SUSE Container Update Advisory: bci/python ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2022:2297-1 Container Tags : bci/python:3 , bci/python:3.10 , bci/python:3.10-5.31 , bci/python:latest Container Release : 5.31 Severity : important Type : security References : 1047178 1189802 1195773 1201041 1201680 1201783 CVE-2017-6512 CVE-2021-36690 CVE-2021-46828 CVE-2022-35737 ----------------------------------------------------------------- The container bci/python was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:3271-1 Released: Wed Sep 14 06:45:39 2022 Summary: Security update for perl Type: security Severity: moderate References: 1047178,CVE-2017-6512 This update for perl fixes the following issues: - CVE-2017-6512: Fixed File::Path rmtree/remove_tree race condition (bsc#1047178). ----------------------------------------------------------------- Advisory ID: SUSE-feature-2022:3302-1 Released: Mon Sep 19 08:51:02 2022 Summary: Feature update for python310-pip Type: feature Severity: moderate References: 1201041 This feature update for python310-pip and python-rpm-macros provides: python310-pip: Upgrade from version 20.2.4 to version 22.0.4 (jsc#SLE-24539) - Adjust SPEC file to generate python310 module only - Avoid cycle: BuildRequire ca-certificates only in tests - This version is not compatible with Python 3.6 and thus not suitable for SUSE Linux Enterprise 15. - Drop the doctype check, that presented a warning for index pages that use non-compliant HTML 5. - Print the exception via rich.traceback, when running with `--debug`. - Only calculate topological installation order, for packages that are going to be installed/upgraded. * This error occurred when determining the installation order for a very specific combination of upgrading of already installed packages, change of dependencies and fetching some packages from a package index. This combination was especially common in Read the Docs' builds. - Use html.parser by default, instead of falling back to html5lib when --use-deprecated=html5lib is not passed. - Clarify that using per-requirement overrides disables the usage of wheels. - Instead of failing on index pages that use non-compliant HTML 5, print a deprecation warning and fall back to html5lib-based parsing for now. This simplifies the migration for non-compliant index pages, by letting such indexes function with a warning. - Accept lowercase on index pages. - Properly handle links parsed by html5lib, when using --use-deprecated=html5lib. - Changed PackageFinder to parse HTML documents using the stdlib :class:`html.parser.HTMLParser` class instead of the html5lib package. - For now, the deprecated html5lib code remains and can be used with the --use-deprecated=html5lib command line option. However, it will be removed in a future pip release. - Completely replace :pypi:`tox` in our development workflow, with :pypi:`nox`. - Deprecate alternative progress bar styles, leaving only on and off as available choices. - Drop support for Python 3.6. - Disable location mismatch warnings on Python versions prior to 3.10. * These warnings were helping identify potential issues as part of the sysconfig -> distutils transition, and we no longer need to rely on reports from older Python versions for information on the transition. - Utilize rich for presenting pip's default download progress bar. - Present a better error message when an invalid wheel file is encountered, providing more context where the invalid wheel file is. - Documents the --require-virtualenv flag for pip install. - pip install autocompletes paths. - Allow Python distributors to opt-out from or opt-in to the sysconfig installation scheme backend by setting sysconfig._PIP_USE_SYSCONFIG to True or False. - Make it possible to deselect tests requiring cryptography package on systems where it cannot be installed. - Start using Rich for presenting error messages in a consistent format. - Improve presentation of errors from subprocesses. - Forward pip's verbosity configuration to VCS tools to control their output accordingly. - Optimize installation order calculation to improve performance when installing requirements that form a complex dependency graph with a large amount of edges. - When a package is requested by the user for upgrade, correctly identify that the extra-ed variant of that same package depended by another user-requested package is requesting the same package, and upgrade it accordingly. - Prevent pip from installing yanked releases unless explicitly pinned via the `==` or `===` operators. - Stop backtracking on build failures, by instead surfacing them to the user and aborting immediately. This behaviour provides more immediate feedback when a package cannot be built due to missing build dependencies or platform incompatibility. - Silence Value for does not match warning caused by an erroneous patch in Slackware-distributed Python 3.9. - Fix an issue where pip did not consider dependencies with and without extras to be equal - Always refuse installing or building projects that have no ``pyproject.toml`` nor ``setup.py``. - Tweak running-as-root detection, to check ``os.getuid`` if it exists, on Unix-y and non-Linux/non-MacOS machines. - When installing projects with a ``pyproject.toml`` in editable mode, and the build backend does not support :pep:`660`, prepare metadata using ``prepare_metadata_for_build_wheel`` instead of ``setup.py egg_info``. Also, refuse installing projects that only have a ``setup.cfg`` and no ``setup.py`` nor ``pyproject.toml``. These restore the pre-21.3 behaviour. - Restore compatibility of where configuration files are loaded from on MacOS - Upgrade pep517 to 0.12.0 - Improve deprecation warning regarding the copying of source trees when installing from a local directory. - Suppress location mismatch warnings when pip is invoked from a Python source tree, so ``ensurepip`` does not emit warnings on CPython ``make install``. - On Python 3.10 or later, the installation scheme backend has been changed to use ``sysconfig``. This is to anticipate the deprecation of ``distutils`` in Python 3.10, and its scheduled removal in 3.12. For compatibility considerations, pip installations running on Python 3.9 or lower will continue to use ``distutils``. - Remove the ``--build-dir`` option and aliases, one last time. - In-tree builds are now the default. ``--use-feature=in-tree-build`` is now ignored. ``--use-deprecated=out-of-tree-build`` may be used temporarily to ease the transition. - Un-deprecate source distribution re-installation behaviour. - Replace vendored appdirs with platformdirs. - Support `PEP 610 `_ to detect editable installs in ``pip freeze`` and ``pip list``. The ``pip list`` column output has a new ``Editable project location`` column, and the JSON output has a new ``editable_project_location`` field. - ``pip freeze`` will now always fallback to reporting the editable project location when it encounters a VCS error while analyzing an editable requirement. Before, it sometimes reported the requirement as non-editable. - ``pip show`` now sorts ``Requires`` and ``Required-By`` alphabetically. - Do not raise error when there are no files to remove with ``pip cache purge/remove``. Instead log a warning and continue (to log that we removed 0 files). - When backtracking during dependency resolution, prefer the dependencies which are involved in the most recent conflict. This can significantly reduce the amount of backtracking required. - Cache requirement objects, to improve performance reducing reparses of requirement strings. - Support editable installs for projects that have a ``pyproject.toml`` and use a build backend that supports :pep:`660`. - When a revision is specified in a Git URL, use git's partial clone feature to speed up source retrieval. - Add a ``--debug`` flag, to enable a mode that doesn't log errors and propagates them to the top level instead. This is primarily to aid with debugging pip's crashes. - If a host is explicitly specified as trusted by the user (via the --trusted-host option), cache HTTP responses from it in addition to HTTPS ones. - Present a better error message, when a ``file:`` URL is not found. - Fix the auth credential cache to allow for the case in which the index url contains the username, but the password comes from an external source, such as keyring. - Fix double unescape of HTML ``data-requires-python`` and ``data-yanked`` attributes. - New resolver: Fixes depth ordering of packages during resolution, e.g. a dependency 2 levels deep will be ordered before a dependency 3 levels deep. python-rpm-macros: Update from version 20220106.80d3756 to version 20220809.cf8a7b8 (bsc#1201041) - Pass `--ignore-installed` to `pip install` in %pyproject_install - restore end-of-line in alternative scriptlets - make python_flavored_alternatives less verbose - Move install of libalts from sciptlets to python_clone -a - hard-code %py_ver - print proper error on missing python interpreter - Update compile-macros.sh - Create python_flavored_alternatives and use for testing - Switch primary_interpreter from python38 to python310 - Avoid bashism in %() - Fix flavor executable substitution - Keep python38 as primary python3 - Add python310 to the buildset - Move python39 to the primary place in %pythons - Disable python36 flavor in Factory buildset - Add python310 flavor macros to compile set ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:3305-1 Released: Mon Sep 19 11:45:57 2022 Summary: Security update for libtirpc Type: security Severity: important References: 1201680,CVE-2021-46828 This update for libtirpc fixes the following issues: - CVE-2021-46828: Fixed denial of service vulnerability with lots of connections (bsc#1201680). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:3307-1 Released: Mon Sep 19 13:26:51 2022 Summary: Security update for sqlite3 Type: security Severity: moderate References: 1189802,1195773,1201783,CVE-2021-36690,CVE-2022-35737 This update for sqlite3 fixes the following issues: - CVE-2022-35737: Fixed an array-bounds overflow if billions of bytes are used in a string argument to a C API (bnc#1201783). - CVE-2021-36690: Fixed an issue with the SQLite Expert extension when a column has no collating sequence (bsc#1189802). - Package the Tcl bindings here again so that we only ship one copy of SQLite (bsc#1195773). The following package changes have been done: - libtirpc-netconfig-1.2.6-150300.3.14.1 updated - perl-base-5.26.1-150300.17.11.1 updated - libsqlite3-0-3.39.3-150000.3.17.1 updated - libtirpc3-1.2.6-150300.3.14.1 updated - python310-pip-22.0.4-150400.3.3.1 updated - container:sles15-image-15.0.0-27.11.25 updated