Bug 29989

Summary: python-nbxmpp new security issue CVE-2021-41055
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, davidwhodgins, herman.viaene, mageia, sysadmin-bugs, yvesbrungard
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: python-nbxmpp-1.0.2-1.mga8.src.rpm CVE:
Status comment:

Description David Walser 2022-02-02 23:45:33 CET 
Debian has issued an advisory on January 29:
https://www.debian.org/security/2022/dsa-5064

The issue is fixed upstream in 2.0.4.
David Walser 2022-02-02 23:45:53 CET

Status comment: (none) => Fixed upstream in 2.0.4

Comment 1 Lewis Smith 2022-02-04 09:25:13 CET 
Assigning to Python maintainers; CC'ing Sander who has had most to do with 'python-nbxmpp'.

Assignee: bugsquad => python
CC: (none) => mageia

Comment 2 David Walser 2022-05-11 20:27:11 CEST 
Updated package uploaded by papoteur for Mageia 8.

RPM:
python3-nbxmpp-2.0.4-1.mga8

SRPM:
python-nbxmpp-2.0.4-1.mga8.src.rpm

Status comment: Fixed upstream in 2.0.4 => (none)
Assignee: python => qa-bugs
CC: (none) => yves.brungard_mageia

Comment 3 Herman Viaene 2022-05-12 15:08:38 CEST 
MGA8-64 Plasma on Lenovo B50 in Dutch
No installation issues
Developer's library, OK on clean install.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK

Comment 4 papoteur 2022-05-12 15:31:15 CEST 
Hello,
This lib is used by gajim for XMPP protocol exchanges.
Comment 5 Thomas Andrews 2022-05-13 14:34:03 CEST 
Gajim is an instant messaging app, so it seems we need someone to test with that.

Removing the OK, for now.

I haven't used instant messaging other than on Facebook for years, so I'm out. Any takers?

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: MGA8-64-OK => (none)

Thomas Andrews 2022-05-13 19:48:39 CEST

Keywords: validated_update => (none)

Comment 6 Herman Viaene 2022-05-14 11:58:42 CEST 
Created a jabber account, installed gajim and connected with that account.
strace shows refs to python3-nbxmpp. So OK for me.

Whiteboard: (none) => MGA8-64-OK

Comment 7 Thomas Andrews 2022-05-14 15:42:53 CEST 
Thank you, Herman. Validating.

Keywords: (none) => validated_update

Comment 8 Dave Hodgins 2022-05-15 00:09:01 CEST 
Advisory committed to svn as ...
type: security
subject: Updated python-nbxmpp packages fix security vulnerability
CVE:
 - CVE-2021-41055
src:
  8:
   core:
     - python-nbxmpp-2.0.4-1.mga8
description: |
  Missing input sanitising in python-nbxmpp, a Jabber/XMPP Python library,
  could result in denial of service in clients based on it (such as Gajim).
references:
 - https://bugs.mageia.org/show_bug.cgi?id=29989
 - https://www.debian.org/security/2022/dsa-5064

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 9 Mageia Robot 2022-05-15 12:07:52 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0179.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED