Bugzilla – Bug 1214691
VUL-0: CVE-2022-48566: python-base,python36,python3,python: Use CRYPTO_memcmp() for compare_digest
Last modified: 2024-05-29 20:30:02 UTC
CVE-2022-48566 An issue was discovered in compare_digest in Lib/hmac.py in Python through 3.9.1. Constant-time-defeating optimisations were possible in the accumulator variable in hmac.compare_digest. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-48566 https://www.cve.org/CVERecord?id=CVE-2022-48566 https://bugs.python.org/issue40791
Affected: - SUSE:SLE-11-SP1:Update/python 2.6.9 - SUSE:SLE-11-SP1:Update/python-base 2.6.9 - SUSE:SLE-12-SP1:Update/python 2.7.18 - SUSE:SLE-12-SP1:Update/python-base 2.7.18 - SUSE:SLE-12-SP4:Update/python 2.7.18 - SUSE:SLE-12-SP4:Update/python-base 2.7.18 - SUSE:SLE-15:Update/python 2.7.18 - SUSE:SLE-15:Update/python-base 2.7.18 - openSUSE:Factory/python 2.7.18 - SUSE:SLE-12:Update/python3 3.4.10 - SUSE:SLE-12-SP3:Update:Products:Teradata:Update/python36 3.6.15 - SUSE:SLE-12-SP5:Update/python36 3.6.15 Not affected: - SUSE:SLE-15-SP3:Update/python39 3.9.17 - openSUSE:Factory/python39 3.9.17 - SUSE:ALP:Source:Standard:1.0/python310 3.10.10 - SUSE:SLE-15-SP4:Update/python310 3.10.12 - openSUSE:Factory/python310 3.10.12 - SUSE:ALP:Source:Standard:1.0/python311 3.11.2 - SUSE:SLE-15-SP4:Update/python311 3.11.4 - openSUSE:Factory/python311 3.11.4
> - SUSE:SLE-11-SP1:Update/python 2.6.9 > - SUSE:SLE-11-SP1:Update/python-base 2.6.9 Shouldn’t these be truly wholly completely dead? https://smelt.suse.de/maintained/?q=python
Isn’t this problem also for - SUSE:SLE-15:Update/python3 3.6.15 ???
And also - SUSE:SLE-15-SP3:Update/python3 3.6.15
yes, matej is right, these are affected but dont need a fix: - SUSE:SLE-11-SP1:Update/python 2.6.9 - SUSE:SLE-11-SP1:Update/python-base 2.6.9 these are also affected: - SUSE:SLE-15:Update/python3 3.6.15 - SUSE:SLE-15-SP3:Update/python3 3.6.15 sorry for the mess, there was some issue with my tooling, internally we have this tracked already like this
these are also affected: - SUSE:SLE-15:Update/python3 3.6.15 - SUSE:SLE-15-SP3:Update/python3 3.6.15 No, they are not. The fix in https://github.com/python/cpython/commit/8bef9ebb1b88cfa4b2a38b93fe4ea22015d8254a actually is on 3.6.15 branch. I may modify *.changes to include specific mention of it, but I don't think I will do changelog-only changes to our package.
Actually, I have still Python 2.* and 3.4 to fix.
This is an autogenerated message for OBS integration: This bug (1214691) was mentioned in https://build.opensuse.org/request/show/1111680 Factory / python
https://github.com/python/cpython/commit/db5aed931f8a617f7b63e773f62db468fe9c5ca1 is not in 3.6.15, but yeah the other commit should be sufficient. updated tracking to not affected for 3.6.15
Remaining SRs submitted.
SUSE-SU-2023:4001-1: An update that solves two vulnerabilities can now be installed. Category: security (moderate) Bug References: 1214685, 1214691 CVE References: CVE-2022-48565, CVE-2022-48566 Sources used: SUSE Linux Enterprise High Performance Computing 12 SP5 (src): python-base-2.7.18-33.26.1, python-doc-2.7.18-33.26.1, python-2.7.18-33.26.1 SUSE Linux Enterprise Server 12 SP5 (src): python-base-2.7.18-33.26.1, python-doc-2.7.18-33.26.1, python-2.7.18-33.26.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): python-base-2.7.18-33.26.1, python-doc-2.7.18-33.26.1, python-2.7.18-33.26.1 SUSE Linux Enterprise Workstation Extension 12 12-SP5 (src): python-base-2.7.18-33.26.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:4220-1: An update that solves three vulnerabilities can now be installed. Category: security (moderate) Bug References: 1210638, 1214685, 1214691 CVE References: CVE-2022-48565, CVE-2022-48566, CVE-2023-27043 Sources used: openSUSE Leap 15.4 (src): python-base-2.7.18-150000.57.1, python-2.7.18-150000.57.1, python-doc-2.7.18-150000.57.1 openSUSE Leap 15.5 (src): python-base-2.7.18-150000.57.1, python-2.7.18-150000.57.1, python-doc-2.7.18-150000.57.1 SUSE Package Hub 15 15-SP4 (src): python-base-2.7.18-150000.57.1 SUSE Package Hub 15 15-SP5 (src): python-base-2.7.18-150000.57.1, python-2.7.18-150000.57.1 SUSE Manager Proxy 4.2 (src): python-base-2.7.18-150000.57.1, python-2.7.18-150000.57.1 SUSE Manager Retail Branch Server 4.2 (src): python-base-2.7.18-150000.57.1, python-2.7.18-150000.57.1 SUSE Manager Server 4.2 (src): python-base-2.7.18-150000.57.1, python-2.7.18-150000.57.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
on sle11 python there is no compare_digest, so callers need to do this on their own. So this specific CVE does not affect python 2.6 for SLE11.
