Bug 25768

Summary: python-werkzeug new security issue CVE-2019-14806
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, geiger.david68210, herman.viaene, jani.valimaa, mageia, sysadmin-bugs, tmb
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: python-werkzeug-0.15.2-1.mga7.src.rpm CVE:
Status comment:

Description David Walser 2019-11-26 22:48:30 CET 
openSUSE has issued an advisory on September 17:
https://lists.opensuse.org/opensuse-updates/2019-09/msg00101.html

The issue is fixed upstream in 0.15.3.
David Walser 2019-11-26 22:48:41 CET

CC: (none) => geiger.david68210, jani.valimaa

Comment 1 David GEIGER 2019-11-27 06:50:44 CET 
Done!
Comment 2 Lewis Smith 2019-11-27 09:59:06 CET 
Assigning to neoclust as registered maintainer.

Assignee: bugsquad => mageia

Comment 3 David Walser 2019-11-27 18:18:53 CET 
Advisory:
========================

Updated python-werkzeug packages fix security vulnerability:

Pallets Werkzeug before 0.15.3, when used with Docker, has insufficient
debugger PIN randomness because Docker containers share the same machine id
(CVE-2019-14806).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14806
https://lists.opensuse.org/opensuse-updates/2019-09/msg00101.html
========================

Updated packages in core/updates_testing:
========================
python2-werkzeug-0.15.3-1.mga7
python3-werkzeug-0.15.3-1.mga7

from python-werkzeug-0.15.3-1.mga7.src.rpm

Assignee: mageia => qa-bugs
CC: (none) => mageia

Comment 4 Herman Viaene 2019-12-04 17:40:25 CET 
MGA7-64 Plasma on Lenovo B50
No installation issues.
As in bug 22105 Comment 3 urpmq did not show something easy to test;
Continued along Dave in Comment, installed  openerd-server, but this one comes with its own problems as trying to start , fails on 
/etc/openerp/start.d not found.
Otherwise the installation does ot seem to harm something else.

CC: (none) => herman.viaene

Comment 5 Thomas Andrews 2020-01-03 21:32:04 CET 
giving this an OK based on Herman's clean install. Validating. Advisory in Comment 3.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Thomas Backlund 2020-01-05 12:37:35 CET

Keywords: (none) => advisory
CC: (none) => tmb

Comment 6 Mageia Robot 2020-01-05 16:39:42 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0004.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED