| Summary: | python-sqlalchemy new security issues CVE-2019-7164 and CVE-2019-7548 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | | |
| Priority: | Normal | CC: | andrewsfarm, geiger.david68210, herman.viaene, jani.valimaa, sysadmin-bugs, tmb |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA7-64-OK | | |
| Source RPM: | python-sqlalchemy-1.2.12-2.mga7.src.rpm | CVE: | |
| Status comment: | | | |
|
Description (Comment 0)
David Walser
2019-11-26 21:33:19 CET

Comment 1
David Walser
2019-11-26 21:33:32 CET

CC: (none) => geiger.david68210, jani.valimaa

Comment 2
David Walser
2019-11-26 21:33:46 CET

Summary: python-sqlalchemy new security issues => python-sqlalchemy new security issues CVE-2019-7164 and CVE-2019-7548

Assigning to philippem as the relevant registered maintainer.

Assignee: bugsquad => makowski.mageia

Comment 3

I thought he left Mageia.

Comment 4

Done updating to the latest 1.2.19 release from the 1.2.x branch and adding a Debian patch!

Advisory:
========================

Updated python-sqlalchemy packages fix security vulnerabilities:

SQL Injection via the order_by parameter (CVE-2019-7164).

SQL Injection via the group_by parameter (CVE-2019-7548).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7164
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7548
https://lists.opensuse.org/opensuse-updates/2019-08/msg00221.html
========================

Updated packages in core/updates_testing:
========================
python2-sqlalchemy-1.2.19-1.mga7
python3-sqlalchemy-1.2.19-1.mga7

from python-sqlalchemy-1.2.19-1.mga7.src.rpm

Assignee: makowski.mageia => qa-bugs

Comment 5
Herman Viaene

MGA7-64 Plasma on Lenovo B50

No installation issues.

Ref to bug 1738 Comment 5 for testing (gourmet appears in the required list for python2-sqlalchemy), so installed gourmet and imported recipe:

```
$ gourmet
Gtk-Message: 10:59:02.350: Failed to load module "canberra-gtk-module"
No gst player
No windows player
CONTENT TYPE = text/html; charset=UTF-8
emit ('completed',)
emit ('done',)
Doing import of http://www.canadianwineguy.com/2007/08/07/chili-recipe/ <web_import_plugin.generic_web_importer_plugin.GenericWebImporter instance at 0x7f89bc4370a0>
HERE's the data we got: <!DOCTYPE html> <html lang="en-US">
```

and a lot more feedback as operations progressed.

Created a shopping list, tried out the units converter, but couldn't get this one to change the units in a shopping list or a displayed recipe, but that is probably just me...

Used anki to test python3-sqlalchemy, also works OK.

Whiteboard: (none) => MGA7-64-OK

Comment 6

(In reply to Herman Viaene from comment #5)
> Used anki to test python3-sqlalchemy, also works OK.

Herman, did you use anki before or after updating the glib packages in Bug 25276? If after, I believe it should count as a test of those packages too, and enough verification to give that bug an OK and send it on its way. See Bug 25525 for further information.

CC: (none) => andrewsfarm

Comment 7

Since this is listed as a critical update, I'm sending it along rather than wait for the answer to the question I posed in Comment 6. Herman, if you could try anki as part of a test for Bug 25276, I'd appreciate it.

Validating. Advisory in Comment 4.

Keywords: (none) => validated_update
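The advisory in Comment 4 names SQL injection through the order_by and group_by parameters. What follows is an added example, not code from the Mageia package, from SQLAlchemy or from any commenter on this bug, of the application-side mitigation that applies regardless of library version: user-supplied sort and group keys are resolved against an explicit allow list and only the resolved column names are passed on to the query layer. The allow-list mapping, the column names and the request strings are constructed for the illustration.

```python
"""Allow-list validation for user-supplied ORDER BY / GROUP BY parameters.

Constructed example: never hand a raw request string to a query builder's
order_by/group_by. Resolve each requested key through an allow list first.
"""
import re
from typing import Dict, List, Tuple

# Hypothetical allow list: public API names -> real column names.
ALLOWED_COLUMNS: Dict[str, str] = {
    "name": "product_name",
    "price": "unit_price",
    "created": "created_at",
}

# A key must be a plain identifier; anything with punctuation or spaces fails.
_KEY_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


class UnsafeSortParameter(ValueError):
    """Raised when a request carries a key outside the allow list."""


def parse_order_by(raw: str, allowed: Dict[str, str] = ALLOWED_COLUMNS,
                   max_keys: int = 3) -> List[Tuple[str, str]]:
    """Turn "price:desc,name" into [("unit_price", "DESC"), ("product_name", "ASC")].

    Each key is looked up in `allowed`; unknown keys, embedded punctuation and
    bad directions raise instead of being forwarded to the database layer.
    """
    if not raw:
        return []
    parts = [p.strip() for p in raw.split(",")]
    if len(parts) > max_keys:
        raise UnsafeSortParameter(f"too many sort keys: {len(parts)} > {max_keys}")
    result: List[Tuple[str, str]] = []
    for part in parts:
        key, _, direction = part.partition(":")
        key = key.strip()
        direction = direction.strip().lower() or "asc"
        if not _KEY_RE.match(key) or key not in allowed:
            raise UnsafeSortParameter(f"sort key not permitted: {key!r}")
        if direction not in ("asc", "desc"):
            raise UnsafeSortParameter(f"sort direction not permitted: {direction!r}")
        result.append((allowed[key], direction.upper()))
    return result


def parse_group_by(raw: str, allowed: Dict[str, str] = ALLOWED_COLUMNS) -> List[str]:
    """Same allow-list rule for group_by, which carries no direction suffix."""
    if not raw:
        return []
    cols: List[str] = []
    for part in (p.strip() for p in raw.split(",")):
        if not _KEY_RE.match(part) or part not in allowed:
            raise UnsafeSortParameter(f"group key not permitted: {part!r}")
        cols.append(allowed[part])
    return cols


def order_by_clause(parsed: List[Tuple[str, str]]) -> str:
    """Render the validated keys; only allow-listed names can reach this string."""
    if not parsed:
        return ""
    return "ORDER BY " + ", ".join(f"{col} {direction}" for col, direction in parsed)


def is_permitted(raw: str) -> bool:
    """True when `raw` survives validation; used to exercise the reject path."""
    try:
        parse_order_by(raw)
        return True
    except UnsafeSortParameter:
        return False


if __name__ == "__main__":
    # Constructed request values: one acceptable, one that the allow list rejects.
    print(order_by_clause(parse_order_by("price:desc,name")))
    print(is_permitted("price DESC"))
```

Because the database-side column name comes from the allow list and never from the request, the query layer only ever sees identifiers the application chose, whichever library builds the final SQL.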
Comment 8
Thomas Backlund
2019-11-30 11:17:23 CET

Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0350.html

Status: NEW => RESOLVED