| Summary: | python-jinja2 new security issues CVE-2016-10745 and CVE-2019-10906 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | | |
| Priority: | Normal | CC: | davidwhodgins, geiger.david68210, herman.viaene, sysadmin-bugs, tarazed25 |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA6-32-OK | | |
| Source RPM: | python-jinja2-2.8-4.mga6.src.rpm | CVE: | |
| Status comment: | | | |
| Attachments: | file adapted to python and python3 | | |
|
Description
David Walser
2019-05-08 13:42:42 CEST
Advisory:
========================

Updated python-jinja2 packages fix security vulnerability:

Sandbox escape due to information disclosure via str.format (CVE-2016-10745).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10745
https://access.redhat.com/errata/RHSA-2019:1022
========================

Updated packages in core/updates_testing:
========================

python-jinja2-2.8.1-1.mga6
python3-jinja2-2.8.1-1.mga6

from python-jinja2-2.8.1-1.mga6.src.rpm

Assignee: bugsquad => qa-bugs


RedHat has issued an advisory today (May 13):
https://access.redhat.com/errata/RHSA-2019:1152

The issue is fixed upstream in 2.10.1.

Summary: python-jinja2 new security issue CVE-2016-10745 => python-jinja2 new security issues CVE-2016-10745 and CVE-2019-10906


Fixed for mga6!

Advisory:
========================

Updated python-jinja2 packages fix security vulnerabilities:

Sandbox escape due to information disclosure via str.format (CVE-2016-10745).
str.format_map allows sandbox escape (CVE-2019-10906).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10745
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10906
https://access.redhat.com/errata/RHSA-2019:1022
https://access.redhat.com/errata/RHSA-2019:1152
========================

Updated packages in core/updates_testing:
========================

python-jinja2-2.10.1-1.mga6
python3-jinja2-2.10.1-1.mga6

from python-jinja2-2.10.1-1.mga6.src.rpm

Assignee: geiger.david68210 => qa-bugs


MGA6-32 MATE on IBM Thinkpad R50e

No installation issues.

Followed test as per bug 12265, the test file and Comment 9. At CLI:

```
$ python test.py
Hello. If you see this with no errors then it worked :)
```

but as this update is also on python3:

```
$ python3 test.py
  File "test.py", line 4
    print output
               ^
SyntaxError: Missing parentheses in call to 'print'
```

I am not fluent at python and lack the time now to look into it, so abandoning for now until later or someone else picks the python3 issue up.

CC: (none) => herman.viaene


Replying to Herman comment 6: Yes, the parentheses are required in python3. It is better to write scripts with print( whatever ) for either version of python because python2.7 accepts both forms.

Not in a position to do much testing these days but may pick it up later.

Len

CC: (none) => tarazed25


Changed the test file following Len's hint. Now I get:

```
$ python test.py
Hello. If you see this with no errors then it worked :)
```

and

```
$ python3 test.py
Hello. If you see this with no errors then it worked :)
```

So OK for me, I will upload the adapted test.py file.

Whiteboard: (none) => MGA6-32-OK


Created attachment 11000 [details]
file adapted to python and python3


Advisory committed to svn. Validating the update.

Keywords: (none) => advisory, validated_update


An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0177.html

Resolution: (none) => FIXED