SUSE update for aws-cli, python-boto3, python-botocore, python-service_identity, python-trustme, python-urllib3



Published: 2021-08-23
Risk Medium
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2020-26137
CWE-ID CWE-93
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
SUSE Linux Enterprise Module for Public Cloud
Operating systems & Components / Operating system

SUSE Linux Enterprise Module for Python2
Operating systems & Components / Operating system

SUSE Manager Proxy
Operating systems & Components / Operating system

SUSE Manager Retail Branch Server
Operating systems & Components / Operating system

SUSE Manager Server
Operating systems & Components / Operating system

SUSE Linux Enterprise Server for SAP
Operating systems & Components / Operating system

SUSE Linux Enterprise High Performance Computing
Operating systems & Components / Operating system

SUSE Enterprise Storage
Operating systems & Components / Operating system

SUSE CaaS Platform
Operating systems & Components / Operating system

SUSE MicroOS
Operating systems & Components / Operating system

SUSE Linux Enterprise Server
Operating systems & Components / Operating system

SUSE Linux Enterprise Module for Basesystem
Operating systems & Components / Operating system

SUSE Linux Enterprise Module for Packagehub Subpackages
Operating systems & Components / Operating system package or component

python3-cryptography-debuginfo
Operating systems & Components / Operating system package or component

python3-cffi-debuginfo
Operating systems & Components / Operating system package or component

python2-botocore
Operating systems & Components / Operating system package or component

python2-boto3
Operating systems & Components / Operating system package or component

python3-trustme
Operating systems & Components / Operating system package or component

python3-service_identity
Operating systems & Components / Operating system package or component

aws-cli
Operating systems & Components / Operating system package or component

python2-pyOpenSSL
Operating systems & Components / Operating system package or component

python2-cryptography-debuginfo
Operating systems & Components / Operating system package or component

python2-cryptography
Operating systems & Components / Operating system package or component

python2-cffi-debuginfo
Operating systems & Components / Operating system package or component

python2-cffi
Operating systems & Components / Operating system package or component

python-cryptography-debugsource
Operating systems & Components / Operating system package or component

python-cryptography-debuginfo
Operating systems & Components / Operating system package or component

python-cffi-debugsource
Operating systems & Components / Operating system package or component

python-cffi-debuginfo
Operating systems & Components / Operating system package or component

python3-botocore
Operating systems & Components / Operating system package or component

python3-boto3
Operating systems & Components / Operating system package or component

python2-urllib3
Operating systems & Components / Operating system package or component

python2-pycparser
Operating systems & Components / Operating system package or component

python2-pyasn1
Operating systems & Components / Operating system package or component

python2-asn1crypto
Operating systems & Components / Operating system package or component

python3-urllib3
Operating systems & Components / Operating system package or component

python3-pycparser
Operating systems & Components / Operating system package or component

python3-pyasn1
Operating systems & Components / Operating system package or component

python3-pyOpenSSL
Operating systems & Components / Operating system package or component

python3-asn1crypto
Operating systems & Components / Operating system package or component

python3-cryptography
Operating systems & Components / Operating system package or component

python3-cffi
Operating systems & Components / Operating system package or component

Vendor SuSE

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) CRLF injection

EUVDB-ID: #VU47403

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2020-26137

CWE-ID: CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to inject arbitrary data in server response.

The vulnerability exists due to insufficient validation of attacker-supplied data passed via the "method" parameter. A remote authenticated attacker can pass specially crafted data to the application containing CR-LF characters and modify application behavior.

Mitigation

Update the affected package aws-cli, python-boto3, python-botocore, python-service_identity, python-trustme, python-urllib3 to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Module for Public Cloud: 15-SP1 - 15-SP3

SUSE Linux Enterprise Module for Python2: 15-SP2 - 15-SP3

SUSE Manager Proxy: 4.0

SUSE Manager Retail Branch Server: 4.0

SUSE Manager Server: 4.0

SUSE Linux Enterprise Server for SAP: 15-SP1

SUSE Linux Enterprise High Performance Computing: 15-SP1-ESPOS - 15-SP1-LTSS

SUSE Enterprise Storage: 6

SUSE CaaS Platform: 4.0

SUSE MicroOS: 5.0

SUSE Linux Enterprise Module for Packagehub Subpackages: 15-SP2 - 15-SP3

SUSE Linux Enterprise Server: 15-SP1-BCL - 15-SP1-LTSS

SUSE Linux Enterprise Module for Basesystem: 15-SP2 - 15-SP3

python3-cryptography-debuginfo: before 2.8-10.1

python3-cffi-debuginfo: before 1.13.2-3.2.5

python2-botocore: before 1.20.9-33.1

python2-boto3: before 1.17.9-19.1

python3-trustme: before 0.6.0-3.3.1

python3-service_identity: before 18.1.0-3.3.1

aws-cli: before 1.19.9-26.1

python2-pyOpenSSL: before 17.5.0-8.3.1

python2-cryptography-debuginfo: before 2.8-10.1

python2-cryptography: before 2.8-10.1

python2-cffi-debuginfo: before 1.13.2-3.2.5

python2-cffi: before 1.13.2-3.2.5

python-cryptography-debugsource: before 2.8-10.1

python-cryptography-debuginfo: before 2.8-10.1

python-cffi-debugsource: before 1.13.2-3.2.5

python-cffi-debuginfo: before 1.13.2-3.2.5

python3-botocore: before 1.20.9-33.1

python3-boto3: before 1.17.9-19.1

python2-urllib3: before 1.25.10-9.14.1

python2-pycparser: before 2.17-3.2.1

python2-pyasn1: before 0.4.2-3.2.1

python2-asn1crypto: before 0.24.0-3.2.1

python3-urllib3: before 1.25.10-9.14.1

python3-pycparser: before 2.17-3.2.1

python3-pyasn1: before 0.4.2-3.2.1

python3-pyOpenSSL: before 17.5.0-8.3.1

python3-asn1crypto: before 0.24.0-3.2.1

python3-cryptography: before 2.8-10.1

python3-cffi: before 1.13.2-3.2.5


CPE2.3 External links

http://www.suse.com/support/update/announcement/2021/suse-su-20212817-1/

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?



###SIDEBAR###