Bugzilla – Bug 1204364
VUL-0: CVE-2022-42969: python-py: ReDoS via a Subversion repository with crafted info data
Last modified: 2024-06-13 15:44:39 UTC
CVE-2022-42969 The py library through 1.11.0 for Python allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled.

References:
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-42969
- https://www.cve.org/CVERecord?id=CVE-2022-42969
- https://github.com/pytest-dev/py/blob/cb87a83960523a2367d0f19226a73aed4ce4291d/py/_path/svnurl.py#L316
- https://github.com/pytest-dev/py/issues/287
- http://www.cvedetails.com/cve/CVE-2022-42969/
- https://pypi.org/project/py
Still no plan to fix this upstream.

Regarding the CVSS, we would need to fix:
- SUSE:SLE-12-SP1:Update
- SUSE:SLE-12-SP2:Update
- SUSE:SLE-15-SP1:Update
Any news @Ciaran and @Steven? :)
SUSE-SU-2023:0161-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1204364
CVE References: CVE-2022-42969
JIRA References:
Sources used:
- openSUSE Leap Micro 5.3 (src): python-py-1.10.0-150100.5.12.1
- openSUSE Leap Micro 5.2 (src): python-py-1.10.0-150100.5.12.1
- openSUSE Leap 15.4 (src): python-py-1.10.0-150100.5.12.1
- SUSE Linux Enterprise Realtime Extension 15-SP3 (src): python-py-1.10.0-150100.5.12.1
- SUSE Linux Enterprise Module for Basesystem 15-SP4 (src): python-py-1.10.0-150100.5.12.1
- SUSE Linux Enterprise Micro 5.3 (src): python-py-1.10.0-150100.5.12.1
- SUSE Linux Enterprise Micro 5.2 (src): python-py-1.10.0-150100.5.12.1
- SUSE Linux Enterprise Micro 5.1 (src): python-py-1.10.0-150100.5.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:0395-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1204364
CVE References: CVE-2022-42969
JIRA References:
Sources used:
- SUSE Linux Enterprise Software Development Kit 12-SP5 (src): python-py-1.8.1-11.15.2
- SUSE Linux Enterprise Server 12-SP5 (src): python-py-1.8.1-11.15.2
- SUSE Linux Enterprise Module for Public Cloud 12 (src): python-py-1.8.1-11.15.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:0681-1: An update that solves one vulnerability and has one fix can now be installed.

Category: security (moderate)
Bug References: 1204364, 1208181
CVE References: CVE-2022-42969
Sources used:
- Public Cloud Module 12 (src): python-py-1.8.1-11.18.1
- SUSE Linux Enterprise Software Development Kit 12 SP5 (src): python-py-1.8.1-11.18.1
- SUSE Linux Enterprise High Performance Computing 12 SP5 (src): python-py-1.8.1-11.18.1
- SUSE Linux Enterprise Server 12 SP5 (src): python-py-1.8.1-11.18.1
- SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): python-py-1.8.1-11.18.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
This is an autogenerated message for OBS integration: This bug (1204364) was mentioned in https://build.opensuse.org/request/show/1109354 (Factory / python-py).
done