SUSE-SU-2024:0464-1: An update that solves two vulnerabilities can now be installed. Category: security (moderate) Bug References: 1210638, 1214691 CVE References: CVE-2022-48566, CVE-2023-27043 Sources used: SUSE Linux Enterprise Micro 5.1 (src): python3-core-3.6.15-150000.3.138.1, python3-3.6.15-150000.3.138.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2024:0901-1: An update that solves two vulnerabilities can now be installed. Category: security (important) Bug References: 1214691, 1219666 CVE References: CVE-2022-48566, CVE-2023-6597 Sources used: openSUSE Leap Micro 5.4 (src): python3-3.6.15-150300.10.57.1, python3-core-3.6.15-150300.10.57.1 openSUSE Leap 15.5 (src): python3-3.6.15-150300.10.57.1, python3-core-3.6.15-150300.10.57.1, python3-documentation-3.6.15-150300.10.57.1 SUSE Linux Enterprise Micro for Rancher 5.3 (src): python3-3.6.15-150300.10.57.1, python3-core-3.6.15-150300.10.57.1 SUSE Linux Enterprise Micro 5.3 (src): python3-3.6.15-150300.10.57.1, python3-core-3.6.15-150300.10.57.1 SUSE Linux Enterprise Micro for Rancher 5.4 (src): python3-3.6.15-150300.10.57.1, python3-core-3.6.15-150300.10.57.1 SUSE Linux Enterprise Micro 5.4 (src): python3-3.6.15-150300.10.57.1, python3-core-3.6.15-150300.10.57.1 SUSE Linux Enterprise Micro 5.5 (src): python3-3.6.15-150300.10.57.1, python3-core-3.6.15-150300.10.57.1 Basesystem Module 15-SP5 (src): python3-3.6.15-150300.10.57.1, python3-core-3.6.15-150300.10.57.1 Development Tools Module 15-SP5 (src): python3-core-3.6.15-150300.10.57.1 SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): python3-3.6.15-150300.10.57.1, python3-core-3.6.15-150300.10.57.1 SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src): python3-3.6.15-150300.10.57.1, python3-core-3.6.15-150300.10.57.1 SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src): python3-3.6.15-150300.10.57.1, python3-core-3.6.15-150300.10.57.1 SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src): python3-3.6.15-150300.10.57.1, python3-core-3.6.15-150300.10.57.1 SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): python3-3.6.15-150300.10.57.1, python3-core-3.6.15-150300.10.57.1 SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src): python3-3.6.15-150300.10.57.1, python3-core-3.6.15-150300.10.57.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): python3-3.6.15-150300.10.57.1, python3-core-3.6.15-150300.10.57.1 SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src): python3-3.6.15-150300.10.57.1, python3-core-3.6.15-150300.10.57.1 SUSE Manager Proxy 4.3 (src): python3-3.6.15-150300.10.57.1, python3-core-3.6.15-150300.10.57.1 SUSE Manager Retail Branch Server 4.3 (src): python3-3.6.15-150300.10.57.1, python3-core-3.6.15-150300.10.57.1 SUSE Manager Server 4.3 (src): python3-3.6.15-150300.10.57.1, python3-core-3.6.15-150300.10.57.1 SUSE Enterprise Storage 7.1 (src): python3-3.6.15-150300.10.57.1, python3-core-3.6.15-150300.10.57.1 SUSE Linux Enterprise Micro 5.2 (src): python3-3.6.15-150300.10.57.1, python3-core-3.6.15-150300.10.57.1 SUSE Linux Enterprise Micro for Rancher 5.2 (src): python3-3.6.15-150300.10.57.1, python3-core-3.6.15-150300.10.57.1 openSUSE Leap 15.3 (src): python3-3.6.15-150300.10.57.1, python3-core-3.6.15-150300.10.57.1, python3-documentation-3.6.15-150300.10.57.1 openSUSE Leap Micro 5.3 (src): python3-3.6.15-150300.10.57.1, python3-core-3.6.15-150300.10.57.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2024:1847-1: An update that solves four vulnerabilities and has four security fixes can now be installed. Category: security (important) Bug References: 1214691, 1219559, 1219666, 1220664, 1221563, 1221854, 1222075, 1222109 CVE References: CVE-2022-48566, CVE-2023-52425, CVE-2023-6597, CVE-2024-0450 Maintenance Incident: [SUSE:Maintenance:33972](https://smelt.suse.de/incident/33972/) Sources used: SUSE Linux Enterprise Software Development Kit 12 SP5 (src): python36-core-3.6.15-55.1 SUSE Linux Enterprise High Performance Computing 12 SP5 (src): python36-core-3.6.15-55.1, python36-3.6.15-55.1 SUSE Linux Enterprise Server 12 SP5 (src): python36-core-3.6.15-55.1, python36-3.6.15-55.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): python36-core-3.6.15-55.1, python36-3.6.15-55.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.