SUSE-RU-2018:4074-1
Vulnerability from csaf_suse - Published: 2018-12-11 20:46 - Updated: 2018-12-11 20:46
Summary
Recommended update for aws-cli, python-boto3, python-botocore, python-s3transfer
Notes
Title of the patch
Recommended update for aws-cli, python-boto3, python-botocore, python-s3transfer
Description of the patch
This update for aws-cli, python-boto3, python-botocore, python-s3transfer fixes the following issues:
aws-cli:
- Update to version 1.16.61. (bsc#1088310)
  + For detailed changes see
    https://github.com/aws/aws-cli/blob/1.16.1/CHANGELOG.rst
- Update to version 1.16.1 (bsc#1105988, bsc#1092493)
  + CVE-2018-15869: An Amazon Web Services (AWS) developer who does not specify the --owners flag when describing images via AWS CLI, and therefore not properly validating source software per AWS recommended security best practices, might have unintentionally loaded an undesired and potentially malicious Amazon Machine Image (AMI) from the uncurated public community AMI catalog.
- Disable vendored versions of requests and six from botocore and use requests and six
  from the RPM packages.
python-botocore:
- Update to version 1.10.40
  + For detailed changes, please refer to the changelog.
  + Remove the broken attempt to avoid using the bundled
    requests module provided by the source (bsc#1088310)
python-boto3:
- Version update to 1.9.57 (bsc#1118021, bsc#1118027)
  + For detailed changes, please refer to the changelog.
python-s3transfer:
- Update to version 0.1.13
- Make sure to really not use any bundles.
- enhancement:max_bandwidth: Add ability to set maximum bandwidth consumption for streaming of S3 uploads and downloads.
Patchnames
SUSE-SLE-Module-Basesystem-15-2018-2898,SUSE-SLE-Module-Development-Tools-OBS-15-2018-2898,SUSE-SLE-Module-Packagehub-Subpackages-15-2018-2898,SUSE-SLE-Module-Public-Cloud-15-2018-2898
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Recommended update for aws-cli, python-boto3, python-botocore, python-s3transfer",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for aws-cli, python-boto3, python-botocore, python-s3transfer fixes the following issues:\n\naws-cli:\n\n\n- Update to version 1.16.61. (bsc#1088310)\n + For detailed changes see\n https://github.com/aws/aws-cli/blob/1.16.1/CHANGELOG.rst\n- Update to version 1.16.1 (bsc#1105988, bsc#1092493)\n + CVE-2018-15869: An Amazon Web Services (AWS) developer who does not specify the --owners flag when describing images via AWS CLI, and therefore not properly validating source software per AWS recommended security best practices, might have unintentionally loaded an undesired and potentially malicious Amazon Machine Image (AMI) from the uncurated public community AMI catalog.\n- Disable vendored versions of requests and six from botocore and use requests and six\n from the RPM packages.\n\npython-botocore:\n\n- Update to version 1.10.40\n + For detailed changes, please refer to the changelog.\n + Remove the broken attempt to avoid using the bundeled\n requests module provided by the source (bsc#1088310)\n\npython-boto3:\n\n- Version update to 1.9.57 (bsc#1118021, bsc#1118027)\n + For detailed changes, please refer to the changelog.\n\npython-s3transfer:\n\n- Update to version 0.1.13\n- Make sure to really not use any bundles.\n- enhancement:max_bandwidth: Add ability to set maximum bandwidth consumption for streaming of S3 uploads and downloads.\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-SLE-Module-Basesystem-15-2018-2898,SUSE-SLE-Module-Development-Tools-OBS-15-2018-2898,SUSE-SLE-Module-Packagehub-Subpackages-15-2018-2898,SUSE-SLE-Module-Public-Cloud-15-2018-2898",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-ru-2018_4074-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-RU-2018:4074-1",
"url": "https://www.suse.com/support/update/announcement//suse-ru-20184074-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-RU-2018:4074-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2018-December/010271.html"
},
{
"category": "self",
"summary": "SUSE Bug 1088310",
"url": "https://bugzilla.suse.com/1088310"
},
{
"category": "self",
"summary": "SUSE Bug 1092493",
"url": "https://bugzilla.suse.com/1092493"
},
{
"category": "self",
"summary": "SUSE Bug 1098125",
"url": "https://bugzilla.suse.com/1098125"
},
{
"category": "self",
"summary": "SUSE Bug 1105988",
"url": "https://bugzilla.suse.com/1105988"
},
{
"category": "self",
"summary": "SUSE Bug 1118021",
"url": "https://bugzilla.suse.com/1118021"
},
{
"category": "self",
"summary": "SUSE Bug 1118027",
"url": "https://bugzilla.suse.com/1118027"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-15869 page",
"url": "https://www.suse.com/security/cve/CVE-2018-15869/"
}
],
"title": "Recommended update for aws-cli, python-boto3, python-botocore, python-s3transfer",
"tracking": {
"current_release_date": "2018-12-11T20:46:06Z",
"generator": {
"date": "2018-12-11T20:46:06Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-RU-2018:4074-1",
"initial_release_date": "2018-12-11T20:46:06Z",
"revision_history": [
{
"date": "2018-12-11T20:46:06Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "python3-boto3-1.9.57-3.5.1.noarch",
"product": {
"name": "python3-boto3-1.9.57-3.5.1.noarch",
"product_id": "python3-boto3-1.9.57-3.5.1.noarch"
}
},
{
"category": "product_version",
"name": "python3-botocore-1.12.57-3.5.1.noarch",
"product": {
"name": "python3-botocore-1.12.57-3.5.1.noarch",
"product_id": "python3-botocore-1.12.57-3.5.1.noarch"
}
},
{
"category": "product_version",
"name": "python3-s3transfer-0.1.13-3.3.6.noarch",
"product": {
"name": "python3-s3transfer-0.1.13-3.3.6.noarch",
"product_id": "python3-s3transfer-0.1.13-3.3.6.noarch"
}
},
{
"category": "product_version",
"name": "python2-boto3-1.9.57-3.5.1.noarch",
"product": {
"name": "python2-boto3-1.9.57-3.5.1.noarch",
"product_id": "python2-boto3-1.9.57-3.5.1.noarch"
}
},
{
"category": "product_version",
"name": "python2-botocore-1.12.57-3.5.1.noarch",
"product": {
"name": "python2-botocore-1.12.57-3.5.1.noarch",
"product_id": "python2-botocore-1.12.57-3.5.1.noarch"
}
},
{
"category": "product_version",
"name": "python2-s3transfer-0.1.13-3.3.6.noarch",
"product": {
"name": "python2-s3transfer-0.1.13-3.3.6.noarch",
"product_id": "python2-s3transfer-0.1.13-3.3.6.noarch"
}
},
{
"category": "product_version",
"name": "aws-cli-1.16.61-4.7.1.noarch",
"product": {
"name": "aws-cli-1.16.61-4.7.1.noarch",
"product_id": "aws-cli-1.16.61-4.7.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Module for Basesystem 15",
"product": {
"name": "SUSE Linux Enterprise Module for Basesystem 15",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-basesystem:15"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Module for Package Hub 15",
"product": {
"name": "SUSE Linux Enterprise Module for Package Hub 15",
"product_id": "SUSE Linux Enterprise Module for Package Hub 15",
"product_identification_helper": {
"cpe": "cpe:/o:suse:packagehub:15"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Module for Public Cloud 15",
"product": {
"name": "SUSE Linux Enterprise Module for Public Cloud 15",
"product_id": "SUSE Linux Enterprise Module for Public Cloud 15",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-public-cloud:15"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-boto3-1.9.57-3.5.1.noarch as component of SUSE Linux Enterprise Module for Basesystem 15",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15:python3-boto3-1.9.57-3.5.1.noarch"
},
"product_reference": "python3-boto3-1.9.57-3.5.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-botocore-1.12.57-3.5.1.noarch as component of SUSE Linux Enterprise Module for Basesystem 15",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15:python3-botocore-1.12.57-3.5.1.noarch"
},
"product_reference": "python3-botocore-1.12.57-3.5.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-s3transfer-0.1.13-3.3.6.noarch as component of SUSE Linux Enterprise Module for Basesystem 15",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15:python3-s3transfer-0.1.13-3.3.6.noarch"
},
"product_reference": "python3-s3transfer-0.1.13-3.3.6.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python2-boto3-1.9.57-3.5.1.noarch as component of SUSE Linux Enterprise Module for Package Hub 15",
"product_id": "SUSE Linux Enterprise Module for Package Hub 15:python2-boto3-1.9.57-3.5.1.noarch"
},
"product_reference": "python2-boto3-1.9.57-3.5.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Package Hub 15"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python2-botocore-1.12.57-3.5.1.noarch as component of SUSE Linux Enterprise Module for Package Hub 15",
"product_id": "SUSE Linux Enterprise Module for Package Hub 15:python2-botocore-1.12.57-3.5.1.noarch"
},
"product_reference": "python2-botocore-1.12.57-3.5.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Package Hub 15"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python2-s3transfer-0.1.13-3.3.6.noarch as component of SUSE Linux Enterprise Module for Package Hub 15",
"product_id": "SUSE Linux Enterprise Module for Package Hub 15:python2-s3transfer-0.1.13-3.3.6.noarch"
},
"product_reference": "python2-s3transfer-0.1.13-3.3.6.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Package Hub 15"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "aws-cli-1.16.61-4.7.1.noarch as component of SUSE Linux Enterprise Module for Public Cloud 15",
"product_id": "SUSE Linux Enterprise Module for Public Cloud 15:aws-cli-1.16.61-4.7.1.noarch"
},
"product_reference": "aws-cli-1.16.61-4.7.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Public Cloud 15"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2018-15869",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-15869"
}
],
"notes": [
{
"category": "general",
"text": "An Amazon Web Services (AWS) developer who does not specify the --owners flag when describing images via AWS CLI, and therefore not properly validating source software per AWS recommended security best practices, may unintentionally load an undesired and potentially malicious Amazon Machine Image (AMI) from the uncurated public community AMI catalog.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Basesystem 15:python3-boto3-1.9.57-3.5.1.noarch",
"SUSE Linux Enterprise Module for Basesystem 15:python3-botocore-1.12.57-3.5.1.noarch",
"SUSE Linux Enterprise Module for Basesystem 15:python3-s3transfer-0.1.13-3.3.6.noarch",
"SUSE Linux Enterprise Module for Package Hub 15:python2-boto3-1.9.57-3.5.1.noarch",
"SUSE Linux Enterprise Module for Package Hub 15:python2-botocore-1.12.57-3.5.1.noarch",
"SUSE Linux Enterprise Module for Package Hub 15:python2-s3transfer-0.1.13-3.3.6.noarch",
"SUSE Linux Enterprise Module for Public Cloud 15:aws-cli-1.16.61-4.7.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-15869",
"url": "https://www.suse.com/security/cve/CVE-2018-15869"
},
{
"category": "external",
"summary": "SUSE Bug 1105988 for CVE-2018-15869",
"url": "https://bugzilla.suse.com/1105988"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Basesystem 15:python3-boto3-1.9.57-3.5.1.noarch",
"SUSE Linux Enterprise Module for Basesystem 15:python3-botocore-1.12.57-3.5.1.noarch",
"SUSE Linux Enterprise Module for Basesystem 15:python3-s3transfer-0.1.13-3.3.6.noarch",
"SUSE Linux Enterprise Module for Package Hub 15:python2-boto3-1.9.57-3.5.1.noarch",
"SUSE Linux Enterprise Module for Package Hub 15:python2-botocore-1.12.57-3.5.1.noarch",
"SUSE Linux Enterprise Module for Package Hub 15:python2-s3transfer-0.1.13-3.3.6.noarch",
"SUSE Linux Enterprise Module for Public Cloud 15:aws-cli-1.16.61-4.7.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.6,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"SUSE Linux Enterprise Module for Basesystem 15:python3-boto3-1.9.57-3.5.1.noarch",
"SUSE Linux Enterprise Module for Basesystem 15:python3-botocore-1.12.57-3.5.1.noarch",
"SUSE Linux Enterprise Module for Basesystem 15:python3-s3transfer-0.1.13-3.3.6.noarch",
"SUSE Linux Enterprise Module for Package Hub 15:python2-boto3-1.9.57-3.5.1.noarch",
"SUSE Linux Enterprise Module for Package Hub 15:python2-botocore-1.12.57-3.5.1.noarch",
"SUSE Linux Enterprise Module for Package Hub 15:python2-s3transfer-0.1.13-3.3.6.noarch",
"SUSE Linux Enterprise Module for Public Cloud 15:aws-cli-1.16.61-4.7.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2018-12-11T20:46:06Z",
"details": "important"
}
],
"title": "CVE-2018-15869"
}
]
}