Bug 27056

Summary: python-ipaddress new security issue CVE-2020-14422
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, geiger.david68210, herman.viaene, sysadmin-bugs
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: python-ipaddress-1.0.22-1.mga7.src.rpm CVE:
Status comment:

Description David Walser 2020-08-07 03:20:23 CEST 
openSUSE has issued an advisory on July 19:
https://lists.opensuse.org/opensuse-security-announce/2020-07/msg00041.html
Comment 1 Lewis Smith 2020-08-08 20:45:38 CEST 
This SRPM has no evident maintainer, so having to assign this bug globally.

Assignee: bugsquad => pkg-bugs

Comment 2 David GEIGER 2020-08-10 09:11:17 CEST 
Done for mga7!

CC: (none) => geiger.david68210

Comment 3 David Walser 2020-08-10 15:13:11 CEST 
Advisory:
========================

Updated python-ipaddress package fixes security vulnerability:

Hash collisions in IPv4Interface and IPv6Interface could lead to DOS
(CVE-2020-14422).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14422
https://lists.opensuse.org/opensuse-security-announce/2020-07/msg00041.html
========================

Updated packages in core/updates_testing:
========================
python2-ipaddress-1.0.22-1.1.mga7

from python-ipaddress-1.0.22-1.1.mga7.src.rpm

Assignee: pkg-bugs => qa-bugs

Comment 4 Herman Viaene 2020-08-24 12:06:52 CEST 
MGA7-64 Plasma on Lenovo B50
No installation issues.
No wiki, no previous updates, so trying my own hand.
# urpmq --whatrequires python2-ipaddress
deluge
docker-compose
python-uritools
python2-backports-ssl_match_hostname
python2-ipaddress
python2-xmpp-backends

Deluge sounded somewhat familiar, so installed that one and run it with strace.
Added a torrent from http://ftp.tku.edu.tw/Linux/Mageia/iso/7.1/torrents/, and deleted it after successful download.
Checked trace and found refs to python-ipaddress , so good to go for me.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK

Comment 5 Thomas Andrews 2020-08-25 02:25:22 CEST 
Validating. Advisory in Comment 3.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Aurelien Oudelet 2020-08-25 08:17:24 CEST

Keywords: (none) => advisory

Comment 6 Mageia Robot 2020-08-25 10:14:42 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0343.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED