Detections
Analytics

SUSE SLED15 / SLES15 / openSUSE 15 Security Update : python-arcomplete, python-Fabric, python-PyGithub, python-antlr4-python3-runtime, python-avro, python-chardet, python-distro, python-docker, python-fakeredis, python-fixedint, python-httplib2, python-httpretty, python-javaproperties, python-jsondiff, python-knack, python-marshmallow, python-opencensus, python-opencensus-context, python-opencensus-ext-threading, python-opentelemetry-api, python-opentelemetry-sdk, python-opentelemetry-semantic-conventions, python-opentelemetry-test-utils, python-pycomposefile, python-pydash, python-redis, python-retrying, python-semver, python-sshtunnel, python-strictyaml, python-sure, python-vcrpy, python-xmltodict (SUSE-SU-2024:1639-1)

medium Nessus Plugin ID 197047

Language:

Synopsis

The remote SUSE host is missing one or more security updates.

Description

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:1639-1 advisory.

 - redis-py before 4.5.3 leaves a connection open after canceling an async Redis command at an inopportune time, and can send response data to the client of an unrelated request in an off-by-one manner. NOTE: this CVE Record was initially created in response to reports about ChatGPT, and 4.3.6, 4.4.3, and 4.5.3 were released (changing the behavior for pipeline operations); however, please see CVE-2023-28859 about addressing data leakage across AsyncIO connections in general. (CVE-2023-28858)

 - redis-py before 4.4.4 and 4.5.x before 4.5.4 leaves a connection open after canceling an async Redis command at an inopportune time, and can send response data to the client of an unrelated request. (This could, for example, happen for a non-pipeline operation.) NOTE: the solutions for CVE-2023-28859 address data leakage across AsyncIO connections in general. (CVE-2023-28859)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://bugzilla.suse.com/761162

https://bugzilla.suse.com/1209571

https://bugzilla.suse.com/1209811

https://bugzilla.suse.com/1209812

https://bugzilla.suse.com/1216606

https://bugzilla.suse.com/1222880

https://lists.suse.com/pipermail/sle-updates/2024-May/035268.html

https://www.suse.com/security/cve/CVE-2023-28858

https://www.suse.com/security/cve/CVE-2023-28859

Plugin Details

Severity: Medium

ID: 197047

File Name: suse_SU-2024-1639-1.nasl

Version: 1.0

Type: local

Agent: unix

Published: 5/15/2024

Updated: 5/15/2024

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:N/A:N

CVSS Score Source: CVE-2023-28859

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.9

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:python311-constantly, p-cpe:/a:novell:suse_linux:python311-asgiref, p-cpe:/a:novell:suse_linux:python311-decorator, p-cpe:/a:novell:suse_linux:python311-multidict, p-cpe:/a:novell:suse_linux:python311-redis, p-cpe:/a:novell:suse_linux:python311-twisted-contextvars, p-cpe:/a:novell:suse_linux:python311-opencensus-context, p-cpe:/a:novell:suse_linux:python311-aiohttp, p-cpe:/a:novell:suse_linux:python311-portalocker, p-cpe:/a:novell:suse_linux:python311-lexicon, p-cpe:/a:novell:suse_linux:python311-zipp, p-cpe:/a:novell:suse_linux:python311-opencensus-ext-threading, p-cpe:/a:novell:suse_linux:python311-opentelemetry-semantic-conventions, p-cpe:/a:novell:suse_linux:python311-docker, p-cpe:/a:novell:suse_linux:python311-pyparsing, p-cpe:/a:novell:suse_linux:python311-jsondiff, p-cpe:/a:novell:suse_linux:python311-pyjwt, p-cpe:/a:novell:suse_linux:python311-invoke, p-cpe:/a:novell:suse_linux:python311-twisted-conch, p-cpe:/a:novell:suse_linux:python311-strictyaml, p-cpe:/a:novell:suse_linux:python311-zope.interface, p-cpe:/a:novell:suse_linux:python311-chardet, p-cpe:/a:novell:suse_linux:python311-paramiko, p-cpe:/a:novell:suse_linux:python311-twisted-conch_nacl, p-cpe:/a:novell:suse_linux:python311-pygithub, p-cpe:/a:novell:suse_linux:python311-twisted-all_non_platform, p-cpe:/a:novell:suse_linux:python311-distro, p-cpe:/a:novell:suse_linux:python311-pygments, p-cpe:/a:novell:suse_linux:python311-pkginfo, p-cpe:/a:novell:suse_linux:python311-requests-oauthlib, p-cpe:/a:novell:suse_linux:python311-psutil, p-cpe:/a:novell:suse_linux:python311-aiosignal, p-cpe:/a:novell:suse_linux:python311-wheel, p-cpe:/a:novell:suse_linux:python311-service_identity, p-cpe:/a:novell:suse_linux:python311-fixedint, p-cpe:/a:novell:suse_linux:python311-semver, p-cpe:/a:novell:suse_linux:python311-sortedcontainers, p-cpe:/a:novell:suse_linux:python311-importlib-metadata, p-cpe:/a:novell:suse_linux:python311-twisted-tls, p-cpe:/a:novell:suse_linux:python311-pip, p-cpe:/a:novell:suse_linux:python311-hyperlink, p-cpe:/a:novell:suse_linux:python311-opentelemetry-api, p-cpe:/a:novell:suse_linux:python311-httpretty, p-cpe:/a:novell:suse_linux:python311-tqdm, p-cpe:/a:novell:suse_linux:python311-opencensus, p-cpe:/a:novell:suse_linux:python311-twisted-serial, p-cpe:/a:novell:suse_linux:python311-websocket-client, p-cpe:/a:novell:suse_linux:python311-pycomposefile, p-cpe:/a:novell:suse_linux:python311-httplib2, p-cpe:/a:novell:suse_linux:python311-blinker, p-cpe:/a:novell:suse_linux:python311-pathspec, p-cpe:/a:novell:suse_linux:python311-yarl, cpe:/o:novell:suse_linux:15, p-cpe:/a:novell:suse_linux:python311-twisted-http2, p-cpe:/a:novell:suse_linux:python-paramiko-doc, p-cpe:/a:novell:suse_linux:python311-opentelemetry-sdk, p-cpe:/a:novell:suse_linux:python311-scp, p-cpe:/a:novell:suse_linux:python311-fabric, p-cpe:/a:novell:suse_linux:python311-pydash, p-cpe:/a:novell:suse_linux:python311-async_timeout, p-cpe:/a:novell:suse_linux:python311-automat, p-cpe:/a:novell:suse_linux:python311-marshmallow, p-cpe:/a:novell:suse_linux:python311-incremental, p-cpe:/a:novell:suse_linux:python311-sure, p-cpe:/a:novell:suse_linux:python311-oauthlib, p-cpe:/a:novell:suse_linux:python311-humanfriendly, p-cpe:/a:novell:suse_linux:python311-retrying, p-cpe:/a:novell:suse_linux:python311-javaproperties, p-cpe:/a:novell:suse_linux:python311-sshtunnel, p-cpe:/a:novell:suse_linux:python-tqdm-bash-completion, p-cpe:/a:novell:suse_linux:python311-frozenlist, p-cpe:/a:novell:suse_linux:python311-tabulate, p-cpe:/a:novell:suse_linux:python311-vcrpy, p-cpe:/a:novell:suse_linux:python311-wrapt, p-cpe:/a:novell:suse_linux:python311-fakeredis, p-cpe:/a:novell:suse_linux:python311-avro, p-cpe:/a:novell:suse_linux:python311-fluidity-sm, p-cpe:/a:novell:suse_linux:python311-antlr4-python3-runtime, p-cpe:/a:novell:suse_linux:python311-isodate, p-cpe:/a:novell:suse_linux:python311-deprecated, p-cpe:/a:novell:suse_linux:python311-argcomplete, p-cpe:/a:novell:suse_linux:python311-twisted, p-cpe:/a:novell:suse_linux:python311-knack, p-cpe:/a:novell:suse_linux:python311-typing_extensions, p-cpe:/a:novell:suse_linux:python311-xmltodict, p-cpe:/a:novell:suse_linux:python311-opentelemetry-test-utils

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/14/2024

Vulnerability Publication Date: 3/26/2023

Reference Information

CVE: CVE-2023-28858, CVE-2023-28859

SuSE: SUSE-SU-2024:1639-1