Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2021.2859 Security update for python-PyYAML 25 August 2021 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: python-PyYAML Publisher: SUSE Operating System: SUSE Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated Denial of Service -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2020-14343 CVE-2020-1747 Reference: ESB-2021.1580 ESB-2020.1813 Original Bulletin: https://www.suse.com/support/update/announcement/2021/suse-su-20212818-1 - --------------------------BEGIN INCLUDED TEXT-------------------- SUSE Security Update: Security update for python-PyYAML ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:2818-1 Rating: important References: #1174514 Cross-References: CVE-2020-14343 Affected Products: SUSE OpenStack Cloud Crowbar 9 SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 9 SUSE OpenStack Cloud 8 SUSE OpenStack Cloud 7 SUSE Linux Enterprise Server for SAP 12-SP4 SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4-LTSS SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise Server 12-SP3-BCL SUSE Linux Enterprise Module for Public Cloud 12 HPE Helion Openstack 8 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for python-PyYAML fixes the following issues: o Update to 5.3.1. o CVE-2020-14343: A vulnerability was discovered in the PyYAML library, where it was susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: o SUSE OpenStack Cloud Crowbar 9: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-2818=1 o SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2021-2818=1 o SUSE OpenStack Cloud 9: zypper in -t patch SUSE-OpenStack-Cloud-9-2021-2818=1 o SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2021-2818=1 o SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2021-2818=1 o SUSE Linux Enterprise Server for SAP 12-SP4: zypper in -t patch SUSE-SLE-SAP-12-SP4-2021-2818=1 o SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2021-2818=1 o SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-2818=1 o SUSE Linux Enterprise Server 12-SP4-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2021-2818=1 o SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-2818=1 o SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2021-2818=1 o SUSE Linux Enterprise Module for Public Cloud 12: zypper in -t patch SUSE-SLE-Module-Public-Cloud-12-2021-2818=1 o HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2021-2818=1 Package List: o SUSE OpenStack Cloud Crowbar 9 (x86_64): python-PyYAML-5.3.1-28.6.1 python-PyYAML-debuginfo-5.3.1-28.6.1 python-PyYAML-debugsource-5.3.1-28.6.1 python3-PyYAML-5.3.1-28.6.1 python3-PyYAML-debuginfo-5.3.1-28.6.1 o SUSE OpenStack Cloud Crowbar 8 (x86_64): python-PyYAML-5.3.1-28.6.1 python-PyYAML-debuginfo-5.3.1-28.6.1 python-PyYAML-debugsource-5.3.1-28.6.1 python3-PyYAML-5.3.1-28.6.1 o SUSE OpenStack Cloud 9 (x86_64): python-PyYAML-5.3.1-28.6.1 python-PyYAML-debuginfo-5.3.1-28.6.1 python-PyYAML-debugsource-5.3.1-28.6.1 