OPENSUSE-SU-2022:10183-1
Vulnerability from csaf_opensuse - Published: 2022-10-31 17:01 - Updated: 2022-10-31 17:01Summary
Security update for pyenv
Notes
Title of the patch
Security update for pyenv
Description of the patch
This update for pyenv fixes the following issues:
Update to 2.3.5
- Add CPython 3.10.7 by @edgarrmondragon in #2454
- Docs: update Fish PATH update by @gregorias in #2449
- Add CPython 3.7.14, 3.8.14 and 3.9.14 by @edgarrmondragon in #2456
- Update miniconda3-3.9-4.12.0 by @Tsuki in #2460
- Add CPython 3.11.0rc2 by @ViktorHaag in #2459
- Add patches for 3.7.14 to support Apple Silicon by @samdoran in #2463
- Add ability to easily skip all use of Homebrew by @samdoran in #2464
- Drop Travis integration by @sobolevn in #2468
- Build CPython 3.12+ with --with-dsymutil in MacOS by @native-api in #2471
- Add Pyston 2.3.5 by @scop in #2476
Full Changelog: https://github.com/pyenv/pyenv/compare/v2.3.4...v2.3.5
Update to 2.3.4
- Add CPython 3.11.0rc1 by @edgarrmondragon in #2434
- Add support for multiple versions in pyenv uninstall
by @hardikpnsp in #2432
- Add micropython 1.18 and 1.19.1 by @dmitriy-serdyuk in #2443
- CI: support Micropython, deleted scripts; build with -v
by @native-api in #2447
- Re-allow paths in .python-version while still preventing CVE-2022-35861
by @comrumino in #2442
- CI: Bump OS versions by @native-api in #2448
- Add Cinder 3.8 by @filips123 in #2433
- Add support for multiple versions in pyenv uninstall in #2432
- Add micropython 1.18 and 1.19.1 in #2443
- Add Cinder 3.8 in #2433
Update to 2.3.3
- Use version sort in pyenv versions by @fofoni in #2405
- Add CPython 3.11.0b4 by @majorgreys in #2411
- Python-build: Replace deprecated git protocol use with https in docs
by @ssbarnea in #2413
- Fix relative path traversal due to using version string in path
by @comrumino in #2412
- Allow pypy2 and pypy3 patching by @brogon in #2421, #2419
- Add CPython 3.11.0b5 by @edgarrmondragon in #2420
- Add GraalPython 22.2.0 by @msimacek in #2425
- Add CPython 3.10.6 by @edgarrmondragon in #2428
- Add CPython 3.11.0b4 by @majorgreys in #2411
- Replace deprecated git protocol use with https
by @ssbarnea in docs #2413
- Fix relative path traversal due to using version string in path
by @comrumino in #2412
- Fix patterns for pypy2.*/pypy3.* versions by @brogon in #2419
Update to 2.3.2
- Add CPython 3.11.0b2 by @saaketp in #2380
- Honor CFLAGS_EXTRA for MicroPython #2006 by @yggdr in #2007
- Add post-install checks for curses, ctypes, lzma, and tkinter
by @aphedges in #2353
- Add CPython 3.11.0b3 by @edgarrmondragon in #2382
- Add flags for Homebrew into python-config --ldflags by @native-api
in #2384
- Add CPython 3.10.5 by @illia-v in #2386
- Add Anaconda 2019.10, 2021.04, 2022.05; support Anaconda in
add_miniconda.py by @native-api in #2385
- Add Pyston-2.3.4 by @dand-oss in #2390
- Update Anaconda3-2022.05 MacOSX arm64 md5 by @bkbncn in #2391
- Fix boo#1201582 to fix CVE-2022-35861 (from commit 22fa683, file pyenv-CVE-2022-35861.patch)
Update to 2.3.0
- Bump openssl 1.1 to 1.1.1n for CPython 3.7 3.8 3.9 by @tuzi3040 in #2276
- Doc Fix: Escape a hash character causing unwanted GitHub Issue linking by @edrogers in #2282
- Add CPython 3.9.12 by @saaketp in #2296
- Add CPython 3.10.4 by @saaketp in #2295
- Add patch for 3.6.15 to support Xcode 13.3 by @nshine in #2288
- Add patch for 3.7.12 to support Xcode 13.3 by @samdoran in #2292
- Add CONTRIBUTING.md by @native-api in #2287
- Add PyPy 7.3.9 release 2022-03-30 by @dand-oss in #2308
- Add Pyston 2.3.3 by @scop in #2316
- Add CPython 3.11.0a7 by @illia-v in #2315
- Add 'nogil' Python v3.9.10 by @colesbury in #2342
- Support XCode 13.3 in all releases that officially support MacOS 11 by @native-api in #2344
- Add GraalPython 22.1.0 by @msimacek in #2346
- Make PYENV_DEBUG imply -v for pyenv install by @native-api in #2347
- Simplify init scheme by @native-api in #2310
- Don't use Homebrew outside of MacOS by @native-api in #2349
- Add :latest syntax to documentation for the install command by @hay in #2351
Update to 2.2.5
- fix issue 2236 for CPython 3.6.15 and 3.7.12 by @fofoni in #2237
- python-build: add URL for get-pip for Python 3.6 by @fofoni in #2238
- Add pyston-2.3.2 by @dmrlawson in #2240
- CPython 3.11.0a5 by @saaketp in #2241
- CPython 3.11.0a6 by @saaketp in #2266
- Add miniconda 4.11.0 by @aphedges in #2268
- docs(pyenv-prefix): note support for multiple versions by @scop in #2270
- pypy 7.3.8 02/20/2022 release by @dand-oss in #2253
Patchnames
openSUSE-2022-10183
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for pyenv",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for pyenv fixes the following issues:\n\nUpdate to 2.3.5\n\n- Add CPython 3.10.7 by @edgarrmondragon in #2454\n- Docs: update Fish PATH update by @gregorias in #2449\n- Add CPython 3.7.14, 3.8.14 and 3.9.14 by @edgarrmondragon in #2456\n- Update miniconda3-3.9-4.12.0 by @Tsuki in #2460\n- Add CPython 3.11.0rc2 by @ViktorHaag in #2459\n- Add patches for 3.7.14 to support Apple Silicon by @samdoran in #2463\n- Add ability to easily skip all use of Homebrew by @samdoran in #2464\n- Drop Travis integration by @sobolevn in #2468\n- Build CPython 3.12+ with --with-dsymutil in MacOS by @native-api in #2471\n- Add Pyston 2.3.5 by @scop in #2476\n Full Changelog: https://github.com/pyenv/pyenv/compare/v2.3.4...v2.3.5\n\nUpdate to 2.3.4\n\n- Add CPython 3.11.0rc1 by @edgarrmondragon in #2434\n- Add support for multiple versions in pyenv uninstall\n by @hardikpnsp in #2432\n- Add micropython 1.18 and 1.19.1 by @dmitriy-serdyuk in #2443\n- CI: support Micropython, deleted scripts; build with -v\n by @native-api in #2447\n- Re-allow paths in .python-version while still preventing CVE-2022-35861\n by @comrumino in #2442\n- CI: Bump OS versions by @native-api in #2448\n- Add Cinder 3.8 by @filips123 in #2433\n- Add support for multiple versions in pyenv uninstall in #2432\n- Add micropython 1.18 and 1.19.1 in #2443\n- Add Cinder 3.8 in #2433\n\nUpdate to 2.3.3\n\n- Use version sort in pyenv versions by @fofoni in #2405\n- Add CPython 3.11.0b4 by @majorgreys in #2411\n- Python-build: Replace deprecated git protocol use with https in docs\n by @ssbarnea in #2413\n- Fix relative path traversal due to using version string in path\n by @comrumino in #2412\n- Allow pypy2 and pypy3 patching by @brogon in #2421, #2419\n- Add CPython 3.11.0b5 by @edgarrmondragon in #2420\n- Add GraalPython 22.2.0 by @msimacek in #2425\n- Add CPython 3.10.6 by @edgarrmondragon in #2428\n- Add CPython 3.11.0b4 by @majorgreys in #2411\n- Replace deprecated git protocol use with https\n by @ssbarnea in docs #2413\n- Fix relative path traversal due to using version string in path\n by @comrumino in #2412\n- Fix patterns for pypy2.*/pypy3.* versions by @brogon in #2419\n\nUpdate to 2.3.2\n\n- Add CPython 3.11.0b2 by @saaketp in #2380\n- Honor CFLAGS_EXTRA for MicroPython #2006 by @yggdr in #2007\n- Add post-install checks for curses, ctypes, lzma, and tkinter\n by @aphedges in #2353\n- Add CPython 3.11.0b3 by @edgarrmondragon in #2382\n- Add flags for Homebrew into python-config --ldflags by @native-api\n in #2384\n- Add CPython 3.10.5 by @illia-v in #2386\n- Add Anaconda 2019.10, 2021.04, 2022.05; support Anaconda in\n add_miniconda.py by @native-api in #2385\n- Add Pyston-2.3.4 by @dand-oss in #2390\n- Update Anaconda3-2022.05 MacOSX arm64 md5 by @bkbncn in #2391\n- Fix boo#1201582 to fix CVE-2022-35861 (from commit 22fa683, file pyenv-CVE-2022-35861.patch)\n\nUpdate to 2.3.0\n\n- Bump openssl 1.1 to 1.1.1n for CPython 3.7 3.8 3.9 by @tuzi3040 in #2276\n- Doc Fix: Escape a hash character causing unwanted GitHub Issue linking by @edrogers in #2282\n- Add CPython 3.9.12 by @saaketp in #2296\n- Add CPython 3.10.4 by @saaketp in #2295\n- Add patch for 3.6.15 to support Xcode 13.3 by @nshine in #2288\n- Add patch for 3.7.12 to support Xcode 13.3 by @samdoran in #2292\n- Add CONTRIBUTING.md by @native-api in #2287\n- Add PyPy 7.3.9 release 2022-03-30 by @dand-oss in #2308\n- Add Pyston 2.3.3 by @scop in #2316\n- Add CPython 3.11.0a7 by @illia-v in #2315\n- Add \u0027nogil\u0027 Python v3.9.10 by @colesbury in #2342\n- Support XCode 13.3 in all releases that officially support MacOS 11 by @native-api in #2344\n- Add GraalPython 22.1.0 by @msimacek in #2346\n- Make PYENV_DEBUG imply -v for pyenv install by @native-api in #2347\n- Simplify init scheme by @native-api in #2310\n- Don\u0027t use Homebrew outside of MacOS by @native-api in #2349\n- Add :latest syntax to documentation for the install command by @hay in #2351\n\nUpdate to 2.2.5\n\n- fix issue 2236 for CPython 3.6.15 and 3.7.12 by @fofoni in #2237\n- python-build: add URL for get-pip for Python 3.6 by @fofoni in #2238\n- Add pyston-2.3.2 by @dmrlawson in #2240\n- CPython 3.11.0a5 by @saaketp in #2241\n- CPython 3.11.0a6 by @saaketp in #2266\n- Add miniconda 4.11.0 by @aphedges in #2268\n- docs(pyenv-prefix): note support for multiple versions by @scop in #2270\n- pypy 7.3.8 02/20/2022 release by @dand-oss in #2253\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-2022-10183",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2022_10183-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2022:10183-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IDXGUII5AFV4IIRR3AESPKYMZT4THLRR/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2022:10183-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IDXGUII5AFV4IIRR3AESPKYMZT4THLRR/"
},
{
"category": "self",
"summary": "SUSE Bug 1201582",
"url": "https://bugzilla.suse.com/1201582"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-35861 page",
"url": "https://www.suse.com/security/cve/CVE-2022-35861/"
}
],
"title": "Security update for pyenv",
"tracking": {
"current_release_date": "2022-10-31T17:01:33Z",
"generator": {
"date": "2022-10-31T17:01:33Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2022:10183-1",
"initial_release_date": "2022-10-31T17:01:33Z",
"revision_history": [
{
"date": "2022-10-31T17:01:33Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "pyenv-2.3.5-bp154.2.3.1.aarch64",
"product": {
"name": "pyenv-2.3.5-bp154.2.3.1.aarch64",
"product_id": "pyenv-2.3.5-bp154.2.3.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "pyenv-2.3.5-bp154.2.3.1.i586",
"product": {
"name": "pyenv-2.3.5-bp154.2.3.1.i586",
"product_id": "pyenv-2.3.5-bp154.2.3.1.i586"
}
}
],
"category": "architecture",
"name": "i586"
},
{
"branches": [
{
"category": "product_version",
"name": "pyenv-bash-completion-2.3.5-bp154.2.3.1.noarch",
"product": {
"name": "pyenv-bash-completion-2.3.5-bp154.2.3.1.noarch",
"product_id": "pyenv-bash-completion-2.3.5-bp154.2.3.1.noarch"
}
},
{
"category": "product_version",
"name": "pyenv-fish-completion-2.3.5-bp154.2.3.1.noarch",
"product": {
"name": "pyenv-fish-completion-2.3.5-bp154.2.3.1.noarch",
"product_id": "pyenv-fish-completion-2.3.5-bp154.2.3.1.noarch"
}
},
{
"category": "product_version",
"name": "pyenv-zsh-completion-2.3.5-bp154.2.3.1.noarch",
"product": {
"name": "pyenv-zsh-completion-2.3.5-bp154.2.3.1.noarch",
"product_id": "pyenv-zsh-completion-2.3.5-bp154.2.3.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "pyenv-2.3.5-bp154.2.3.1.ppc64le",
"product": {
"name": "pyenv-2.3.5-bp154.2.3.1.ppc64le",
"product_id": "pyenv-2.3.5-bp154.2.3.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "pyenv-2.3.5-bp154.2.3.1.s390x",
"product": {
"name": "pyenv-2.3.5-bp154.2.3.1.s390x",
"product_id": "pyenv-2.3.5-bp154.2.3.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "pyenv-2.3.5-bp154.2.3.1.x86_64",
"product": {
"name": "pyenv-2.3.5-bp154.2.3.1.x86_64",
"product_id": "pyenv-2.3.5-bp154.2.3.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Package Hub 15 SP4",
"product": {
"name": "SUSE Package Hub 15 SP4",
"product_id": "SUSE Package Hub 15 SP4"
}
},
{
"category": "product_name",
"name": "openSUSE Leap 15.4",
"product": {
"name": "openSUSE Leap 15.4",
"product_id": "openSUSE Leap 15.4",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.4"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "pyenv-2.3.5-bp154.2.3.1.aarch64 as component of SUSE Package Hub 15 SP4",
"product_id": "SUSE Package Hub 15 SP4:pyenv-2.3.5-bp154.2.3.1.aarch64"
},
"product_reference": "pyenv-2.3.5-bp154.2.3.1.aarch64",
"relates_to_product_reference": "SUSE Package Hub 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pyenv-2.3.5-bp154.2.3.1.i586 as component of SUSE Package Hub 15 SP4",
"product_id": "SUSE Package Hub 15 SP4:pyenv-2.3.5-bp154.2.3.1.i586"
},
"product_reference": "pyenv-2.3.5-bp154.2.3.1.i586",
"relates_to_product_reference": "SUSE Package Hub 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pyenv-2.3.5-bp154.2.3.1.ppc64le as component of SUSE Package Hub 15 SP4",
"product_id": "SUSE Package Hub 15 SP4:pyenv-2.3.5-bp154.2.3.1.ppc64le"
},
"product_reference": "pyenv-2.3.5-bp154.2.3.1.ppc64le",
"relates_to_product_reference": "SUSE Package Hub 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pyenv-2.3.5-bp154.2.3.1.s390x as component of SUSE Package Hub 15 SP4",
"product_id": "SUSE Package Hub 15 SP4:pyenv-2.3.5-bp154.2.3.1.s390x"
},
"product_reference": "pyenv-2.3.5-bp154.2.3.1.s390x",
"relates_to_product_reference": "SUSE Package Hub 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pyenv-2.3.5-bp154.2.3.1.x86_64 as component of SUSE Package Hub 15 SP4",
"product_id": "SUSE Package Hub 15 SP4:pyenv-2.3.5-bp154.2.3.1.x86_64"
},
"product_reference": "pyenv-2.3.5-bp154.2.3.1.x86_64",
"relates_to_product_reference": "SUSE Package Hub 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pyenv-bash-completion-2.3.5-bp154.2.3.1.noarch as component of SUSE Package Hub 15 SP4",
"product_id": "SUSE Package Hub 15 SP4:pyenv-bash-completion-2.3.5-bp154.2.3.1.noarch"
},
"product_reference": "pyenv-bash-completion-2.3.5-bp154.2.3.1.noarch",
"relates_to_product_reference": "SUSE Package Hub 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pyenv-fish-completion-2.3.5-bp154.2.3.1.noarch as component of SUSE Package Hub 15 SP4",
"product_id": "SUSE Package Hub 15 SP4:pyenv-fish-completion-2.3.5-bp154.2.3.1.noarch"
},
"product_reference": "pyenv-fish-completion-2.3.5-bp154.2.3.1.noarch",
"relates_to_product_reference": "SUSE Package Hub 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pyenv-zsh-completion-2.3.5-bp154.2.3.1.noarch as component of SUSE Package Hub 15 SP4",
"product_id": "SUSE Package Hub 15 SP4:pyenv-zsh-completion-2.3.5-bp154.2.3.1.noarch"
},
"product_reference": "pyenv-zsh-completion-2.3.5-bp154.2.3.1.noarch",
"relates_to_product_reference": "SUSE Package Hub 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pyenv-2.3.5-bp154.2.3.1.aarch64 as component of openSUSE Leap 15.4",
"product_id": "openSUSE Leap 15.4:pyenv-2.3.5-bp154.2.3.1.aarch64"
},
"product_reference": "pyenv-2.3.5-bp154.2.3.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pyenv-2.3.5-bp154.2.3.1.i586 as component of openSUSE Leap 15.4",
"product_id": "openSUSE Leap 15.4:pyenv-2.3.5-bp154.2.3.1.i586"
},
"product_reference": "pyenv-2.3.5-bp154.2.3.1.i586",
"relates_to_product_reference": "openSUSE Leap 15.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pyenv-2.3.5-bp154.2.3.1.ppc64le as component of openSUSE Leap 15.4",
"product_id": "openSUSE Leap 15.4:pyenv-2.3.5-bp154.2.3.1.ppc64le"
},
"product_reference": "pyenv-2.3.5-bp154.2.3.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pyenv-2.3.5-bp154.2.3.1.s390x as component of openSUSE Leap 15.4",
"product_id": "openSUSE Leap 15.4:pyenv-2.3.5-bp154.2.3.1.s390x"
},
"product_reference": "pyenv-2.3.5-bp154.2.3.1.s390x",
"relates_to_product_reference": "openSUSE Leap 15.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pyenv-2.3.5-bp154.2.3.1.x86_64 as component of openSUSE Leap 15.4",
"product_id": "openSUSE Leap 15.4:pyenv-2.3.5-bp154.2.3.1.x86_64"
},
"product_reference": "pyenv-2.3.5-bp154.2.3.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pyenv-bash-completion-2.3.5-bp154.2.3.1.noarch as component of openSUSE Leap 15.4",
"product_id": "openSUSE Leap 15.4:pyenv-bash-completion-2.3.5-bp154.2.3.1.noarch"
},
"product_reference": "pyenv-bash-completion-2.3.5-bp154.2.3.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pyenv-fish-completion-2.3.5-bp154.2.3.1.noarch as component of openSUSE Leap 15.4",
"product_id": "openSUSE Leap 15.4:pyenv-fish-completion-2.3.5-bp154.2.3.1.noarch"
},
"product_reference": "pyenv-fish-completion-2.3.5-bp154.2.3.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "pyenv-zsh-completion-2.3.5-bp154.2.3.1.noarch as component of openSUSE Leap 15.4",
"product_id": "openSUSE Leap 15.4:pyenv-zsh-completion-2.3.5-bp154.2.3.1.noarch"
},
"product_reference": "pyenv-zsh-completion-2.3.5-bp154.2.3.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.4"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-35861",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-35861"
}
],
"notes": [
{
"category": "general",
"text": "pyenv 1.2.24 through 2.3.2 allows local users to gain privileges via a .python-version file in the current working directory. An attacker can craft a Python version string in .python-version to execute shims under their control. (Shims are executables that pass a command along to a specific version of pyenv. The version string is used to construct the path to the command, and there is no validation of whether the version specified is a valid version. Thus, relative path traversal can occur.)",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 15 SP4:pyenv-2.3.5-bp154.2.3.1.aarch64",
"SUSE Package Hub 15 SP4:pyenv-2.3.5-bp154.2.3.1.i586",
"SUSE Package Hub 15 SP4:pyenv-2.3.5-bp154.2.3.1.ppc64le",
"SUSE Package Hub 15 SP4:pyenv-2.3.5-bp154.2.3.1.s390x",
"SUSE Package Hub 15 SP4:pyenv-2.3.5-bp154.2.3.1.x86_64",
"SUSE Package Hub 15 SP4:pyenv-bash-completion-2.3.5-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:pyenv-fish-completion-2.3.5-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:pyenv-zsh-completion-2.3.5-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:pyenv-2.3.5-bp154.2.3.1.aarch64",
"openSUSE Leap 15.4:pyenv-2.3.5-bp154.2.3.1.i586",
"openSUSE Leap 15.4:pyenv-2.3.5-bp154.2.3.1.ppc64le",
"openSUSE Leap 15.4:pyenv-2.3.5-bp154.2.3.1.s390x",
"openSUSE Leap 15.4:pyenv-2.3.5-bp154.2.3.1.x86_64",
"openSUSE Leap 15.4:pyenv-bash-completion-2.3.5-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:pyenv-fish-completion-2.3.5-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:pyenv-zsh-completion-2.3.5-bp154.2.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-35861",
"url": "https://www.suse.com/security/cve/CVE-2022-35861"
},
{
"category": "external",
"summary": "SUSE Bug 1201582 for CVE-2022-35861",
"url": "https://bugzilla.suse.com/1201582"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 15 SP4:pyenv-2.3.5-bp154.2.3.1.aarch64",
"SUSE Package Hub 15 SP4:pyenv-2.3.5-bp154.2.3.1.i586",
"SUSE Package Hub 15 SP4:pyenv-2.3.5-bp154.2.3.1.ppc64le",
"SUSE Package Hub 15 SP4:pyenv-2.3.5-bp154.2.3.1.s390x",
"SUSE Package Hub 15 SP4:pyenv-2.3.5-bp154.2.3.1.x86_64",
"SUSE Package Hub 15 SP4:pyenv-bash-completion-2.3.5-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:pyenv-fish-completion-2.3.5-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:pyenv-zsh-completion-2.3.5-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:pyenv-2.3.5-bp154.2.3.1.aarch64",
"openSUSE Leap 15.4:pyenv-2.3.5-bp154.2.3.1.i586",
"openSUSE Leap 15.4:pyenv-2.3.5-bp154.2.3.1.ppc64le",
"openSUSE Leap 15.4:pyenv-2.3.5-bp154.2.3.1.s390x",
"openSUSE Leap 15.4:pyenv-2.3.5-bp154.2.3.1.x86_64",
"openSUSE Leap 15.4:pyenv-bash-completion-2.3.5-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:pyenv-fish-completion-2.3.5-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:pyenv-zsh-completion-2.3.5-bp154.2.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Package Hub 15 SP4:pyenv-2.3.5-bp154.2.3.1.aarch64",
"SUSE Package Hub 15 SP4:pyenv-2.3.5-bp154.2.3.1.i586",
"SUSE Package Hub 15 SP4:pyenv-2.3.5-bp154.2.3.1.ppc64le",
"SUSE Package Hub 15 SP4:pyenv-2.3.5-bp154.2.3.1.s390x",
"SUSE Package Hub 15 SP4:pyenv-2.3.5-bp154.2.3.1.x86_64",
"SUSE Package Hub 15 SP4:pyenv-bash-completion-2.3.5-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:pyenv-fish-completion-2.3.5-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:pyenv-zsh-completion-2.3.5-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:pyenv-2.3.5-bp154.2.3.1.aarch64",
"openSUSE Leap 15.4:pyenv-2.3.5-bp154.2.3.1.i586",
"openSUSE Leap 15.4:pyenv-2.3.5-bp154.2.3.1.ppc64le",
"openSUSE Leap 15.4:pyenv-2.3.5-bp154.2.3.1.s390x",
"openSUSE Leap 15.4:pyenv-2.3.5-bp154.2.3.1.x86_64",
"openSUSE Leap 15.4:pyenv-bash-completion-2.3.5-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:pyenv-fish-completion-2.3.5-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:pyenv-zsh-completion-2.3.5-bp154.2.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2022-10-31T17:01:33Z",
"details": "important"
}
],
"title": "CVE-2022-35861"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…