Bug 24340

Summary: python new security issue CVE-2019-5010
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: davidwhodgins, geiger.david68210, herman.viaene, marja11, pikachu17997, sysadmin-bugs
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6-32-OK
Source RPM: python-2.7.15-9.mga7.src.rpm CVE:
Status comment:

Description David Walser 2019-02-10 22:34:29 CET 
SUSE has issued an advisory on February 6:
http://lists.suse.com/pipermail/sle-security-updates/2019-February/005089.html

The issue also affects python3 (Bug 23664).
David Walser 2019-02-10 22:34:43 CET

Whiteboard: (none) => MGA6TOO

Marja Van Waes 2019-02-12 08:23:56 CET

CC: (none) => marja11
Assignee: bugsquad => python

Comment 1 David GEIGER 2019-02-12 08:35:53 CET 
Fixed both Cauldron and mga6!

CC: (none) => geiger.david68210

Comment 2 David Walser 2019-02-12 13:35:58 CET 
Advisory:
========================

Updated python packages fix security vulnerability:

An exploitable denial-of-service vulnerability exists in the X509 certificate
parser of Python.org Python 2.7.11 / 3.7.2. A specially crafted X509
certificate can cause a NULL pointer dereference, resulting in a denial of
service. An attacker can initiate or accept TLS connections using crafted
certificates to trigger this vulnerability (CVE-2019-5010).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5010
http://lists.suse.com/pipermail/sle-security-updates/2019-February/005089.html
========================

Updated packages in core/updates_testing:
========================
python-2.7.15-1.2.mga6
libpython2.7-2.7.15-1.2.mga6
libpython2.7-stdlib-2.7.15-1.2.mga6
libpython2.7-testsuite-2.7.15-1.2.mga6
libpython-devel-2.7.15-1.2.mga6
python-docs-2.7.15-1.2.mga6
tkinter-2.7.15-1.2.mga6
tkinter-apps-2.7.15-1.2.mga6

from python-2.7.15-1.2.mga6.src.rpm

Whiteboard: MGA6TOO => (none)
Assignee: python => qa-bugs
Version: Cauldron => 6
Severity: normal => major

Comment 3 Herman Viaene 2019-02-13 10:32:51 CET 
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
Ref to bug 23061 for test ideas
$ cd /usr/lib/python2.7/bsddb/test/
$ python test_all.py

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Berkeley DB 5.3.28: (September  9, 2013)
bsddb.db.version():   (5, 3, 28)
bsddb.db.full_version(): ('Berkeley DB 11g Release 2, library version 11.2.5.3.28: (September  9, 2013)', 11, 2, 5, 3, 28)
bsddb.db.__version__: 5.3.0
bsddb.db.cvsid:       $Id$
py module:            /usr/lib/python2.7/bsddb/__init__.pyc
extension module:     /usr/lib/python2.7/bsddb/__init__.pyc
python version:       2.7.15 (default, Feb 12 2019, 06:59:01) 
[GCC 5.5.0]
My pid:               11315
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................Exception in thread reader 0:
Traceback (most recent call last):
  File "/usr/lib/python2.7/threading.py", line 801, in __bootstrap_inner
    self.run()
  File "/usr/lib/python2.7/threading.py", line 754, in run
    self.__target(*self.__args, **self.__kwargs)
  File "/usr/lib/python2.7/bsddb/test/test_thread.py", line 292, in readerThread
    rec = dbutils.DeadlockWrap(c.next, max_retries=10)
  File "/usr/lib/python2.7/bsddb/dbutils.py", line 68, in DeadlockWrap
    return function(*_args, **_kwargs)
DBLockDeadlockError: (-30993, 'BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock')

......
----------------------------------------------------------------------
Ran 479 tests in 30.168s

OK

If it says OK, I'm not going to contradict it.
Sonata opens OK
Opened new empty sla file in scribus, saved it, exit scribus and open the file again from caja.
All OK.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA6-32-OK

Dave Hodgins 2019-02-14 07:05:01 CET

Keywords: (none) => advisory, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 4 Mageia Robot 2019-02-14 09:40:27 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0084.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 5 David Walser 2019-02-15 01:00:01 CET 
openSUSE has issued an advisory for this today (February 14):
https://lists.opensuse.org/opensuse-updates/2019-02/msg00071.html
play game 2019-07-05 18:35:50 CEST

CC: (none) => pikachu17997