| Summary: | jython new security issue CVE-2016-4000 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Zombie Ryushu <zombie_ryushu> |
| Component: | Security | Assignee: | Nicolas Lécureuil <mageia> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | geiger.david68210, luigiwalser, marja11, wilcal.int |
| Version: | Cauldron | ||
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Source RPM: | jython-2.7-3.mga6.src.rpm | CVE: | |
| Status comment: | |||
Description
Zombie Ryushu
2017-06-23 09:38:41 CEST
Are we affected? We have jython-2.2.1-18.mga5 in stable and jython-2.7-3.mga6 in cauldron.

Whiteboard: (none) => MGA5TOO??

The actual source of this bug is a Debian advisory from June 22: https://www.debian.org/security/2017/dsa-3893

I don't see any information saying that certain versions aren't vulnerable, so I'd assume Mageia 5 and Cauldron both are affected.

Whiteboard: MGA5TOO?? => MGA5TOO

Should this hold up the release of M6?

CC: (none) => wilcal.int

(In reply to William Kenney from comment #3)
> Should this hold up the release of M6?

Please don't go around wasting our time posting that to every security bug. I just wanted to note that Nicolas backported a patch from Debian to fix this in Cauldron, but the build failed with a weird error.

jython-2.7-4.mga6 uploaded for Cauldron by Nicolas and David. Thanks!

Whiteboard: MGA5TOO => (none)

For mga5, I think that our 2.2.1 release is not affected; there are some missing files between the source tarball and the patch. I also think that this version is far too old. Also, no other distributions have fixed this CVE for the 2.2.1 release. Thanks.

We can reopen if someone fixes it for 2.2.1.

Status: NEW => RESOLVED