Bug 30663

Summary:	python-ujson new security issues CVE-2022-31116 and CVE-2022-31117
Product:	Mageia	Reporter:	David Walser <luigiwalser>
Component:	Security	Assignee:	QA Team <qa-bugs>
Status:	RESOLVED FIXED	QA Contact:	Sec team <security>
Severity:	major
Priority:	Normal	CC:	andrewsfarm, davidwhodgins, herman.viaene, sysadmin-bugs, yvesbrungard
Version:	8	Keywords:	advisory, validated_update
Target Milestone:	---
Hardware:	All
OS:	Linux
Whiteboard:	MGA8-64-OK
Source RPM:	python-ujson-5.3.0-1.mga8.src.rpm	CVE:
Status comment:

Description David Walser 2022-07-23 17:32:22 CEST

Fedora has issued an advisory today (July 23):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OPPU5FZP3LCTXYORFH7NHUMYA5X66IA7/

The issues are fixed upstream in 5.4.0:
https://github.com/ultrajson/ultrajson/security/advisories/GHSA-wpqr-jcpx-745r
https://github.com/ultrajson/ultrajson/security/advisories/GHSA-fm67-cv37-96ff

Mageia 8 is also affected.

David Walser 2022-07-23 17:32:39 CEST

Status comment: (none) => Fixed upstream in 5.4.0
Whiteboard: (none) => MGA8TOO
CC: (none) => yves.brungard_mageia

Comment 1 David Walser 2022-07-24 04:59:48 CEST

python-ujson-5.4.0-1.mga9 uploaded for Cauldron by papoteur.

Source RPM: python-ujson-5.3.0-1.mga9.src.rpm => python-ujson-5.3.0-1.mga8.src.rpm
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8

Comment 2 papoteur 2022-07-24 10:30:14 CEST

Update is ready in testing:
python3-ujson-5.4.0-1.mga8

Source:
python-ujson-5.4.0-1.mga8.src.rpm

Status comment: Fixed upstream in 5.4.0 => (none)
Assignee: python => qa-bugs

Comment 3 Herman Viaene 2022-07-26 10:56:24 CEST

MGA8-64 Plasma on Acer Aspire 5253
No installation issues.
Ref bug 30502 for test
$ python3 testujson.py 
a type: <class 'dict'>
b variable: <class 'str'>
{"name":"Horseman","age":"21","city":"Mumbai"}
{
    "name": "Horseman",
    "age": "21",
    "city": "Mumbai"
}
c variable: <class 'dict'>
{'name': 'Horseman', 'age': '21', 'city': 'Mumbai'}
Looks OK.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK

Comment 4 Thomas Andrews 2022-07-29 03:43:25 CEST

Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-07-29 20:31:53 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 5 Mageia Robot 2022-07-29 22:54:50 CEST

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0270.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED