Bug 16373

Summary: ipython new security issue fixed upstream in 3.2.1 (CVE-2015-5607)
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: Philippe Makowski <makowski.mageia>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal    
Priority: Normal    
Version: 5   
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/652942/
Whiteboard: MGA4TOO has_procedure
Source RPM: ipython-3.2.0-2.mga6.src.rpm
CVE:
Status comment:
Bug Depends on: 16183    
Bug Blocks:    

Description David Walser 2015-07-13 19:18:19 CEST
A CVE was requested for a security issue in IPython:
http://www.openwall.com/lists/oss-security/2015/07/12/4

The message above has links to commits to fix the issue in the 2.x and 3.x branches, but older versions are also affected (including the one in Mageia 4).

David Walser 2015-07-13 19:18:33 CEST

Whiteboard: (none) => MGA5TOO, MGA4TOO

Comment 1 Philippe Makowski 2015-07-14 13:15:50 CEST
ok for cauldron and Mga5, but for Mga4, I don't see how to backport, sorry

Comment 2 Philippe Makowski 2015-07-14 13:20:44 CEST
packages in 5/core/updates_testing :

python3-ipython-2.3.0-2.2.mga5.noarch
ipython-2.3.0-2.2.mga5.src
ipython-2.3.0-2.2.mga5.noarch
ipython-doc-2.3.0-2.2.mga5.noarch


Cauldron updated to 3.2.1

Comment 3 David Walser 2015-07-14 20:51:26 CEST
Would it hurt to update Mageia 4 to a newer version?  I don't know enough about IPython to say.

Version: Cauldron => 5
Whiteboard: MGA5TOO, MGA4TOO => MGA4TOO

Comment 4 Philippe Makowski 2015-07-15 18:28:48 CEST
(In reply to David Walser from comment #3)
> Would it hurt to update Mageia 4 to a newer version?  I don't know enough
> about IPython to say.

That's what I'm investigating now

Comment 5 Philippe Makowski 2015-07-15 19:34:46 CEST
reading "Backwards incompatible changes" in http://ipython.org/ipython-doc/3/whatsnew/version2.0.html I see no big problems

so here it is :

packages in 4/core/updates_testing :
ipython-2.3.0-1.mga4.noarch
ipython-2.3.0-1.mga4.src

David Walser 2015-07-15 19:58:37 CEST

Depends on: (none) => 16183

Comment 6 David Walser 2015-07-21 16:47:11 CEST
CVE-2015-5607 assigned:
http://openwall.com/lists/oss-security/2015/07/21/3

Summary: ipython new security issue fixed upstream in 3.2.1 => ipython new security issue fixed upstream in 3.2.1 (CVE-2015-5607)

Comment 7 Philippe Makowski 2015-07-25 17:04:01 CEST
see previous test procedure in https://bugs.mageia.org/show_bug.cgi?id=13744#c1

Whiteboard: MGA4TOO => MGA4TOO has_procedure

Comment 8 David Walser 2015-07-30 18:50:06 CEST
Fedora has issued an advisory for this on July 17:
https://lists.fedoraproject.org/pipermail/package-announce/2015-July/162671.html

URL: (none) => http://lwn.net/Vulnerabilities/652942/

Comment 9 David Walser 2015-08-03 22:57:15 CEST
Fixed in:
http://advisories.mageia.org/MGASA-2015-0300.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED