| Summary: | python3 yet another ssl.match_hostname() security issue (CVE-2013-7440) | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | davidwhodgins, makowski.mageia, sysadmin-bugs, tmb, wilcal.int |
| Version: | 3 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | i586 | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/575047/ | | |
| Whiteboard: | advisory has_procedure mga3-32-ok mga3-64-ok | | |
| Source RPM: | python3-3.3.2-11.mga4.src.rpm | CVE: | |
| Status comment: | | | |
| Bug Depends on: | | | |
| Bug Blocks: | 10758, 11283 | | |
|
Description
David Walser
2013-11-26 19:59:10 CET

David Walser
2013-11-26 19:59:17 CET
Whiteboard: (none) => MGA3TOO

Oops, paste error. The patch is here:
http://pkgs.fedoraproject.org/cgit/python3.git/plain/00187-change-match_hostname-to-follow-RFC-6125.patch?id=54afb027bd0b97c24477a536e9b4dfb6fc45b61b
David Walser
2013-11-26 20:07:56 CET
Blocks: (none) => 11726

Suggested advisory:
========================

Updated python3 packages fix security vulnerabilities:

Changed behavior of ssl.match_hostname() to follow RFC 6125 (mga#11785).

References:
https://bugs.mageia.org/show_bug.cgi?id=11785
http://bugs.python.org/issue17997#msg194950

Updated packages in core/updates_testing:
========================
lib64python3-devel-3.3.0-4.5.mga3.x86_64
python3-3.3.0-4.5.mga3.x86_64
tkinter3-apps-3.3.0-4.5.mga3.x86_64
python3-debuginfo-3.3.0-4.5.mga3.i586
tkinter3-3.3.0-4.5.mga3.x86_64
tkinter3-3.3.0-4.5.mga3.i586
tkinter3-apps-3.3.0-4.5.mga3.i586
python3-debuginfo-3.3.0-4.5.mga3.x86_64
lib64python3.3-3.3.0-4.5.mga3.x86_64
libpython3-devel-3.3.0-4.5.mga3.i586
python3-3.3.0-4.5.mga3.i586
libpython3.3-3.3.0-4.5.mga3.i586
python3-docs-3.3.0-4.5.mga3.noarch

Source RPMs:
python3-3.3.0-4.5.mga3.src

Same in Cauldron with python3-3.3.2-13.mga4.src.rpm

Assignee: makowski.mageia => qa-bugs

Thanks Philippe!

We should add the Fedora advisory to the references too:
https://lists.fedoraproject.org/pipermail/package-announce/2013-November/122682.html

It looks like there may be some other packages affected, like python-setuptools:
https://bugzilla.redhat.com/show_bug.cgi?id=1023742

I wonder if there will be any others, like we had here before:
http://advisories.mageia.org/MGASA-2013-0252.html
http://advisories.mageia.org/MGASA-2013-0250.html

Whiteboard: MGA3TOO => (none)

Fedora is preparing an update for python-setuptools for this also. They patched 0.9.8 (same version we have in Mageia 3) here:
http://pkgs.fedoraproject.org/cgit/python-setuptools.git/commit/?h=f20&id=b920c69c80ac427d531a1ba340a37d3eff6dc1d5

I think that patch makes it use python-backports-ssl_match_hostname, which we don't currently have packaged for Mageia 3.

Based on this commit which updates to 1.3 (version we have in Cauldron), it looks like this issue was fixed upstream in 1.3:
http://pkgs.fedoraproject.org/cgit/python-setuptools.git/commit/?h=f20&id=c8db69c834b038228f74966ff73aaff18a43566b

python-backports-ssl_match_hostname is ok, it has the fix.

About python-setuptools:

Updated packages in core/updates_testing:
========================
python-pkg-resources-0.9.8-2.2.mga3.noarch
python-setuptools-0.9.8-2.2.mga3.noarch
python3-setuptools-0.9.8-2.2.mga3.noarch
python3-pkg-resources-0.9.8-2.2.mga3.noarch

Source RPMs:
python-setuptools-0.9.8-2.2.mga3.src

About python-virtualenv, it uses setuptools v0.9.8, so yes it could be a candidate, but it is a nightmare since it is bundling setuptools. I will see with Fedora people to work seriously on that (https://bugzilla.redhat.com/show_bug.cgi?id=749378).

Additional info about python-virtualenv: they changed the way they bundle setuptools and it's harder to remove, but it seems that a new version is coming soon that will update the bundled setuptools. If you don't mind, we can wait a little for updating python-virtualenv, or I have to patch the setuptools v0.9.8 they provide as a tar.gz :(

The possible list of others is (according to http://bugs.python.org/issue17997#msg195058):
python-urllib3 < 1.6, so in our case the mga3 version only
bzr
python-tornado
python-pip
and also python-requests < 1.2.3, so in our case only mga3, which has a very old version 0.13.5!

(In reply to Philippe Makowski from comment #6)
> if you don't mind, we can wait a little for updating python-virtualenv

That'll be fine. Thanks!
Updated packages in core/updates_testing:
========================
python-urllib3-1.7.1-1.1.mga3.noarch

Source RPMs:
python-urllib3-1.7.1-1.1.mga3.src

Am I reading correctly that the full list of srpms is
python3-3.3.0-4.5.mga3.src
python-setuptools-0.9.8-2.2.mga3.src
python-urllib3-1.7.1-1.1.mga3.src
Any others expected?

CC: (none) => davidwhodgins
Dave Hodgins
2013-11-30 14:15:51 CET
Blocks: (none) => 10758

Also python-tornado

Updated packages in core/updates_testing:
========================
python-tornado-doc-2.3-2.2.mga3.noarch
python-tornado-2.3-2.2.mga3.noarch

Source RPMs:
python-tornado-2.3-2.2.mga3.src

Done also in Cauldron with python-tornado-3.1-4.mga4

It looks like python-virtualenv and python-pip are also possibilities. What about python or python-requests or bzr?

(In reply to David Walser from comment #12)
> It looks like python-virtualenv and python-pip are also possibilities. What
> about python or python-requests or bzr?

will try to do
python-requests
bzr
python-pip
python-virtualenv

About python 2: according to http://bugs.python.org/issue17997#msg195058 it is not affected

Updated packages in core/updates_testing:
========================
python-requests-0.13.5-2.2.mga3.noarch
bzr-2.5.1-3.2.mga3.i586
bzr-2.5.1-3.2.mga3.x86_64
bzr-debuginfo-2.5.1-3.2.mga3.i586
bzr-debuginfo-2.5.1-3.2.mga3.x86_64
python3-pip-1.3.1-2.2.mga3.noarch
python-pip-1.3.1-2.2.mga3.noarch

Source RPMs:
python-requests-0.13.5-2.2.mga3.src
bzr-2.5.1-3.2.mga3.src
python-pip-1.3.1-2.2.mga3.src

In Cauldron (python-requests does not need to be patched):
bzr-2.6.0-4.mga4
python-pip-1.4.1-4.mga4

For python-virtualenv I suggest to delay it; I will try to solve it with the fix for mga#11283.

So for this bug I think we have enough to push and announce.

Thanks Philippe! Removing the feedback marker.

Whiteboard: feedback => (none)

Updated packages in core/updates_testing:
========================
python-virtualenv-1.10.1-1.2.mga3.noarch

Source RPMs:
python-virtualenv-1.10.1-1.2.mga3.src

This also fixes mga#11283

In Cauldron: python-virtualenv-1.10.1-6.mga4

So here is the full Suggested advisory:

Suggested advisory:
========================

Updated python3 packages fix security vulnerabilities:

Changed behavior of ssl.match_hostname() to follow RFC 6125 (mga#11785).

References:
https://bugs.mageia.org/show_bug.cgi?id=11785
http://bugs.python.org/issue17997#msg194950

Updated packages in core/updates_testing:
========================
lib64python3-devel-3.3.0-4.5.mga3.x86_64
python3-3.3.0-4.5.mga3.x86_64
tkinter3-apps-3.3.0-4.5.mga3.x86_64
python3-debuginfo-3.3.0-4.5.mga3.i586
tkinter3-3.3.0-4.5.mga3.x86_64
tkinter3-3.3.0-4.5.mga3.i586
tkinter3-apps-3.3.0-4.5.mga3.i586
python3-debuginfo-3.3.0-4.5.mga3.x86_64
lib64python3.3-3.3.0-4.5.mga3.x86_64
libpython3-devel-3.3.0-4.5.mga3.i586
python3-3.3.0-4.5.mga3.i586
libpython3.3-3.3.0-4.5.mga3.i586
python3-docs-3.3.0-4.5.mga3.noarch
python-virtualenv-1.10.1-1.2.mga3.noarch
python-requests-0.13.5-2.2.mga3.noarch
bzr-2.5.1-3.2.mga3.i586
bzr-2.5.1-3.2.mga3.x86_64
bzr-debuginfo-2.5.1-3.2.mga3.i586
bzr-debuginfo-2.5.1-3.2.mga3.x86_64
python3-pip-1.3.1-2.2.mga3.noarch
python-pip-1.3.1-2.2.mga3.noarch
python-tornado-doc-2.3-2.2.mga3.noarch
python-tornado-2.3-2.2.mga3.noarch
python-urllib3-1.7.1-1.1.mga3.noarch
python-pkg-resources-0.9.8-2.2.mga3.noarch
python-setuptools-0.9.8-2.2.mga3.noarch
python3-setuptools-0.9.8-2.2.mga3.noarch
python3-pkg-resources-0.9.8-2.2.mga3.noarch

Source RPMs:
python3-3.3.0-4.5.mga3.src
python-virtualenv-1.10.1-1.2.mga3.src
python-requests-0.13.5-2.2.mga3.src
bzr-2.5.1-3.2.mga3.src
python-pip-1.3.1-2.2.mga3.src
python-tornado-2.3-2.2.mga3.src
python-urllib3-1.7.1-1.1.mga3.src
python-setuptools-0.9.8-2.2.mga3.src

Please add the Fedora advisory to the References too:
https://lists.fedoraproject.org/pipermail/package-announce/2013-November/122682.html

The fedora advisory lists CVE-2013-4238, which is for an Input Validation vulnerability in Python. Is that included in this update?

Is there a CVE for the ssl.match_hostname fix?

(In reply to Dave Hodgins from comment #19)
> The fedora advisory lists CVE-2013-4238, which is for an Input Validation
> vulnerability in Python.

no, you see that in the change log, but it is not "listed"; it is an old story:
Fri Aug 23 2013 Matej Stuchlik <mstuchli@redhat.com> - 3.3.2-6

> Is that included in this update?

and we also have this fix published: http://advisories.mageia.org/MGASA-2013-0252.html

> Is there a CVE for the ssl.match_hostname fix?

I don't know

Here's the RedHat bug for this:
https://bugzilla.redhat.com/show_bug.cgi?id=1023742

There doesn't seem to be a CVE for it yet, and I haven't seen one requested on oss-sec.

Advisory 11785.adv committed to svn.

Whiteboard: (none) => advisory
Dave Hodgins
2013-12-05 18:23:40 CET
Blocks: (none) => 11283

David Walser
2013-12-05 18:44:40 CET
Blocks: 11726 => (none)

Most testing procedures here:
https://bugs.mageia.org/show_bug.cgi?id=10391#c13

Whiteboard: advisory => advisory has_procedure

python-urllib3 procedure: https://pypi.python.org/pypi/urllib3

```python
import urllib3
http = urllib3.PoolManager()
r = http.request('GET', 'http://google.com/')
print r.status, r.data
```

python-setuptools procedure: https://bugs.mageia.org/show_bug.cgi?id=11169#c12

i586:
bzr-2.5.1-3.2.mga3.i586
bzr-debuginfo-2.5.1-3.2.mga3.i586
libpython3.3-3.3.0-4.5.mga3.i586
libpython3-devel-3.3.0-4.5.mga3.i586
python3-3.3.0-4.5.mga3.i586
python3-debuginfo-3.3.0-4.5.mga3.i586
python3-docs-3.3.0-4.5.mga3.noarch
python3-pip-1.3.1-2.2.mga3.noarch
python3-pkg-resources-0.9.8-2.2.mga3.noarch
python3-setuptools-0.9.8-2.2.mga3.noarch
python-pip-1.3.1-2.2.mga3.noarch
python-pkg-resources-0.9.8-2.2.mga3.noarch
python-requests-0.13.5-2.2.mga3.noarch
python-setuptools-0.9.8-2.2.mga3.noarch
python-tornado-2.3-2.2.mga3.noarch
python-tornado-doc-2.3-2.2.mga3.noarch
python-urllib3-1.7.1-1.1.mga3.noarch
python-virtualenv-1.10.1-1.2.mga3.noarch
tkinter3-3.3.0-4.5.mga3.i586
tkinter3-apps-3.3.0-4.5.mga3.i586

x86_64:
bzr-2.5.1-3.2.mga3.x86_64
bzr-debuginfo-2.5.1-3.2.mga3.x86_64
lib64python3.3-3.3.0-4.5.mga3.x86_64
lib64python3-devel-3.3.0-4.5.mga3.x86_64
python3-3.3.0-4.5.mga3.x86_64
python3-debuginfo-3.3.0-4.5.mga3.x86_64
python3-docs-3.3.0-4.5.mga3.noarch
python3-pip-1.3.1-2.2.mga3.noarch
python3-pkg-resources-0.9.8-2.2.mga3.noarch
python3-setuptools-0.9.8-2.2.mga3.noarch
python-pip-1.3.1-2.2.mga3.noarch
python-pkg-resources-0.9.8-2.2.mga3.noarch
python-requests-0.13.5-2.2.mga3.noarch
python-setuptools-0.9.8-2.2.mga3.noarch
python-tornado-2.3-2.2.mga3.noarch
python-tornado-doc-2.3-2.2.mga3.noarch
python-urllib3-1.7.1-1.1.mga3.noarch
python-virtualenv-1.10.1-1.2.mga3.noarch
tkinter3-3.3.0-4.5.mga3.x86_64
tkinter3-apps-3.3.0-4.5.mga3.x86_64

Updated advisory uploaded with bug 11283 python-virtualenv added.

python-urllib3 doesn't seem to work well with google.com, it doesn't seem to handle the redirect to google.co.uk very well. Substitute mageia.org in the test script to work around.
Testing complete mga3 32

python3/tkinter/tkinter-apps
----------------------------

```
$ wget -O python3programs.py http://www.annedawson.net/Python3Programs.txt
$ idle3 python3programs.py
```

Choose Run Module in the Run menu, it'll run in the 2nd window. It ends in a loop which you have to kill with ctrl-c, but it's intentionally so and shows python3 working.

python-pip
----------

```
# pip install bubbles
Downloading/unpacking bubbles
Downloading bubbles-0.1.tar.gz (40kB): 40kB downloaded
Running setup.py egg_info for package bubbles
Installing collected packages: bubbles
Running setup.py install for bubbles
warning: build_py: byte-compiling is disabled, skipping.
warning: install_lib: byte-compiling is disabled, skipping.
Successfully installed bubbles
Cleaning up...
# pip uninstall bubbles
Uninstalling bubbles:
/usr/lib/python2.7/site-packages/bubbles-0.1-py2.7.egg-info
/usr/lib/python2.7/site-packages/bubbles/__init__.py
/usr/lib/python2.7/site-packages/bubbles/backends/__init__.py
/usr/lib/python2.7/site-packages/bubbles/backends/sql/__init__.py
/usr/lib/python2.7/site-packages/bubbles/backends/sql/objects.py
/usr/lib/python2.7/site-packages/bubbles/backends/sql/ops.py
/usr/lib/python2.7/site-packages/bubbles/backends/sql/utils.py
/usr/lib/python2.7/site-packages/bubbles/backends/text/__init__.py
/usr/lib/python2.7/site-packages/bubbles/backends/text/objects.py
/usr/lib/python2.7/site-packages/bubbles/common.py
/usr/lib/python2.7/site-packages/bubbles/core.py
/usr/lib/python2.7/site-packages/bubbles/datautil.py
/usr/lib/python2.7/site-packages/bubbles/doc.py
/usr/lib/python2.7/site-packages/bubbles/errors.py
/usr/lib/python2.7/site-packages/bubbles/extensions.py
/usr/lib/python2.7/site-packages/bubbles/iterator.py
/usr/lib/python2.7/site-packages/bubbles/metadata.py
/usr/lib/python2.7/site-packages/bubbles/objects.py
/usr/lib/python2.7/site-packages/bubbles/pipeline.py
/usr/lib/python2.7/site-packages/bubbles/stores.py
/usr/lib/python2.7/site-packages/bubbles/urlresource.py
Proceed (y/n)? y
Successfully uninstalled bubbles
```

python-setuptools
-----------------

```
# easy_install bubbles
Searching for bubbles
Reading https://pypi.python.org/simple/bubbles/
Best match: bubbles 0.1
Downloading https://pypi.python.org/packages/source/b/bubbles/bubbles-0.1.tar.gz#md5=8c934d1609c700d3180107871b10d6d5
Processing bubbles-0.1.tar.gz
Writing /tmp/easy_install-eb92K3/bubbles-0.1/setup.cfg
Running bubbles-0.1/setup.py -q bdist_egg --dist-dir /tmp/easy_install-eb92K3/bubbles-0.1/egg-dist-tmp-bIllvD
warning: build_py: byte-compiling is disabled, skipping.
warning: install_lib: byte-compiling is disabled, skipping.
zip_safe flag not set; analyzing archive contents...
Adding bubbles 0.1 to easy-install.pth file
Installed /usr/lib/python2.7/site-packages/bubbles-0.1-py2.7.egg
Processing dependencies for bubbles
Finished processing dependencies for bubbles
# pip uninstall bubbles
Uninstalling bubbles:
/usr/lib/python2.7/site-packages/bubbles-0.1-py2.7.egg
Proceed (y/n)? y
Successfully uninstalled bubbles
```

python-tornado
--------------

```
$ cat helloworld.py
```

```python
import tornado.ioloop
import tornado.web

class MainHandler(tornado.web.RequestHandler):
    def get(self):
        self.write("Hello, world")

application = tornado.web.Application([
    (r"/", MainHandler),
])

if __name__ == "__main__":
    application.listen(8888)
    tornado.ioloop.IOLoop.instance().start()
```

```
$ python helloworld.py
```

In another terminal tab..

```
$ curl http://localhost:8888
Hello, world
```

python-requests
---------------

```
$ cat test.py
```

```python
import requests
r = requests.get('https://mageia.org')
print r.text
```

```
$ python test.py
<!DOCTYPE html>
<html dir="ltr" lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Home of the Mageia project </title>
...etc
```

python-urllib3
--------------

```
$ cat test.py
```

```python
import urllib3
http = urllib3.PoolManager()
r = http.request('GET', 'http://mageia.org')
print r.status, r.data
```

```
$ python test.py
200 <!DOCTYPE html>
<html dir="ltr" lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Home of the Mageia project </title>
...etc
```

python-virtualenv
-----------------

```
$ cd test
$ virtualenv .
$ source bin/activate
$ pip install fabric
```

The resulting dirs can be deleted when done.

bzr
---

Followed https://bugs.mageia.org/show_bug.cgi?id=10391#c13

Forgot python3-setuptools & python3-pip
# python3-pip install bubbles
Downloading/unpacking bubbles
Running setup.py egg_info for package bubbles
Installing collected packages: bubbles
Running setup.py install for bubbles
warning: build_py: byte-compiling is disabled, skipping.
warning: install_lib: byte-compiling is disabled, skipping.
Successfully installed bubbles
Cleaning up...
# python3-pip uninstall bubbles
Uninstalling bubbles:
/usr/lib/python3.3/site-packages/bubbles-0.1-py3.3.egg-info
/usr/lib/python3.3/site-packages/bubbles/__init__.py
/usr/lib/python3.3/site-packages/bubbles/backends/__init__.py
/usr/lib/python3.3/site-packages/bubbles/backends/sql/__init__.py
/usr/lib/python3.3/site-packages/bubbles/backends/sql/objects.py
/usr/lib/python3.3/site-packages/bubbles/backends/sql/ops.py
/usr/lib/python3.3/site-packages/bubbles/backends/sql/utils.py
/usr/lib/python3.3/site-packages/bubbles/backends/text/__init__.py
/usr/lib/python3.3/site-packages/bubbles/backends/text/objects.py
/usr/lib/python3.3/site-packages/bubbles/common.py
/usr/lib/python3.3/site-packages/bubbles/core.py
/usr/lib/python3.3/site-packages/bubbles/datautil.py
/usr/lib/python3.3/site-packages/bubbles/doc.py
/usr/lib/python3.3/site-packages/bubbles/errors.py
/usr/lib/python3.3/site-packages/bubbles/extensions.py
/usr/lib/python3.3/site-packages/bubbles/iterator.py
/usr/lib/python3.3/site-packages/bubbles/metadata.py
/usr/lib/python3.3/site-packages/bubbles/objects.py
/usr/lib/python3.3/site-packages/bubbles/pipeline.py
/usr/lib/python3.3/site-packages/bubbles/stores.py
/usr/lib/python3.3/site-packages/bubbles/urlresource.py
Proceed (y/n)? y
Successfully uninstalled bubbles
# easy_install-3.3 bubbles
Searching for bubbles
Reading https://pypi.python.org/simple/bubbles/
Best match: bubbles 0.1
Downloading https://pypi.python.org/packages/source/b/bubbles/bubbles-0.1.tar.gz#md5=8c934d1609c700d3180107871b10d6d5
Processing bubbles-0.1.tar.gz
Writing /tmp/easy_install-c9_alu/bubbles-0.1/setup.cfg
Running bubbles-0.1/setup.py -q bdist_egg --dist-dir /tmp/easy_install-c9_alu/bubbles-0.1/egg-dist-tmp-snha8e
warning: build_py: byte-compiling is disabled, skipping.
warning: install_lib: byte-compiling is disabled, skipping.
zip_safe flag not set; analyzing archive contents...
Adding bubbles 0.1 to easy-install.pth file
Installed /usr/lib/python3.3/site-packages/bubbles-0.1-py3.3.egg
Processing dependencies for bubbles
Finished processing dependencies for bubbles
# python3-pip uninstall bubbles
Uninstalling bubbles:
/usr/lib/python3.3/site-packages/bubbles-0.1-py3.3.egg
Proceed (y/n)? y
Successfully uninstalled bubbles

Whiteboard: advisory has_procedure => advisory has_procedure mga3-32-ok

In VirtualBox, M3, KDE, 32-bit

Package(s) under test: python

[root@localhost wilcal]# urpmi python
Package python-2.7.5-1.2.mga3.i586 is already installed

Install calibre and dia
runs calibre and dia from desktop icons

Install python updates from nonfree updates_testing:

[root@localhost wilcal]# urpmi python
Package python-2.7.5-1.3.mga3.i586 is already installed

runs calibre and dia from desktop icons

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
VirtualBox 4.2.16-1.mga3.x86_64.rpm

CC: (none) => wilcal.int

python 2.7 version is being updated in bug 10758

William, it's a bit confusing as we had multiple bugs for the same packages and the bug numbers are very similar too. This bug is for python3 and some python & python3 modules.

Testing mga3 64

Testing complete mga3 64

Validating. Could sysadmin please push from 3 core/updates_testing to updates

Thanks!

Keywords: (none) => validated_update

Update pushed:
http://advisories.mageia.org/MGASA-2013-0376.html

Status: NEW => RESOLVED

CVE-2013-7440 has been allocated for this:
http://openwall.com/lists/oss-security/2015/05/21/12

Summary: python3 yet another ssl.match_hostname() security issue => python3 yet another ssl.match_hostname() security issue (CVE-2013-7440)
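The change this update ships, ssl.match_hostname() following RFC 6125, is easiest to see with the matching rule written out. The block below is an added example for this bug page; it is not code from the bug report, from CPython, or from any of the updated packages. It is a self-contained matcher modelled on the RFC 6125 rules the Python 3.3.3 patch adopts (a wildcard is honoured only in the leftmost label, matches exactly one label, and is never expanded inside an IDNA A-label), placed beside a simplified model of the pre-fix behaviour, plus a probe that asks the running interpreter's own ssl.match_hostname which of the two it implements. The certificate dictionary (in the layout ssl.getpeercert() returns), the hostnames, and every function name are constructed for the example; the legacy model and the probe's verdict mapping are my assumptions, not copies of shipped code.

```python
import re
import ssl  # used only by the probe of the interpreter's own matcher


class CertificateError(ValueError):
    """Raised when a certificate does not match the requested hostname."""


def rfc6125_dnsname_match(dn, hostname, max_wildcards=1):
    """Match one dNSName (or CN) pattern against a hostname following the
    RFC 6125 rules the 3.3.3 fix adopts (my model, not CPython's code):
      - a '*' is honoured only in the leftmost label; elsewhere it is literal,
      - a lone '*' must match a whole non-empty label and never a dot,
      - no wildcard expansion inside IDNA A-labels (xn--...),
      - everything else is a case-insensitive exact comparison.
    More than max_wildcards stars in the leftmost label is rejected outright
    rather than compiled into a pathological pattern."""
    if not dn:
        return False
    leftmost, *remainder = dn.split('.')
    wildcards = leftmost.count('*')
    if wildcards > max_wildcards:
        raise CertificateError("too many wildcards in certificate DNS name: %r" % dn)
    if not wildcards:
        return dn.lower() == hostname.lower()
    pats = []
    if leftmost == '*':
        pats.append('[^.]+')                 # one whole label, no dots
    elif leftmost.startswith('xn--') or hostname.startswith('xn--'):
        pats.append(re.escape(leftmost))     # literal: no partial wildcard in IDNA
    else:
        pats.append(re.escape(leftmost).replace(r'\*', '[^.]*'))
    pats.extend(re.escape(frag) for frag in remainder)
    pat = re.compile(r'\A' + r'\.'.join(pats) + r'\Z', re.IGNORECASE)
    return pat.match(hostname) is not None


def legacy_dnsname_match(dn, hostname):
    """Simplified model (an assumption, not the shipped code) of the pre-fix
    behaviour: every label may carry a wildcard, and a partial wildcard is
    expanded even inside an IDNA label."""
    pats = []
    for frag in dn.split('.'):
        if frag == '*':
            pats.append('[^.]+')
        else:
            pats.append(re.escape(frag).replace(r'\*', '[^.]*'))
    pat = re.compile(r'\A' + r'\.'.join(pats) + r'\Z', re.IGNORECASE)
    return pat.match(hostname) is not None


def match_hostname(cert, hostname, matcher=rfc6125_dnsname_match):
    """Check a cert in ssl.getpeercert() layout against hostname. Uses the
    subjectAltName dNSName entries and falls back to commonName only when the
    certificate carries no dNSName at all. Returns None on success."""
    if not cert:
        raise CertificateError("empty or unverified certificate")
    dnsnames = [v for k, v in cert.get('subjectAltName', ()) if k == 'DNS']
    if not dnsnames:
        for rdn in cert.get('subject', ()):
            dnsnames.extend(v for k, v in rdn if k == 'commonName')
    for name in dnsnames:
        if matcher(name, hostname):
            return None
    raise CertificateError("hostname %r doesn't match %s"
                           % (hostname, ", ".join(map(repr, dnsnames))))


def probe_installed_match_hostname():
    """Report how the interpreter's own ssl.match_hostname treats a wildcard
    outside the leftmost label: 'rfc6125' (rejects), 'permissive' (accepts)
    or 'unavailable' (the function was removed in Python 3.12)."""
    fn = getattr(ssl, 'match_hostname', None)
    if fn is None:
        return 'unavailable'
    cert = {'subjectAltName': (('DNS', 'www.*.example.com'),)}  # constructed
    try:
        fn(cert, 'www.anything.example.com')
    except ssl.CertificateError:
        return 'rfc6125'
    return 'permissive'


# Constructed sample certificate; example.com is a reserved documentation name.
SAMPLE_CERT = {
    'subject': ((('commonName', 'www.example.com'),),),
    'subjectAltName': (('DNS', '*.example.com'), ('DNS', 'example.com')),
}

if __name__ == "__main__":
    for host in ("www.example.com", "example.com", "a.b.example.com", "other.test"):
        try:
            match_hostname(SAMPLE_CERT, host)
            print("%-18s accepted" % host)
        except CertificateError as exc:
            print("%-18s rejected: %s" % (host, exc))
    for dn, host in (("www.*.example.com", "www.sub.example.com"),
                     ("xn--*.example.com", "xn--bcher-kva.example.com")):
        print("%-20s vs %-28s legacy=%-5s rfc6125=%s" % (
            dn, host, legacy_dnsname_match(dn, host), rfc6125_dnsname_match(dn, host)))
    print("installed ssl.match_hostname:", probe_installed_match_hostname())
```

Run it with python3. The first loop shows why `*.example.com` covers `www.example.com` but not `a.b.example.com` (one label, never two), and the second loop shows the two patterns the legacy model accepts and the RFC 6125 matcher refuses. The probe is the check a QA tester could add next to the procedures above: the python-urllib3 test fetches a plain http:// URL and so never exercises certificate matching, and the python-requests test validates a certificate but not the wildcard path this update changes.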