| Summary: | python-oauth2 new security issue CVE-2013-4346 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | Philippe Makowski <makowski.mageia> |
| Status: | RESOLVED WONTFIX | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | | |
| Version: | 3 | | |
| Target Milestone: | --- | | |
| Hardware: | i586 | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/613457/ | | |
| Whiteboard: | | | |
| Source RPM: | python-oauth2-1.5.170-2.3.mga3.src.rpm | CVE: | |
| Status comment: | | | |

Description
David Walser
2014-09-26 22:55:33 CEST
(In reply to David Walser from comment #0)
> Fedora has issued an advisory on September 13:
> https://lists.fedoraproject.org/pipermail/package-announce/2014-September/138701.html
>
> It looks like we fixed CVE-2013-4347 in Bug 11224, but didn't fix
> CVE-2013-4346 at that time, but Fedora's advisory says both were fixed,
> thanks to Philippe Makowski.

We did "mga 11224 multiple vulnerabilities in python-oauth2 (CVE-2013-4346, CVE-2013-4347"
http://svnweb.mageia.org/packages/updates/3/python-oauth2/current/SPECS/python-oauth2.spec?r1=417316&r2=532500

In fact, Fedora applied my patches, but read https://bugs.mageia.org/show_bug.cgi?id=11224#c13, we choose to do nothing for CVE-2013-4346

Yes I know all of that. What I'm asking is, did Fedora actually do something for CVE-2013-4346 (i.e., is there something we *can* do), or were they mistaken in including that CVE in their advisory?

They weren't mistaken, they applied my fix, and we decided to not apply it. So they are right to say that they fixed CVE-2013-4346, even if we decided that we can't because we didn't want what Claire qualified as "Some regression".

As I said: "if someone wants to use this skeletal implementation, he has to be aware of CVE-2013-4346 and take care of this in his own code."

OK.

Status: NEW => RESOLVED