{"document":{"aggregate_severity":{"namespace":"https://www.suse.com/support/security/rating/","text":"moderate"},"category":"csaf_security_advisory","csaf_version":"2.0","distribution":{"text":"Copyright 2024 SUSE LLC. All rights reserved.","tlp":{"label":"WHITE","url":"https://www.first.org/tlp/"}},"lang":"en","notes":[{"category":"summary","text":"Security update for python-nltk","title":"Title of the patch"},{"category":"description","text":"This update for python-nltk fixes the following issues:\n\nUpdate to 3.7\n\n  - Improve and update the NLTK team page on nltk.org (#2855,\n    #2941)\n  - Drop support for Python 3.6, support Python 3.10 (#2920)\n\n- Update to 3.6.7\n\n  - Resolve IndexError in `sent_tokenize` and `word_tokenize`\n    (#2922)\n\n- Update to 3.6.6\n\n  - Refactor `gensim.doctest` to work for gensim 4.0.0 and up\n    (#2914)\n  - Add Precision, Recall, F-measure, Confusion Matrix to Taggers\n    (#2862)\n  - Added warnings if .zip files exist without any corresponding\n    .csv files. (#2908)\n  - Fix `FileNotFoundError` when the `download_dir` is\n    a non-existing nested folder (#2910)\n  - Rename omw to omw-1.4 (#2907)\n  - Resolve ReDoS opportunity by fixing incorrectly specified\n    regex (#2906, boo#1191030, CVE-2021-3828).\n  - Support OMW 1.4 (#2899)\n  - Deprecate Tree get and set node methods (#2900)\n  - Fix broken inaugural test case (#2903)\n  - Use Multilingual Wordnet Data from OMW with newer Wordnet\n    versions (#2889)\n  - Keep NLTKs 'tokenize' module working with pathlib (#2896)\n  - Make prettyprinter to be more readable (#2893)\n  - Update links to the nltk book (#2895)\n  - Add `CITATION.cff` to nltk (#2880)\n  - Resolve serious ReDoS in PunktSentenceTokenizer (#2869)\n  - Delete old CI config files (#2881)\n  - Improve Tokenize documentation + add TokenizerI as superclass\n    for TweetTokenizer (#2878)\n  - Fix expected value for BLEU score doctest after changes from\n    #2572\n  - Add multi Bleu functionality and tests (#2793)\n  - Deprecate 'return_str' parameter in NLTKWordTokenizer and\n    TreebankWordTokenizer (#2883)\n  - Allow empty string in CFG's + more (#2888)\n  - Partition `tree.py` module into `tree` package + pickle fix\n    (#2863)\n  - Fix several TreebankWordTokenizer and NLTKWordTokenizer bugs\n    (#2877)\n  - Rewind Wordnet data file after each lookup (#2868)\n  - Correct __init__ call for SyntaxCorpusReader subclasses\n    (#2872)\n  - Documentation fixes (#2873)\n  - Fix levenstein distance for duplicated letters (#2849)\n  - Support alternative Wordnet versions (#2860)\n  - Remove hundreds of formatting warnings for nltk.org (#2859)\n  - Modernize `nltk.org/howto` pages (#2856)\n  - Fix Bleu Score smoothing function from taking log(0) (#2839)\n  - Update third party tools to newer versions and removing\n    MaltParser fixed version (#2832)\n  - Fix TypeError: _pretty() takes 1 positional argument but 2\n    were given in sem/drt.py (#2854)\n  - Replace `http` with `https` in most URLs (#2852)\n\n- Update to 3.6.5\n\n  - modernised nltk.org website\n  - addressed LGTM.com issues\n  - support ZWJ sequences emoji and skin tone modifer emoji in\n    TweetTokenizer\n  - METEOR evaluation now requires pre-tokenized input\n  - Code linting and type hinting\n  - implement get_refs function for DrtLambdaExpression\n  - Enable automated CoreNLP, Senna, Prover9/Mace4, Megam,\n    MaltParser CI tests\n  - specify minimum regex version that supports regex.Pattern\n  - avoid re.Pattern and regex.Pattern which fail for Python 3.6,\n    3.7\n\n- Update to 3.6.4\n\n  - deprecate `nltk.usage(obj)` in favor of `help(obj)`\n  - resolve ReDoS vulnerability in Corpus Reader\n  - solidify performance tests\n  - improve phone number recognition in tweet tokenizer\n  - refactored CISTEM stemmer for German\n  - identify NLTK Team as the author\n  - replace travis badge with github actions badge\n  - add SECURITY.md\n\n- Update to 3.6.3\n\n  - Dropped support for Python 3.5\n  - Run CI tests on Windows, too\n  - Moved from Travis CI to GitHub Actions\n  - Code and comment cleanups\n  - Visualize WordNet relation graphs using Graphviz\n  - Fixed large error in METEOR score\n  - Apply isort, pyupgrade, black, added as pre-commit hooks\n  - Prevent debug_decisions in Punkt from throwing IndexError\n  - Resolved ZeroDivisionError in RIBES with dissimilar sentences\n  - Initialize WordNet IC total counts with smoothing value\n  - Fixed AttributeError for Arabic ARLSTem2 stemmer\n  - Many fixes and improvements to lm language model package\n  - Fix bug in nltk.metrics.aline, C_skip = -10\n  - Improvements to TweetTokenizer\n  - Optional show arg for FreqDist.plot, ConditionalFreqDist.plot\n  - edit_distance now computes Damerau-Levenshtein edit-distance\n\n- Update to 3.6.2\n\n  - move test code to nltk/test\n  - fix bug in NgramAssocMeasures (order preserving fix)\n\n- Update to 3.6\n\n  - add support for Python 3.9\n  - add Tree.fromlist\n  - compute Minimum Spanning Tree of unweighted graph using BFS\n  - fix bug with infinite loop in Wordnet closure and tree\n  - fix bug in calculating BLEU using smoothing method 4\n  - Wordnet synset similarities work for all pos\n  - new Arabic light stemmer (ARLSTem2)\n  - new syllable tokenizer (LegalitySyllableTokenizer)\n  - remove nose in favor of pytest\n\n- Update to v3.5\n\n  * add support for Python 3.8\n  * drop support for Python 2\n  * create NLTK's own Tokenizer class distinct from the Treebank\n    reference tokeniser\n  * update Vader sentiment analyser\n  * fix JSON serialization of some PoS taggers\n  * minor improvements in grammar.CFG, Vader, pl196x corpus reader,\n    StringTokenizer\n  * change implementation <= and >= for FreqDist so they are partial\n    orders\n  * make FreqDist iterable\n  * correctly handle Penn Treebank trees with a unlabeled branching\n    top node\n\n- Update to 3.4.5 (boo#1146427, CVE-2019-14751):","title":"Description of the patch"},{"category":"details","text":"openSUSE-2022-10040","title":"Patchnames"},{"category":"legal_disclaimer","text":"CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).","title":"Terms of use"}],"publisher":{"category":"vendor","contact_details":"https://www.suse.com/support/security/contact/","name":"SUSE Product Security Team","namespace":"https://www.suse.com/"},"references":[{"category":"external","summary":"SUSE ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"self","summary":"URL of this CSAF notice","url":"https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2022_10040-1.json"},{"category":"self","summary":"URL for openSUSE-SU-2022:10040-1","url":"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6ZUSFUYB3S2F4VLUQBWFBYRLCIHMR43P/"},{"category":"self","summary":"E-Mail link for openSUSE-SU-2022:10040-1","url":"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6ZUSFUYB3S2F4VLUQBWFBYRLCIHMR43P/"},{"category":"self","summary":"SUSE Bug 1146427","url":"https://bugzilla.suse.com/1146427"},{"category":"self","summary":"SUSE Bug 1191030","url":"https://bugzilla.suse.com/1191030"},{"category":"self","summary":"SUSE CVE CVE-2019-14751 page","url":"https://www.suse.com/security/cve/CVE-2019-14751/"},{"category":"self","summary":"SUSE CVE CVE-2021-3828 page","url":"https://www.suse.com/security/cve/CVE-2021-3828/"}],"title":"Security update for python-nltk","tracking":{"current_release_date":"2022-07-03T14:01:14Z","generator":{"date":"2022-07-03T14:01:14Z","engine":{"name":"cve-database.git:bin/generate-csaf.pl","version":"1"}},"id":"openSUSE-SU-2022:10040-1","initial_release_date":"2022-07-03T14:01:14Z","revision_history":[{"date":"2022-07-03T14:01:14Z","number":"1","summary":"Current version"}],"status":"final","version":"1"}},"product_tree":{"branches":[{"branches":[{"branches":[{"category":"product_version","name":"python3-nltk-3.7-bp152.3.3.1.noarch","product":{"name":"python3-nltk-3.7-bp152.3.3.1.noarch","product_id":"python3-nltk-3.7-bp152.3.3.1.noarch"}}],"category":"architecture","name":"noarch"},{"branches":[{"category":"product_name","name":"SUSE Package Hub 15 SP2","product":{"name":"SUSE Package Hub 15 SP2","product_id":"SUSE Package Hub 15 SP2"}}],"category":"product_family","name":"SUSE Linux Enterprise"}],"category":"vendor","name":"SUSE"}],"relationships":[{"category":"default_component_of","full_product_name":{"name":"python3-nltk-3.7-bp152.3.3.1.noarch as component of SUSE Package Hub 15 SP2","product_id":"SUSE Package Hub 15 SP2:python3-nltk-3.7-bp152.3.3.1.noarch"},"product_reference":"python3-nltk-3.7-bp152.3.3.1.noarch","relates_to_product_reference":"SUSE Package Hub 15 SP2"}]},"vulnerabilities":[{"cve":"CVE-2019-14751","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2019-14751"}],"notes":[{"category":"general","text":"NLTK Downloader before 3.4.5 is vulnerable to a directory traversal, allowing attackers to write arbitrary files via a ../ (dot dot slash) in an NLTK package (ZIP archive) that is mishandled during extraction.","title":"CVE description"}],"product_status":{"recommended":["SUSE Package Hub 15 SP2:python3-nltk-3.7-bp152.3.3.1.noarch"]},"references":[{"category":"external","summary":"CVE-2019-14751","url":"https://www.suse.com/security/cve/CVE-2019-14751"},{"category":"external","summary":"SUSE Bug 1146427 for CVE-2019-14751","url":"https://bugzilla.suse.com/1146427"}],"remediations":[{"category":"vendor_fix","details":"To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n","product_ids":["SUSE Package Hub 15 SP2:python3-nltk-3.7-bp152.3.3.1.noarch"]}],"scores":[{"cvss_v3":{"baseScore":7.5,"baseSeverity":"HIGH","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","version":"3.0"},"products":["SUSE Package Hub 15 SP2:python3-nltk-3.7-bp152.3.3.1.noarch"]}],"threats":[{"category":"impact","date":"2022-07-03T14:01:14Z","details":"important"}],"title":"CVE-2019-14751"},{"cve":"CVE-2021-3828","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2021-3828"}],"notes":[{"category":"general","text":"nltk is vulnerable to Inefficient Regular Expression Complexity","title":"CVE description"}],"product_status":{"recommended":["SUSE Package Hub 15 SP2:python3-nltk-3.7-bp152.3.3.1.noarch"]},"references":[{"category":"external","summary":"CVE-2021-3828","url":"https://www.suse.com/security/cve/CVE-2021-3828"},{"category":"external","summary":"SUSE Bug 1191030 for CVE-2021-3828","url":"https://bugzilla.suse.com/1191030"}],"remediations":[{"category":"vendor_fix","details":"To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n","product_ids":["SUSE Package Hub 15 SP2:python3-nltk-3.7-bp152.3.3.1.noarch"]}],"scores":[{"cvss_v3":{"baseScore":7.5,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"products":["SUSE Package Hub 15 SP2:python3-nltk-3.7-bp152.3.3.1.noarch"]}],"threats":[{"category":"impact","date":"2022-07-03T14:01:14Z","details":"important"}],"title":"CVE-2021-3828"}]}