns False if the value is zero
    (including -0.0), and True otherwise. Previously this would only return
    False for cdata objects of a pointer type when the pointer is NULL.
  o bytearrays: ffi.from_buffer(bytearray-object) is now supported. (The reason
    it was not supported was that it was hard to do in PyPy, but it works since
    PyPy 5.3.) To call a C function with a char * argument from a buffer
    object, now including bytearrays, you write lib.foo(ffi.from_buffer(x)).
    Additionally, this is now supported: p[0:length] = bytearray-object. The
    problem with this was that iterating over bytearrays gives numbers
    instead of characters. (Now it is implemented with just a memcpy, of
    course, not actually iterating over the characters.)
  o C++: compiling the generated C code with C++ was supposed to work, but
    failed if you made use of the bool type (because that is rendered as the C
    _Bool type, which doesn't exist in C++).
  o help(lib) and help(lib.myfunc) now give useful information, as well as dir
    (p) where p is a struct or pointer-to-struct.


  o Fixed the "negative left shift" warning by replacing bitshifting in
    appropriate places by bitwise and comparison to self; patch taken from
    upstream git. Drop cffi-1.5.2-wnoerror.patch: no longer required.


  o disable "negative left shift" warning in test suite to prevent failures
    with gcc6, until upstream fixes the undefined code in question (bsc#981848)


Update to version 1.6.0:

  o ffi.list_types()
  o ffi.unpack()
  o extern "Python+C"
  o in API mode, lib.foo.__doc__ contains the C signature now.
  o Yet another attempt at robustness of ffi.def_extern() against CPython's
    interpreter shutdown logic.


Update to 1.5.2:

  o support for cffi-based embedding
  o more robustness for shutdown logic

Updated python-cryptography to 2.1.4 (bsc#1138748, jsc#ECO-1256, jsc#PM-1598)

  o Make this version of the package compatible with OpenSSL 1.1.1d (bsc#
    1149792)


  o CVE-2018-10903: Fixed GCM tag forgery via truncated tag in
    finalize_with_tag API (bsc#1101820)


Update to version 2.1.4:

  o Added X509_up_ref for an upcoming pyOpenSSL release.
  o Corrected a bug with the manylinux1 wheels where OpenSSL's stack was marked
    executable.
  o support for OpenSSL 1.0.0 has been removed.
  o Added support for Diffie-Hellman key exchange
  o The OS random engine for OpenSSL has been rewritten


python-xattr was just rebuilt to adjust its cffi dependency.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  o SUSE OpenStack Cloud 6-LTSS:
    zypper in -t patch SUSE-OpenStack-Cloud-6-LTSS-2020-790=1
  o SUSE Linux Enterprise Server for SAP 12-SP1:
    zypper in -t patch SUSE-SLE-SAP-12-SP1-2020-790=1
  o SUSE Linux Enterprise Server 12-SP1-LTSS:
    zypper in -t patch SUSE-SLE-SERVER-12-SP1-2020-790=1

Package List:

  o SUSE OpenStack Cloud 6-LTSS (x86_64):
       python-cryptography-2.1.4-3.15.5
       python-cryptography-debuginfo-2.1.4-3.15.5
       python-cryptography-debugsource-2.1.4-3.15.5
  o SUSE Linux Enterprise Server for SAP 12-SP1 (x86_64):
       python-cffi-1.11.2-2.19.2
       python-cffi-debuginfo-1.11.2-2.19.2
       python-cffi-debugsource-1.11.2-2.19.2
       python-cryptography-2.1.4-3.15.5
       python-cryptography-debuginfo-2.1.4-3.15.5
       python-cryptography-debugsource-2.1.4-3.15.5
       python-xattr-0.7.5-3.2.1
       python-xattr-debuginfo-0.7.5-3.2.1
       python-xattr-debugsource-0.7.5-3.2.1
       python3-cffi-1.11.2-2.19.2
       python3-cryptography-2.1.4-3.15.5
  o SUSE Linux Enterprise Server 12-SP1-LTSS (ppc64le s390x x86_64):
       python-cffi-1.11.2-2.19.2
       python-cffi-debuginfo-1.11.2-2.19.2
       python-cffi-debugsource-1.11.2-2.19.2
       python-cryptography-2.1.4-3.15.5
       python-cryptography-debuginfo-2.1.4-3.15.5
       python-cryptography-debugsource-2.1.4-3.15.5
       python-xattr-0.7.5-3.2.1
       python-xattr-debuginfo-0.7.5-3.2.1
       python-xattr-debugsource-0.7.5-3.2.1
       python3-cffi-1.11.2-2.19.2
       python3-cryptography-2.1.4-3.15.5


References:

  o https://www.suse.com/security/cve/CVE-2018-10903.html
  o https://bugzilla.suse.com/1055478
  o https://bugzilla.suse.com/1070737
  o https://bugzilla.suse.com/1101820
  o https://bugzilla.suse.com/1111657
  o https://bugzilla.suse.com/1138748
  o https://bugzilla.suse.com/1149792
  o https://bugzilla.suse.com/981848

- -----------------------------------------------------------------------------

______________________________________________________________________________

Announcement ID:   SUSE-SU-2020:0792-1
Rating:            moderate
References:        #1055478 #1070737 #1101820 #1111657 #1138748 #1149792
                   #981848
Cross-References:  CVE-2018-10903
Affected Products:
                   SUSE OpenStack Cloud Crowbar 8
                   SUSE OpenStack Cloud 8
                   SUSE OpenStack Cloud 7
                   SUSE Linux Enterprise Server for SAP 12-SP3
                   SUSE Linux Enterprise Server for SAP 12-SP2
                   SUSE Linux Enterprise Server 12-SP5
                   SUSE Linux Enterprise Server 12-SP4
                   SUSE Linux Enterprise Server 12-SP3-LTSS
                   SUSE Linux Enterprise Server 12-SP3-BCL
                   SUSE Linux Enterprise Server 12-SP2-LTSS
                   SUSE Linux Enterprise Server 12-SP2-BCL
                   SUSE Enterprise Storage 5
                   SUSE CaaS Platform 3.0
                   HPE Helion Openstack 8
______________________________________________________________________________

An update that solves one vulnerability and has 6 fixes is now available.

Description:

This update for python-cffi and python-cryptography fixes the following issues:
Security issue fixed:

  o CVE-2018-10903: Fixed GCM tag forgery via truncated tag in
    finalize_with_tag API (bsc#1101820).


Non-security issues fixed:
python-cffi was updated to 1.11.2 (bsc#1138748, jsc#ECO-1256, jsc#PM-1598):

  o fixed a build failure on i586 (bsc#1111657)
  o Salt was unable to highstate in snapshot 20171129 (bsc#1070737)


  o Update pytest in spec to add c directory tests in addition to testing
    directory.


  o Update to version 1.11.2:
    * Fix Windows issue with managing the thread-state on CPython 3.0 to 3.5


  o Update pytest in spec to add c directory tests in addition to testing
    directory.
  o Omit test_init_once_multithread tests as they rely on multiple threads
    finishing in a given time. Returns sporadic pass/fail within build.
  o Update to 1.11.1:
    * Fix tests, remove deprecated C API usage
    * Fix (hack) for 3.6.0/3.6.1/3.6.2 giving incompatible binary extensions
      (cpython issue #29943)
    * Fix for 3.7.0a1+


  o Update to 1.11.0:
    * Support the modern standard types char16_t and char32_t. These work like
      wchar_t: they represent one unicode character, or when used as charN_t *
      or charN_t[] they represent a unicode string. The difference with wchar_t
      is that they have a known, fixed size. They should work at all places
      that used to work with wchar_t (please report an issue if I missed
      something). Note that with set_source(), you need to make sure that
      these types are actually defined by the C source you provide (if used in
      cdef()).
    * Support the C99 types float _Complex and double _Complex. Note that
      libffi doesn't support them, which means that in the ABI mode you still
      cannot call C functions that take complex numbers directly as arguments
      or return type.
    * Fixed a rare race condition when creating multiple FFI instances from
      multiple threads. (Note that you aren't meant to create many FFI
      instances: in inline mode, you should write ffi = cffi.FFI() at module
      level just after import cffi; and in out-of-line mode you don't
      instantiate FFI explicitly at all.)
    * Windows: using callbacks can be messy because the CFFI internal error
      messages show up to stderr, but stderr goes nowhere in many
      applications. This makes it particularly hard to get started with the
      embedding mode. (Once you get started, you can at least use
      @ffi.def_extern(onerror=...) and send the error logs where it makes
      sense for your application, or record them in log files, and so on.) So
      what is new in CFFI is that now, on Windows CFFI will try to open a
      non-modal MessageBox (in addition to sending raw messages to stderr).
      The MessageBox is only visible if the process stays alive: typically,
      console applications that crash close immediately, but that is also the
      situation where stderr should be visible anyway.
    * Progress on support for callbacks in NetBSD.
    * Functions returning booleans would in some case still return 0 or 1
      instead of False or True. Fixed.
    * ffi.gc() now takes an optional third parameter, which gives an estimate
      of the size (in bytes) of the object. So far, this is only used by PyPy,
      to make the next GC occur more quickly (issue #320). In the future, this
      might have an effect on CPython too (provided the CPython issue 31105 is
      addressed).
    * Add a note to the documentation: the ABI mode gives function objects
      that are slower to call than the API mode does. For some reason it is
      often thought to be faster. It is not!
  o Update to 1.10.1:
    * Fixed the line numbers reported in case of cdef() errors. Also, I just
      noticed, but pycparser always supported the preprocessor directive
      # 42 "foo.h" to mean "from the next line, we're in file foo.h starting
      from line 42", which it puts in the error messages.


  o Update to 1.10.0:
    * Issue #295: use calloc() directly instead of PyObject_Malloc()+memset()
      to handle ffi.new() with a default allocator. Speeds up
      ffi.new(large-array) where most of the time you never touch most of the
      array.
    * Some OS/X build fixes ("only with Xcode but without CLT").
    * Improve a couple of error messages: when getting mismatched versions of
      cffi and its backend; and when calling functions which cannot be called
      with libffi because an argument is a struct that is "too complicated"
      (and not a struct pointer, which always works).
    * Add support for some unusual compilers (non-msvc, non-gcc, non-icc,
      non-clang)
    * Implemented the remaining cases for ffi.from_buffer. Now all
      buffer/memoryview objects can be passed. The one remaining check is
      against passing unicode strings in Python 2. (They support the buffer
      interface, but that gives the raw bytes behind the UTF16/UCS4 storage,
      which is most of the times not what you expect. In Python 3 this has
      been fixed and the unicode strings don't support the memoryview
      interface any more.)
    * The C type _Bool or bool now converts to a Python boolean when reading,
      instead of the content of the byte as an integer. The potential
      incompatibility here is what occurs if the byte contains a value
      different from 0 and 1. Previously, it would just return it; with this
      change, CFFI raises an exception in this case. But this case means
      "undefined behavior" in C; if you really have to interface with a
      library relying on this, don't use bool in the CFFI side. Also, it is
      still valid to use a byte string as initializer for a bool[], but now it
      must only contain \x00 or \x01. As an aside, ffi.string() no longer
      works on bool[] (but it never made much sense, as this function stops at
      the first zero).
    * ffi.buffer is now the name of cffi's buffer type, and ffi.buffer() works
      like before but is the constructor of that type.
    * ffi.addressof(lib, "name") now works also in in-line mode, not only in
      out-of-line mode. This is useful for taking the address of global
      variables.
    * Issue #255: cdata objects of a primitive type (integers, floats, char)
      are now compared and ordered by value. For example, compares equal to 42
      and compares equal to b'A'. Unlike C, does not compare equal to
      ffi.cast("unsigned int", -1): it compares smaller, because -1


  o do not generate HTML documentation for packages that are indirect
    dependencies of Sphinx (see docs at https://cffi.readthedocs.org/ )


  o Update to 1.9.1:
    * Structs with variable-sized arrays as their last field: now we track the
      length of the array after ffi.new() is called, just like we always
      tracked the length of ffi.new("int[]", 42). This lets us detect
      out-of-range accesses to array items. This also lets us display a better
      repr(), and have the total size returned by ffi.sizeof() and
      ffi.buffer(). Previously both functions would return a result based on
      the size of the declared structure type, with an assumed empty array.
      (Thanks andrew for starting this refactoring.)
    * Add support in cdef()/set_source() for unspecified-length arrays in
      typedefs: typedef int foo_t[...];. It was already supported for global
      variables or structure fields.
    * I turned in v1.8 a warning from cffi/model.py into an error: 'enum xxx'
      has no values explicitly defined: refusing to guess which integer type
      it is meant to be (unsigned/signed, int/long). Now I'm turning it back
      to a warning again; it seems that guessing that the enum has size int is
      a 99%-safe bet. (But not 100%, so it stays as a warning.)
    * Fix leaks in the code handling FILE * arguments. In CPython 3 there is a
      remaining issue that is hard to fix: if you pass a Python file object to
      a FILE * argument, then os.dup() is used and the new file descriptor is
      only closed when the GC reclaims the Python file object, and not at the
      earlier time when you call close(), which only closes the original file
      descriptor. If this is an issue, you should avoid this automatic
      conversion of Python file objects: instead, explicitly manipulate file
      descriptors and call fdopen() from C (...via cffi).
    * When passing a void * argument to a function with a different pointer
      type, or vice-versa, the cast occurs automatically, like in C. The same
      occurs for initialization with ffi.new() and a few other places.
      However, I thought that char * had the same property, but I was
      mistaken. In C you get the usual warning if you try to give a char * to
      a char ** argument, for example. Sorry about the confusion. This has
      been fixed in CFFI by giving for now a warning, too. It will turn into
      an error in a future version.
    * Issue #283: fixed ffi.new() on structures/unions with nested anonymous
      structures/unions, when there is at least one union in the mix. When
      initialized with a list or a dict, it should now behave more closely
      like the { } syntax does in GCC.
    * CPython 3.x: experimental: the generated C extension modules now use the
      "limited API", which means that, as a compiled .so/.dll, it should work
      directly on any version of CPython >= 3.2. The name produced by
      distutils is still version-specific. To get the version-independent
      name, you can rename it manually to NAME.abi3.so, or use the very recent
      setuptools 26.
    * Added ffi.compile(debug=...), similar to python setup.py build --debug
      but defaulting to True if we are running a debugging version of Python
      itself.
    * Removed the restriction that ffi.from_buffer() cannot be used on byte
      strings. Now you can get a char * out of a byte string, which is valid
      as long as the string object is kept alive. (But don't use it to modify
      the string object! If you need this, use bytearray or other official
      techniques.)
    * PyPy 5.4 can now pass a byte string directly to a char * argument (in
      older versions, a copy would be made). This used to be a CPython-only
      optimization.
    * ffi.gc(p, None) removes the destructor on an object previously created
      by another call to ffi.gc()
    * bool(ffi.cast("primitive type", x)) now returns False if the value is
      zero (including -0.0), and True otherwise. Previously this would only
      return False for cdata objects of a pointer type when the pointer is
      NULL.
    * bytearrays: ffi.from_buffer(bytearray-object) is now supported. (The
      reason it was not supported was that it was hard to do in PyPy, but it
      works since PyPy 5.3.) To call a C function with a char * argument from
      a buffer object, now including bytearrays, you write
      lib.foo(ffi.from_buffer(x)). Additionally, this is now supported:
      p[0:length] = bytearray-object. The problem with this was that iterating
      over bytearrays gives numbers instead of characters. (Now it is
      implemented with just a memcpy, of course, not actually iterating over
      the characters.)
    * C++: compiling the generated C code with C++ was supposed to work, but
      failed if you made use of the bool type (because that is rendered as the
      C _Bool type, which doesn't exist in C++).
    * help(lib) and help(lib.myfunc) now give useful information, as well as
      dir(p) where p is a struct or pointer-to-struct.


  o update for multipython build


  o disable "negative left shift" warning in test suite to prevent failures
    with gcc6, until upstream fixes the undefined code in question (bsc#981848)


  o Update to version 1.6.0:
    * ffi.list_types()
    * ffi.unpack()
    * extern "Python+C"
    * in API mode, lib.foo.__doc__ contains the C signature now.
    * Yet another attempt at robustness of ffi.def_extern() against CPython's
      interpreter shutdown logic.
  o Update in SLE-12 (bsc#1138748, jsc#ECO-1256, jsc#PM-1598)


  o Make this version of the package compatible with OpenSSL 1.1.1d, thus
    fixing bsc#1149792.


  o bsc#1101820 CVE-2018-10903 GCM tag forgery via truncated tag in
    finalize_with_tag API


  o Add proper conditional for the python2, the ifpython works only for the
    requires/etc


  o add missing dependency on python ssl


  o Update to version 2.1.4:
    * Added X509_up_ref for an upcoming pyOpenSSL release.


  o Update to version 2.1.3:
    * Updated Windows, macOS, and manylinux1 wheels to be compiled with
      OpenSSL 1.1.0g.


  o Update to version 2.1.2:
    * Corrected a bug with the manylinux1 wheels where OpenSSL's stack was
      marked executable.


  o fix BuildRequires conditions for python3


  o update to 2.1.1


  o Fix cffi version requirement.


  o Disable memleak tests to fix build with OpenSSL 1.1 (bsc#1055478)

  o update to 2.0.3


  o update to 2.0.2


  o update to 2.0


  o update to 1.9


  o add python-packaging to requirements explicitly instead of relying on
    setuptools to pull it in


  o Switch to singlespec approach


  o update to 1.8.1
  o Adjust Requires and BuildRequires

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  o SUSE OpenStack Cloud Crowbar 8:
    zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-792=1
  o SUSE OpenStack Cloud 8:
    zypper in -t patch SUSE-OpenStack-Cloud-8-2020-792=1
  o SUSE OpenStack Cloud 7:
    zypper in -t patch SUSE-OpenStack-Cloud-7-2020-792=1
  o SUSE Linux Enterprise Server for SAP 12-SP3:
    zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-792=1
  o SUSE Linux Enterprise Server for SAP 12-SP2:
    zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-792=1
  o SUSE Linux Enterprise Server 12-SP5:
    zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-792=1
  o SUSE Linux Enterprise Server 12-SP4:
    zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-792=1
  o SUSE Linux Enterprise Server 12-SP3-LTSS:
    zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-792=1
  o SUSE Linux Enterprise Server 12-SP3-BCL:
    zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-792=1
  o SUSE Linux Enterprise Server 12-SP2-LTSS:
    zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-792=1
  o SUSE Linux Enterprise Server 12-SP2-BCL:
    zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-792=1
  o SUSE Enterprise Storage 5:
    zypper in -t patch SUSE-Storage-5-2020-792=1
  o SUSE CaaS Platform 3.0:
    To install this update, use the SUSE CaaS Platform Velum dashboard. It will
    inform you if it detects new updates and let you then trigger updating of
    the complete cluster in a controlled way.
  o HPE Helion Openstack 8:
    zypper in -t patch HPE-Helion-OpenStack-8-2020-792=1

Package List:

  o SUSE OpenStack Cloud Crowbar 8 (x86_64):
       python-cffi-1.11.2-5.11.1
       python-cffi-debuginfo-1.11.2-5.11.1
       python-cffi-debugsource-1.11.2-5.11.1
       python-cryptography-2.1.4-7.28.2
       python-cryptography-debuginfo-2.1.4-7.28.2
       python-cryptography-debugsource-2.1.4-7.28.2
       python-xattr-0.7.5-6.3.2
       python-xattr-debuginfo-0.7.5-6.3.2
       python-xattr-debugsource-0.7.5-6.3.2
       python3-cffi-1.11.2-5.11.1
       python3-cryptography-2.1.4-7.28.2
  o SUSE OpenStack Cloud 8 (x86_64):
       python-cffi-1.11.2-5.11.1
       python-cffi-debuginfo-1.11.2-5.11.1
       python-cffi-debugsource-1.11.2-5.11.1
       python-cryptography-2.1.4-7.28.2
       python-cryptography-debuginfo-2.1.4-7.28.2
       python-cryptography-debugsource-2.1.4-7.28.2
       python-xattr-0.7.5-6.3.2
       python-xattr-debuginfo-0.7.5-6.3.2
       python-xattr-debugsource-0.7.5-6.3.2
       python3-cffi-1.11.2-5.11.1
       python3-cryptography-2.1.4-7.28.2
  o SUSE OpenStack Cloud 7 (aarch64 s390x x86_64):
       python-cryptography-2.1.4-7.28.2
       python-cryptography-debuginfo-2.1.4-7.28.2
       python-cryptography-debugsource-2.1.4-7.28.2
  o SUSE OpenStack Cloud 7 (s390x x86_64):
       python-cffi-1.11.2-5.11.1
       python-cffi-debuginfo-1.11.2-5.11.1
       python-cffi-debugsource-1.11.2-5.11.1
       python-xattr-0.7.5-6.3.2
       python-xattr-debuginfo-0.7.5-6.3.2
       python-xattr-debugsource-0.7.5-6.3.2
       python3-cffi-1.11.2-5.11.1
       python3-cryptography-2.1.4-7.28.2
  o SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64):
       python-cffi-1.11.2-5.11.1
       python-cffi-debuginfo-1.11.2-5.11.1
       python-cffi-debugsource-1.11.2-5.11.1
       python-cryptography-2.1.4-7.28.2
       python-cryptography-debuginfo-2.1.4-7.28.2
       python-cryptography-debugsource-2.1.4-7.28.2
       python-xattr-0.7.5-6.3.2
       python-xattr-debuginfo-0.7.5-6.3.2
       python-xattr-debugsource-0.7.5-6.3.2
       python3-cffi-1.11.2-5.11.1
       python3-cryptography-2.1.4-7.28.2
  o SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64):
       python-cffi-1.11.2-5.11.1
       python-cffi-debuginfo-1.11.2-5.11.1
       python-cffi-debugsource-1.11.2-5.11.1
       python-cryptography-2.1.4-7.28.2
       python-cryptography-debuginfo-2.1.4-7.28.2
       python-cryptography-debugsource-2.1.4-7.28.2
       python-xattr-0.7.5-6.3.2
       python-xattr-debuginfo-0.7.5-6.3.2
       python-xattr-debugsource-0.7.5-6.3.2
       python3-cffi-1.11.2-5.11.1
       python3-cryptography-2.1.4-7.28.2
  o SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):
       python-cffi-1.11.2-5.11.1
       python-cffi-debuginfo-1.11.2-5.11.1
       python-cffi-debugsource-1.11.2-5.11.1
       python-cryptography-2.1.4-7.28.2
       python-cryptography-debuginfo-2.1.4-7.28.2
       python-cryptography-debugsource-2.1.4-7.28.2
       python-xattr-0.7.5-6.3.2
       python-xattr-debuginfo-0.7.5-6.3.2
       python-xattr-debugsource-0.7.5-6.3.2
       python3-cffi-1.11.2-5.11.1
       python3-cffi-debuginfo-1.11.2-5.11.1
       python3-cryptography-2.1.4-7.28.2
       python3-cryptography-debuginfo-2.1.4-7.28.2
  o SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64):
       python-cffi-1.11.2-5.11.1
       python-cffi-debuginfo-1.11.2-5.11.1
       python-cffi-debugsource-1.11.2-5.11.1
       python-cryptography-2.1.4-7.28.2
       python-cryptography-debuginfo-2.1.4-7.28.2
       python-cryptography-debugsource-2.1.4-7.28.2
       python-xattr-0.7.5-6.3.2
       python-xattr-debuginfo-0.7.5-6.3.2
       python-xattr-debugsource-0.7.5-6.3.2
       python3-cffi-1.11.2-5.11.1
       python3-cffi-debuginfo-1.11.2-5.11.1
       python3-cryptography-2.1.4-7.28.2
       python3-cryptography-debuginfo-2.1.4-7.28.2
  o SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64):
       python-cffi-1.11.2-5.11.1
       python-cffi-debuginfo-1.11.2-5.11.1
       python-cffi-debugsource-1.11.2-5.11.1
       python-cryptography-2.1.4-7.28.2
       python-cryptography-debuginfo-2.1.4-7.28.2
       python-cryptography-debugsource-2.1.4-7.28.2
       python-xattr-0.7.5-6.3.2
       python-xattr-debuginfo-0.7.5-6.3.2
       python-xattr-debugsource-0.7.5-6.3.2
       python3-cffi-1.11.2-5.11.1
       python3-cryptography-2.1.4-7.28.2
  o SUSE Linux Enterprise Server 12-SP3-BCL (x86_64):
       python-cffi-1.11.2-5.11.1
       python-cffi-debuginfo-1.11.2-5.11.1
       python-cffi-debugsource-1.11.2-5.11.1
       python-cryptography-2.1.4-7.28.2
       python-cryptography-debuginfo-2.1.4-7.28.2
       python-cryptography-debugsource-2.1.4-7.28.2
       python-xattr-0.7.5-6.3.2
       python-xattr-debuginfo-0.7.5-6.3.2
       python-xattr-debugsource-0.7.5-6.3.2
       python3-cffi-1.11.2-5.11.1
       python3-cryptography-2.1.4-7.28.2
  o SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64):
       python-cffi-1.11.2-5.11.1
       python-cffi-debuginfo-1.11.2-5.11.1
       python-cffi-debugsource-1.11.2-5.11.1
       python-cryptography-2.1.4-7.28.2
       python-cryptography-debuginfo-2.1.4-7.28.2
       python-cryptography-debugsource-2.1.4-7.28.2
       python-xattr-0.7.5-6.3.2
       python-xattr-debuginfo-0.7.5-6.3.2
       python-xattr-debugsource-0.7.5-6.3.2
       python3-cffi-1.11.2-5.11.1
       python3-cryptography-2.1.4-7.28.2
  o SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):
       python-cffi-1.11.2-5.11.1
       python-cffi-debuginfo-1.11.2-5.11.1
       python-cffi-debugsource-1.11.2-5.11.1
       python-cryptography-2.1.4-7.28.2
       python-cryptography-debuginfo-2.1.4-7.28.2
       python-cryptography-debugsource-2.1.4-7.28.2
       python-xattr-0.7.5-6.3.2
       python-xattr-debuginfo-0.7.5-6.3.2
       python-xattr-debugsource-0.7.5-6.3.2
       python3-cffi-1.11.2-5.11.1
       python3-cryptography-2.1.4-7.28.2
  o SUSE Enterprise Storage 5 (aarch64 x86_64):
       python-cffi-1.11.2-5.11.1
       python-cffi-debuginfo-1.11.2-5.11.1
       python-cffi-debugsource-1.11.2-5.11.1
       python-cryptography-2.1.4-7.28.2
       python-cryptography-debuginfo-2.1.4-7.28.2
       python-cryptography-debugsource-2.1.4-7.28.2
       python-xattr-0.7.5-6.3.2
       python-xattr-debuginfo-0.7.5-6.3.2
       python-xattr-debugsource-0.7.5-6.3.2
       python3-cffi-1.11.2-5.11.1
       python3-cryptography-2.1.4-7.28.2
  o SUSE CaaS Platform 3.0 (x86_64):
       python-cffi-1.11.2-5.11.1
       python-cffi-debuginfo-1.11.2-5.11.1
       python-cffi-debugsource-1.11.2-5.11.1
       python-cryptography-2.1.4-7.28.2
       python-cryptography-debuginfo-2.1.4-7.28.2
       python-cryptography-debugsource-2.1.4-7.28.2
  o HPE Helion Openstack 8 (x86_64):
       python-cffi-1.11.2-5.11.1
       python-cffi-debuginfo-1.11.2-5.11.1
       python-cffi-debugsource-1.11.2-5.11.1
       python-cryptography-2.1.4-7.28.2
       python-cryptography-debuginfo-2.1.4-7.28.2
       python-cryptography-debugsource-2.1.4-7.28.2
       python-xattr-0.7.5-6.3.2
       python-xattr-debuginfo-0.7.5-6.3.2
       python-xattr-debugsource-0.7.5-6.3.2
       python3-cffi-1.11.2-5.11.1
       python3-cryptography-2.1.4-7.28.2
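As an added example (not part of the SUSE advisory or the AusCERT bulletin), the following POSIX shell check compares a host's installed package name-version-release strings against the fixed versions from the Package List above. The rpm query it would normally consume is replaced by a constructed sample so that it runs offline.

```shell
#!/bin/sh
# Added example, not part of the SUSE advisory: verify that the packages on a
# host have reached the fixed versions listed in the Package List above.
# In real use the input would be the output of
#   rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' python-cffi python-cryptography python-xattr
# Here a constructed sample stands in for it so the script runs offline.

# Fixed name / version-release pairs taken from this advisory.
FIXED="python-cffi 1.11.2-5.11.1
python3-cffi 1.11.2-5.11.1
python-cryptography 2.1.4-7.28.2
python3-cryptography 2.1.4-7.28.2
python-xattr 0.7.5-6.3.2"

# Constructed sample: python-cryptography is still at an older release.
SAMPLE_STALE="python-cffi-1.11.2-5.11.1
python-cryptography-2.1.4-7.25.1
python-xattr-0.7.5-6.3.2"

# vercmp A B: prints -1, 0 or 1, comparing version-release strings field by
# field numerically (sufficient for the purely numeric versions in this update).
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, /[.-]/); nb = split(b, y, /[.-]/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0; yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) { print -1; exit }
            if (xi > yi) { print 1; exit }
        }
        print 0
    }'
}

# check_installed NVR_LIST: prints one status line per covered package and
# returns 1 if any of them is below the fixed version-release, else 0.
check_installed() {
    rc=0; oldifs=$IFS; IFS='
'
    for nvr in $1; do
        # RPM NVR: the last two dash-separated fields are version and release.
        rel=${nvr##*-}; rest=${nvr%-*}; ver=${rest##*-}; name=${rest%-*}
        want=$(printf '%s\n' "$FIXED" | awk -v n="$name" '$1 == n { print $2 }')
        [ -n "$want" ] || continue                  # package not covered here
        if [ "$(vercmp "$ver-$rel" "$want")" -lt 0 ]; then
            echo "VULNERABLE $name $ver-$rel < $want"; rc=1
        else
            echo "ok         $name $ver-$rel"
        fi
    done
    IFS=$oldifs; return $rc
}

check_installed "$SAMPLE_STALE" || echo "some packages still need this update"
```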


References:

  o https://www.suse.com/security/cve/CVE-2018-10903.html
  o https://bugzilla.suse.com/1055478
  o https://bugzilla.suse.com/1070737
  o https://bugzilla.suse.com/1101820
  o https://bugzilla.suse.com/1111657
  o https://bugzilla.suse.com/1138748
  o https://bugzilla.suse.com/1149792
  o https://bugzilla.suse.com/981848

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----