python3-PyYAML-5.3.1-28.6.1 python3-PyYAML-debuginfo-5.3.1-28.6.1 o SUSE OpenStack Cloud 8 (x86_64): python-PyYAML-5.3.1-28.6.1 python-PyYAML-debuginfo-5.3.1-28.6.1 python-PyYAML-debugsource-5.3.1-28.6.1 python3-PyYAML-5.3.1-28.6.1 o SUSE OpenStack Cloud 7 (aarch64 s390x x86_64): python-PyYAML-5.3.1-28.6.1 python-PyYAML-debuginfo-5.3.1-28.6.1 python-PyYAML-debugsource-5.3.1-28.6.1 o SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64): python-PyYAML-5.3.1-28.6.1 python-PyYAML-debuginfo-5.3.1-28.6.1 python-PyYAML-debugsource-5.3.1-28.6.1 python3-PyYAML-5.3.1-28.6.1 python3-PyYAML-debuginfo-5.3.1-28.6.1 o SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): python-PyYAML-5.3.1-28.6.1 python-PyYAML-debuginfo-5.3.1-28.6.1 python-PyYAML-debugsource-5.3.1-28.6.1 python3-PyYAML-5.3.1-28.6.1 o SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): python-PyYAML-5.3.1-28.6.1 python-PyYAML-debuginfo-5.3.1-28.6.1 python-PyYAML-debugsource-5.3.1-28.6.1 python3-PyYAML-5.3.1-28.6.1 python3-PyYAML-debuginfo-5.3.1-28.6.1 o SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64): python-PyYAML-5.3.1-28.6.1 python-PyYAML-debuginfo-5.3.1-28.6.1 python-PyYAML-debugsource-5.3.1-28.6.1 python3-PyYAML-5.3.1-28.6.1 python3-PyYAML-debuginfo-5.3.1-28.6.1 o SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): python-PyYAML-5.3.1-28.6.1 python-PyYAML-debuginfo-5.3.1-28.6.1 python-PyYAML-debugsource-5.3.1-28.6.1 python3-PyYAML-5.3.1-28.6.1 o SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): python-PyYAML-5.3.1-28.6.1 python-PyYAML-debuginfo-5.3.1-28.6.1 python-PyYAML-debugsource-5.3.1-28.6.1 python3-PyYAML-5.3.1-28.6.1 o SUSE Linux Enterprise Module for Public Cloud 12 (aarch64 ppc64le s390x x86_64): python-PyYAML-5.3.1-28.6.1 python-PyYAML-debuginfo-5.3.1-28.6.1 python-PyYAML-debugsource-5.3.1-28.6.1 python3-PyYAML-5.3.1-28.6.1 python3-PyYAML-debuginfo-5.3.1-28.6.1 o HPE Helion Openstack 8 (x86_64): python-PyYAML-5.3.1-28.6.1 python-PyYAML-debuginfo-5.3.1-28.6.1 python-PyYAML-debugsource-5.3.1-28.6.1 python3-PyYAML-5.3.1-28.6.1 References: o https://www.suse.com/security/cve/CVE-2020-14343.html o https://bugzilla.suse.com/1174514 - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBYSWX2+NLKJtyKPYoAQgYxQ//UoGA2NvXPdAmjEgW4dQtmQCIcz4aGnGd L0hURCQMSfHqQYfWe+U60814wNRft9EBCw4OVdJwvIOwjHTQ499iE3rdG1z77QnS R2QedEzoBGKh1pAfeHOZ8Ylqn5oP559MnHSCGP8MXnzugRzrZqzfUAzjdS8dRy3q qLR8aG3kZRIffo9CSjA8P/wDBO0cvhVgCB6SVjoCsmzoMsDo4RL1Y0mIl7E1jLXg LDAvvUYP308IRnoesmo0aycfKP2AUBElQ8OJ0RB4eB78MAvgCxgxRNJCRh/3JRSS eaUl69WhjtiAqqiFNghP9O1Rdfip2RB06rUCisxuCwHZQtZyYbbwltX5ddt7ZCR+ Sr6/yPMlFMWd0YsvoamLqmHbWxocHrXZZ8Wo6loEpelw0jK4TW70Yl3llaLY0PPX gHI1SBHAaj2+YqeU8hfZBMXcQg0gXLDY+X2VTdmIV+eY7dKRVU3z3M5q2g1CZbA8 oDX9TJqYZ5ma5Bnt99HdQ0in8d/WjJKuIuPtQNrsUtSEWabkIwwBqO/RxA+7yQa5 RKdGdwfZTzTFVz7or4Gt1lUyqwuBe9FrVwnF26m6a1ErAQ9LdPcJsgEdPgtkE3D7 ZodNAVBJ8J+7i7BOM0dQvmHSwKhin+pPAX23X0abgNTvq3VDWVAEFpmS9uiuzd0X of0IgzKkpgw= =Xwvg -----END PGP SIGNATURE-----