Bug 29052

Summary: python-django-registration new security issue CVE-2021-21416
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, davidwhodgins, herman.viaene, mageia, sysadmin-bugs, tarazed25, yvesbrungard
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: python-django-registration-3.0.1-3.mga8.src.rpm CVE:
Status comment:

Description David Walser 2021-05-30 23:31:58 CEST 
openSUSE has issued an advisory on April 19:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/2F72NF6ZBHDNQRLYZZFU7B52UQ4CZZRE/

The issue is fixed upstream in 3.1.2.

Mageia 7 and Mageia 8 are also affected.
David Walser 2021-05-30 23:32:10 CEST

Status comment: (none) => Fixed upstream in 3.1.2
Whiteboard: (none) => MGA8TOO, MGA7TOO

Comment 1 Lewis Smith 2021-06-02 21:37:15 CEST 
neoclust has already done the update, so assigning this to you.

Assignee: bugsquad => mageia

Comment 2 David Walser 2021-07-01 18:56:43 CEST 
Removing Mageia 7 from whiteboard due to EOL:
https://blog.mageia.org/en/2021/06/08/mageia-7-will-reach-end-of-support-on-30th-of-june-the-king-is-dead-long-live-the-king/

Whiteboard: MGA8TOO, MGA7TOO => MGA8TOO

Comment 3 Nicolas Lécureuil 2021-07-24 13:29:04 CEST 
cauldron is with version 3.2

Version: Cauldron => 8

Comment 4 Nicolas Lécureuil 2021-12-07 00:04:14 CET 
version 3.2 pushed in mga8:


src:
    - python-django-registration-3.2-1.mga8

Status comment: Fixed upstream in 3.1.2 => (none)
Assignee: mageia => qa-bugs

Nicolas Lécureuil 2021-12-07 00:04:27 CET

CC: (none) => mageia
Whiteboard: MGA8TOO => (none)

Comment 5 David Walser 2021-12-07 00:14:20 CET 
RPM is:
python3-django-registration-3.2-1.mga8
Comment 6 Herman Viaene 2021-12-08 15:00:50 CET 
Sorry, the following pakage cannot be selected:

- python3-django-registration-3.2-1.mga8.noarch (beause of  unfulfilled python3.8dist(django)[< 3])

CC: (none) => herman.viaene

Comment 7 Len Lawrence 2021-12-12 10:18:46 CET 
Confirmed that here.  Adding feedback marker.

CC: (none) => tarazed25
Keywords: (none) => feedback

papoteur 2022-05-12 18:08:09 CEST

CC: (none) => yves.brungard_mageia
Assignee: qa-bugs => python

Comment 8 papoteur 2022-05-12 19:13:16 CEST 
Hello,
It seems that rpmbuild has difficulty to manage versionning requires from python:
urpmq --requires --media Testing python3-django-registration
python(abi)[== 3.8]
python3.8dist(confusable-homoglyphs)[>= 3]
python3.8dist(django)[< 3]
python3.8dist(django)[> 3.1]
python3dist(django)

where in Python setup.py says:
 install_requires=["Django>=2.2,!=3.0.*", "confusable_homoglyphs~=3.0"],

Actually, django is in 3.2
Thus, I suggest to patch the setup.py in this way:
 install_requires=["Django>=3.1.*", "confusable_homoglyphs~=3.0"],
Comment 9 David Walser 2022-05-12 22:04:16 CEST 
Yes, rpmbuild doesn't parse those things correctly.  We have patches for that in a lot of packages.
Comment 10 papoteur 2022-05-13 14:28:51 CEST 
A new build:
python3-django-registration-3.2-2.mga8.noarch.rpm
papoteur 2022-05-13 14:29:06 CEST

Assignee: python => qa-bugs

Comment 11 David Walser 2022-05-13 15:24:50 CEST 
SRPM:
python-django-registration-3.2-2.mga8.src.rpm

Keywords: feedback => (none)

Comment 12 Herman Viaene 2022-05-14 11:10:07 CEST 
MGA8-64 Plasma on Lenovo B50 in Dutch
No installation issues.
No previous updates and both
# urpmq --whatrequires python3-django-registration
python3-django-registration
# urpmq --whatrequires-recursive python3-django-registration
python3-django-registration
return nothing, so OK on clean install as with other developer's stuff.

Whiteboard: (none) => MGA8-64-OK

Comment 13 Thomas Andrews 2022-05-15 03:47:31 CEST 
Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-05-15 04:25:03 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 14 Mageia Robot 2022-05-15 12:07:47 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0178.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED