Bug 29897

Summary:	python-celery new security issue CVE-2021-23727
Product:	Mageia	Reporter:	David Walser <luigiwalser>
Component:	Security	Assignee:	QA Team <qa-bugs>
Status:	RESOLVED FIXED	QA Contact:	Sec team <security>
Severity:	major
Priority:	Normal	CC:	andrewsfarm, davidwhodgins, herman.viaene, mageia, sysadmin-bugs
Version:	8	Keywords:	advisory, validated_update
Target Milestone:	---
Hardware:	All
OS:	Linux
Whiteboard:	MGA8-64-OK
Source RPM:	python-celery-5.1.2-1.mga9.src.rpm	CVE:
Status comment:

Description David Walser 2022-01-16 17:11:43 CET

Fedora has issued an advisory today (January 16):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/SYXRGHWHD2WWMHBWCVD5ULVINPKNY3P5/

The issue is fixed upstream in 5.2.2 (Fedora updated to 5.2.3):
https://github.com/celery/celery/blob/master/Changelog.rst#523

There is a corresponding update to python-kombu:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2P3MQZA5LYEILPH4PPNYOY5ADMSVDZ2H/
https://github.com/celery/kombu/blob/master/Changelog.rst#523

There is a PoC available:
https://security.snyk.io/vuln/SNYK-PYTHON-CELERY-2314953

Mageia 8 is also affected.

David Walser 2022-01-16 17:11:59 CET

Status comment: (none) => Fixed upstream in 5.2.2
Whiteboard: (none) => MGA8TOO

Nicolas Lécureuil 2022-01-16 20:44:29 CET

Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
CC: (none) => mageia

Comment 1 David Walser 2022-01-16 22:02:07 CET

python-celery-5.2.3-1.mga9 uploaded for Cauldron.  python-kombu should be updated too.

Comment 2 Nicolas Lécureuil 2022-01-16 23:41:37 CET

Fixed in mga8:
src:
    - python-celery-5.0.5-1.1.mga8

Status comment: Fixed upstream in 5.2.2 => (none)
Assignee: python => qa-bugs

Comment 3 David Walser 2022-01-16 23:44:09 CET

RPM:
python3-celery-5.0.5-1.1.mga8

Comment 4 Herman Viaene 2022-01-18 14:47:40 CET

Sorry, the following package cannot be selected:

- python3-celery-5.0.5-1.1.mga8.noarch (because of unfulfilled python3.8dist(billiard)[>= 3.6.3])

CC: (none) => herman.viaene

Comment 5 David Walser 2022-01-18 23:09:43 CET

Doesn't look like the patch did that; must have already been broken.  Strange.

Assignee: qa-bugs => python

Comment 6 Nicolas Lécureuil 2022-01-20 12:49:39 CET

just pushed a new python-billiard

src:
    - python-billiard-3.6.4.0-1.mga8

Assignee: python => qa-bugs

Comment 7 David Walser 2022-01-20 17:21:30 CET

RPM:
python3-billiard-3.6.4.0-1.mga8

Comment 8 Herman Viaene 2022-01-24 16:09:17 CET

MGA8-64 Plasma on Lenovo B50 IN Dutch
Installed both python3-billiard and python3-celery
Reading "An open source asynchronous task queue/job queue based on distributed message passing. It is focused on real-time operation, but supports scheduling as well.
The execution units, called tasks, are executed concurrently on one or more worker nodes using multiprocessing, Eventlet or gevent. Tasks can execute asynchronously (in the background) or synchronously (wait until ready)."
So this is developers stuff, OK on clean iinstall.

Whiteboard: (none) => MGA8-64-OK

Comment 9 Thomas Andrews 2022-01-24 21:00:30 CET

Validating. Please make sure both python-celery and python-billiard are pushed.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 10 Dave Hodgins 2022-01-24 22:52:55 CET

What about python-kombu mentioned in comment 1?

Keywords: (none) => feedback
CC: (none) => davidwhodgins

Comment 11 David Walser 2022-01-25 00:38:46 CET

Kombu only needed a corresponding update in Cauldron and Nicolas updated it.

Keywords: feedback => (none)

Dave Hodgins 2022-01-25 03:48:15 CET

Keywords: (none) => advisory

Comment 12 Mageia Robot 2022-01-25 13:14:19 CET

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0029.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED