| Summary: | python new security issue CVE-2013-1753 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | cmrisolde, davidwhodgins, geiger.david68210, makowski.mageia, rverschelde, sysadmin-bugs, tmb |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/591682/ | | |
| Whiteboard: | MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK 13041.adv | | |
| Source RPM: | python | CVE: | |
| Status comment: | | | |
| Bug Depends on: | | | |
| Bug Blocks: | 12127 | | |
Description
David Walser
2014-03-18 17:58:10 CET

David Walser
2014-03-18 17:58:19 CET
Whiteboard: (none) => MGA4TOO, MGA3TOO

A CVE has been assigned for yet another zipfile issue in Python:
http://openwall.com/lists/oss-security/2014/03/19/3

The upstream bug and commit to fix it are linked in the message above.

Summary: python new security issue CVE-2013-1753 => python new security issues CVE-2013-1753 and CVE-2013-7338

(In reply to David Walser from comment #1)
> A CVE has been assigned for yet another zipfile issue in Python:
> http://openwall.com/lists/oss-security/2014/03/19/3
>
> The upstream bug and commit to fix it are linked in the message above.

just when I finished the builds for all Mageia versions :(
seems that I need another push

Status: NEW => ASSIGNED

(In reply to David Walser from comment #1)
> A CVE has been assigned for yet another zipfile issue in Python:
> http://openwall.com/lists/oss-security/2014/03/19/3
>
> The upstream bug and commit to fix it are linked in the message above.

Philippe has notified me that that one affects python3, not python. Moved to Bug 13052.

Summary: python new security issues CVE-2013-1753 and CVE-2013-7338 => python new security issue CVE-2013-1753

Suggested advisory:
===================

Updated python packages fix security vulnerabilities:

* upstream fix for CVE-2013-1752 : multiple unbound readline() DoS flaws in python stdlib
* upstream fixes for CVE-2013-1753 : gzip bomb and unbound read DoS flaw in python XMLRPC library

References:
http://lists.opensuse.org/opensuse-updates/2014-03/msg00044.html

Packages :
libpython2.7-2.7.6-1.1.mga4
libpython-devel-2.7.6-1.1.mga4
tkinter-2.7.6-1.1.mga4
tkinter-apps-2.7.6-1.1.mga4
python-2.7.6-1.1.mga4
python-docs-2.7.6-1.1.mga4
libpython2.7-2.7.6-1.1.mga3
libpython-devel-2.7.6-1.1.mga3
tkinter-2.7.6-1.1.mga3
tkinter-apps-2.7.6-1.1.mga3
python-2.7.6-1.1.mga3
python-docs-2.7.6-1.1.mga3

from :
python-2.7.6-1.1.mga3.src
python-2.7.6-1.1.mga4.src

Status: ASSIGNED => NEW

Rémi Verschelde
2014-03-20 08:42:30 CET
CC: (none) => remi

Philippe Makowski
2014-03-20 10:02:34 CET
CC: (none) => makowski.mageia

Rémi Verschelde
2014-03-20 10:10:30 CET
Version: 3 => 4

Thanks Philippe!

Advisory:
========================

Updated python packages fix security vulnerabilities:

Denial of service flaws due to unbound readline() calls in the imaplib, poplib, and smtplib modules (CVE-2013-1752).

A gzip bomb and unbound read denial of service flaw in python XMLRPC library (CVE-2013-1753).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1752
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1753
http://lists.opensuse.org/opensuse-updates/2014-03/msg00044.html
========================

Updated packages in core/updates_testing:
========================
libpython2.7-2.7.6-1.1.mga3
libpython-devel-2.7.6-1.1.mga3
tkinter-2.7.6-1.1.mga3
tkinter-apps-2.7.6-1.1.mga3
python-2.7.6-1.1.mga3
python-docs-2.7.6-1.1.mga3

libpython2.7-2.7.6-1.1.mga4
libpython-devel-2.7.6-1.1.mga4
tkinter-2.7.6-1.1.mga4
tkinter-apps-2.7.6-1.1.mga4
python-2.7.6-1.1.mga4
python-docs-2.7.6-1.1.mga4

from SRPMS:
python-2.7.6-1.1.mga3.src.rpm
python-2.7.6-1.1.mga4.src.rpm

Blocks: (none) => 12127

Tested on Mga3 32-bit using PySol, IDLE and a few simple scripts of my own with and without Tkinter. No regressions noticed. Will now test Mga4 32-bit.

Carolyn

CC: (none) => cmrisolde

Same as above for 64-bit except that I couldn't find IDLE - has it been dropped from Mageia? - so I used Eric instead. No regressions noticed.

Carolyn

Whiteboard: MGA3TOO MGA3-32-OK => MGA3TOO MGA3-32-OK MGA4-32-OK

It seems that IDLE is included in tkinter-apps (and tkinter3-apps for IDLE3). Tested on Mga4 64-bit, including IDLE. It seems on Mga3 64-bit IDLE doesn't appear in the applications menu but it does on the others.

My packages listed for update showed the name lib64python2.7..., the "64" seems to be missing in the above list of RPMs. Ditto for the devel one.

No regressions noted. At the moment I can't test Mga3 64-bit, so I'll have to leave that one to someone else.

Carolyn

Whiteboard: MGA3TOO MGA3-32-OK MGA4-32-OK => MGA3TOO MGA3-32-OK MGA4-32-OK MGA4-64-OK

Tested mga3_64. Testing complete for python-2.7.6-1.1.mga3, nothing to report and it seems to work fine here with some packages that needed python.

lib64python2.7-2.7.6-1.1.mga3
tkinter-2.7.6-1.1.mga3
tkinter-apps-2.7.6-1.1.mga3
python-2.7.6-1.1.mga3
python-docs-2.7.6-1.1.mga3

CC: (none) => geiger.david68210

Advisory uploaded to svn. Validating the update.

Someone from the sysadmin team please push 13041.adv to updates.

Keywords: (none) => validated_update

Update pushed: http://advisories.mageia.org/MGASA-2014-0139.html

Status: NEW => RESOLVED

David Walser
2014-03-24 19:18:07 CET
URL: (none) => http://lwn.net/Vulnerabilities/591682/
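The two flaw classes the advisory names, unbounded readline() calls in the mail-protocol modules and an unbounded gzip decode in the XML-RPC library, share one defensive pattern: cap how many bytes a single read may buffer and reject input that hits the cap. The following is an added Python 3 illustration written for this page, not Mageia's or CPython's patch; MAXLINE, MAX_DECODE and the sample inputs are constructed for the demonstration.

```python
import gzip
import io

# Assumed limits for this demo, not values taken from the bug or the fix.
MAXLINE = 8192          # most bytes accepted for one protocol reply line
MAX_DECODE = 64 * 1024  # most bytes a gzip-encoded XML-RPC body may inflate to

class ReadLimitExceeded(Exception):
    pass

def bounded_readline(stream, maxline=MAXLINE):
    # An unbounded stream.readline() grows its buffer until a newline arrives.
    # With a limit it returns early, and an over-long result is rejected.
    line = stream.readline(maxline + 1)
    if len(line) > maxline:
        raise ReadLimitExceeded("line longer than %d bytes" % maxline)
    return line

def bounded_gzip_decode(data, max_decode=MAX_DECODE):
    # GzipFile.read(n) inflates incrementally, so a tiny payload that
    # expands enormously is stopped at max_decode + 1 bytes and rejected
    # rather than being expanded fully in memory.
    with gzip.GzipFile(mode="rb", fileobj=io.BytesIO(data)) as f:
        decoded = f.read(max_decode + 1)
    if len(decoded) > max_decode:
        raise ReadLimitExceeded("gzip body exceeds %d bytes" % max_decode)
    return decoded

# Constructed inputs: a normal POP3-style reply, a 1 MiB "line" that never
# ends, a small gzip body, and 4 MiB of zeros that gzip down to a few KiB.
GOOD_LINE = b"+OK 2 messages (320 octets)\r\n"
LONG_LINE = b"A" * (1024 * 1024)
SMALL_BODY = gzip.compress(b"<methodCall/>")
BOMB_BODY = gzip.compress(b"\0" * (4 * 1024 * 1024))

def outcome(fn, arg):
    # "rejected" if the bounded reader refused the input, else "accepted".
    try:
        fn(arg)
        return "accepted"
    except ReadLimitExceeded:
        return "rejected"

def demo():
    return {
        "good": bounded_readline(io.BytesIO(GOOD_LINE)),
        "long": outcome(bounded_readline, io.BytesIO(LONG_LINE)),
        "small": bounded_gzip_decode(SMALL_BODY),
        "bomb": outcome(bounded_gzip_decode, BOMB_BODY),
    }
```

Without the caps, the long line and the zero-filled body would each be buffered in full before any protocol logic could reject them, which is the memory-exhaustion behaviour the update removes.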