| Summary: | python, python3 new security issues CVE-2019-16056 and CVE-2019-16935 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | geiger.david68210, sysadmin-bugs, tarazed25, tmb |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7-64-OK | ||
| Source RPM: | python-2.7.16-3.mga8.src.rpm, python3-3.7.3-1.mga7.src.rpm | CVE: | |
| Status comment: | |||
| Bug Depends on: | |||
| Bug Blocks: | 24997 | ||
|
Description
David Walser
2019-10-31 05:01:57 CET
David Walser
2019-10-31 05:02:09 CET
Whiteboard: (none) => MGA7TOO

Assigning to python stack group. Neither python nor python3 have specific maintainers.

Assignee: bugsquad => python

Are these security issues fixed in the 3.7.5 release? If yes, should we go with this release?

CC: (none) => geiger.david68210

It looks like both fixes are in 3.7.5.

done!

Advisory:
========================

Updated python and python3 packages fix security vulnerabilities:

It was discovered that Python incorrectly parsed certain email addresses. A remote attacker could possibly use this issue to trick Python applications into accepting email addresses that should be denied (CVE-2019-16056).

It was discovered that the Python documentation XML-RPC server incorrectly handled certain fields. A remote attacker could use this issue to execute a cross-site scripting (XSS) attack (CVE-2019-16935).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16056
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16935
https://usn.ubuntu.com/4151-1/
========================

Updated packages in core/updates_testing:
========================
python-2.7.17-1.1.mga7
libpython2.7-2.7.17-1.1.mga7
libpython2.7-stdlib-2.7.17-1.1.mga7
libpython2.7-testsuite-2.7.17-1.1.mga7
libpython-devel-2.7.17-1.1.mga7
python-docs-2.7.17-1.1.mga7
tkinter-2.7.17-1.1.mga7
tkinter-apps-2.7.17-1.1.mga7
python3-3.7.5-1.mga7
libpython3.7-3.7.5-1.mga7
libpython3.7-stdlib-3.7.5-1.mga7
libpython3.7-testsuite-3.7.5-1.mga7
libpython3-devel-3.7.5-1.mga7
python3-docs-3.7.5-1.mga7
tkinter3-3.7.5-1.mga7
tkinter3-apps-3.7.5-1.mga7

from SRPMS:
python-2.7.17-1.1.mga7.src.rpm
python3-3.7.5-1.mga7.src.rpm

Version: Cauldron => 7

Mageia7, x86_64

Installed missing python packages wrt the updates list.

Found a POC for CVE-2019-16935: https://bugs.python.org/issue38243
Not at all sure how to run this:
Launched Chromium browser.
$ python poc.py
In the browser at localhost:8000: `python says 1 ` then ` test<script> test<script> Methods`
The "1" seems to correspond to the 1 in the code.
Updated the packages. Ran the POC again. Launched Chromium browser and saw the same display at localhost:8000.
No idea what is going on here, so can make no comment about the POC results.

Tested python2.7 by running calibre under strace. The output showed many references to python2.7/site-packages. The application runs fine. Also ran a simple test script to put python through its paces at an elementary level, including trapping a divide-by-zero floating point exception and prompting for user input. Ran a similar test for python3 but had to remove the user interaction because it seems to work differently in python3. Ran a few utility scripts for both versions of python - all worked fine.

This looks good for 64-bits.

CC: (none) => tarazed25

(In reply to David Walser from comment #7)
> David Geiger, can we address Bug 24997?

Yes, these security fixes seem also fixed in python 3.7.5 and python 2.7.17

(In reply to David GEIGER from comment #8)
> (In reply to David Walser from comment #7)
> > David Geiger, can we address Bug 24997?
>
> Yes, these security fixes seem also fixed in python 3.7.5 and python 2.7.17

Good, flushing out then

Keywords: feedback => advisory, validated_update

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2019-0318.html

Resolution: (none) => FIXED

Thanks. We should have added those to the advisory though.

David Walser
2019-11-08 18:08:58 CET
Blocks: (none) => 24997

(In reply to David Walser from comment #11)
> Thanks. We should have added those to the advisory though.

We can add them to the advisory on advisories.mageia.org if someone writes what is missing.

(In reply to Thomas Backlund from comment #12)
> (In reply to David Walser from comment #11)
> > Thanks. We should have added those to the advisory though.
>
> We can add them to the advisory on advisories.mageia.org if someone writes
> what is missing.

https://bugs.mageia.org/show_bug.cgi?id=24997#c5

(In reply to David Walser from comment #13)
> (In reply to Thomas Backlund from comment #12)
> > (In reply to David Walser from comment #11)
> > > Thanks. We should have added those to the advisory though.
> >
> > We can add them to the advisory on advisories.mageia.org if someone writes
> > what is missing.
>
> https://bugs.mageia.org/show_bug.cgi?id=24997#c5

Advisory updated. This update also fixed CVE-2018-20852:
https://lists.opensuse.org/opensuse-updates/2019-08/msg00178.html
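An added QA check for the email-parsing issue named in the advisory above, not code from this bug report or from the Mageia packages. CVE-2019-16056 concerns `email.utils.parseaddr()` returning a valid-looking address for input containing more than one `@` (that detail comes from the upstream CPython fix, not from this report). The first function reports whether the running interpreter carries the fix; the second is a conservative application-side guard that rejects such input even on an unpatched interpreter. All sample addresses are constructed.

```python
from email.utils import parseaddr

# Constructed sample inputs; the last one has the CVE-2019-16056 shape
# (more than one '@'). An unpatched parseaddr() returned ('', 'a@b') for it,
# i.e. a plausible address that the input never actually contained.
SAMPLES = [
    "Alice <alice@example.org>",
    "bob@example.org",
    "a@b@c",
]


def interpreter_has_cve_2019_16056_fix():
    """True when parseaddr() refuses a multi-@ address outright, which is
    the behaviour shipped in the Python 3.7.5 / 2.7.17 builds of this update."""
    return parseaddr("a@b@c") == ("", "")


def validate_address(raw):
    """Return the parsed addr-spec, or None if the input must be rejected.

    Defence in depth for applications that cannot yet rely on a patched
    interpreter: the parsed addr-spec must be non-empty with exactly one '@'
    and a non-empty local part and domain, and the raw input itself may
    contain only one '@', so a truncated 'a@b' derived from 'a@b@c' is never
    accepted. Rejecting '@' in display names is a deliberately conservative
    policy choice made here, not something the parser requires.
    """
    _, addr = parseaddr(raw)
    if not addr or addr.count("@") != 1:
        return None
    local, domain = addr.split("@")
    if not local or not domain:
        return None
    if raw.count("@") != 1:
        return None
    return addr


def check_samples(samples=SAMPLES):
    """Map each input to the accepted addr-spec or None."""
    return {s: validate_address(s) for s in samples}


if __name__ == "__main__":
    print("interpreter carries the fix:", interpreter_has_cve_2019_16056_fix())
    for sample, result in check_samples().items():
        print(f"{sample!r:30} -> {result!r}")
```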