| Summary: | python, python3 new security issues CVE-2022-45061, CVE-2022-48565, CVE-2022-48566, CVE-2023-24329 and CVE-2023-40217 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | andrewsfarm, jani.valimaa, nicolas.salguero, sysadmin-bugs, tarazed25 |
| Version: | 9 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA9-64-OK | ||
| Source RPM: | python-2.7.18-15.mga9.src.rpm, python3-3.10.11-1.mga9.src.rpm | CVE: | CVE-2022-45061, CVE-2022-48565, CVE-2022-48566, CVE-2023-24329 and CVE-2023-40217 |
| Status comment: | |||
| Bug Depends on: | |||
| Bug Blocks: | 30043 | ||
Description
David Walser
2022-10-21 20:04:07 CEST
David Walser
2022-10-21 20:04:24 CEST
Status comment:
(none) =>
Fixed upstream in 3.8.15 and 3.10.8

Updated packages uploaded for Mageia 8 and Cauldron by Jani.

SRPMS:
python3-3.8.15-1.mga8

RPMS:
python3-3.8.15-1.mga8
lib(64)python3.8-3.8.15-1.mga8
lib(64)python3.8-stdlib-3.8.15-1.mga8
lib(64)python3.8-testsuite-3.8.15-1.mga8
lib(64)python3-devel-3.8.15-1.mga8
python3-docs-3.8.15-1.mga8
tkinter3-3.8.15-1.mga8
tkinter3-apps-3.8.15-1.mga8

Assignee:
python =>
qa-bugs

Debian-LTS has issued an advisory on November 1:
https://www.debian.org/lts/security/2022/dla-3175

This issue was just patched upstream for 3.8.x and 3.10.x here:
https://github.com/python/cpython/commit/948c6794711458fd148a3fa62296cadeeb2ed631
https://github.com/python/cpython/commit/0e4e058602d93b88256ff90bbef501ba20be9dd3

Assignee:
qa-bugs =>
python

Fedora has issued an advisory today (November 2):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/DIREH3ZBHSDX4KIUHBDEIDZDL2DD2YJ7/

This was also just patched upstream in 3.10.x here:
https://github.com/python/cpython/commit/eae692eed18892309bcc25a2c0f8980038305ea2

3.8.x is not affected.

Severity:
normal =>
critical

(In reply to David Walser from comment #4)
> Fedora has issued an advisory today (November 2):
> https://lists.fedoraproject.org/archives/list/package-announce@lists.
> fedoraproject.org/thread/DIREH3ZBHSDX4KIUHBDEIDZDL2DD2YJ7/
>
> This was also just patched upstream in 3.10.x here:
> https://github.com/python/cpython/commit/
> eae692eed18892309bcc25a2c0f8980038305ea2
>
> 3.8.x is not affected.

Ubuntu has issued an advisory for this on November 3:
https://ubuntu.com/security/notices/USN-5713-1

SUSE has issued an advisory on November 15:
https://lists.suse.com/pipermail/sle-security-updates/2022-November/012937.html

The issue will be fixed upstream in 3.8.16 and 3.10.9.

python (2.7) is also affected by this issue.

Summary:
python3 new security issues pythongh-97612, pythongh-97612, CVE-2022-37454, and CVE-2022-42919 =>
python3 new security issues pythongh-97612, pythongh-97612, CVE-2022-37454, CVE-2022-42919, CVE-2022-45061

(In reply to David Walser from comment #6)
> SUSE has issued an advisory on November 15:
> https://lists.suse.com/pipermail/sle-security-updates/2022-November/012937.
> html
>
> The issue will be fixed upstream in 3.8.16 and 3.10.9.
>
> python (2.7) is also affected by this issue.

Equivalent openSUSE advisory:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/FC7VVR3A5T3JHINGEUF7BTIKKBAVZ3HU/

(In reply to David Walser from comment #3)
> Debian-LTS has issued an advisory on November 1:
> https://www.debian.org/lts/security/2022/dla-3175
>
> This issue was just patched upstream for 3.8.x and 3.10.x here:
> https://github.com/python/cpython/commit/
> 948c6794711458fd148a3fa62296cadeeb2ed631
> https://github.com/python/cpython/commit/
> 0e4e058602d93b88256ff90bbef501ba20be9dd3

Fedora has issued an advisory for this issue on November 20:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OP4YR722EEPYGRLLN4PAOL2VW3XB4BGP/

(In reply to David Walser from comment #8)
> (In reply to David Walser from comment #3)
> > Debian-LTS has issued an advisory on November 1:
> > https://www.debian.org/lts/security/2022/dla-3175
> >
> > This issue was just patched upstream for 3.8.x and 3.10.x here:
> > https://github.com/python/cpython/commit/
> > 948c6794711458fd148a3fa62296cadeeb2ed631
> > https://github.com/python/cpython/commit/
> > 0e4e058602d93b88256ff90bbef501ba20be9dd3
>
> Fedora has issued an advisory for this issue on November 20:
> https://lists.fedoraproject.org/archives/list/package-announce@lists.
> fedoraproject.org/thread/OP4YR722EEPYGRLLN4PAOL2VW3XB4BGP/

python3.8 reference for this:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/LT3SVWZEUVDGEVP75UGJGE4Q34DY66MM/

(In reply to David Walser from comment #6)
> SUSE has issued an advisory on November 15:
> https://lists.suse.com/pipermail/sle-security-updates/2022-November/012937.
> html
>
> The issue will be fixed upstream in 3.8.16 and 3.10.9.
>
> python (2.7) is also affected by this issue.

SUSE advisory for CVE-2022-45061 for python (2.7) from November 29:
https://lists.suse.com/pipermail/sle-security-updates/2022-November/013144.html

(In reply to David Walser from comment #6)
> SUSE has issued an advisory on November 15:
> https://lists.suse.com/pipermail/sle-security-updates/2022-November/012937.
> html
>
> The issue will be fixed upstream in 3.8.16 and 3.10.9.
>
> python (2.7) is also affected by this issue.

Fedora advisory for this issue for python3:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4WBZJNSALFGMPYTINIF57HAAK46U72WQ/

Ubuntu has issued an advisory for two of these issues on December 8:
https://ubuntu.com/security/notices/USN-5767-1

(In reply to David Walser from comment #11)
> (In reply to David Walser from comment #6)
> > SUSE has issued an advisory on November 15:
> > https://lists.suse.com/pipermail/sle-security-updates/2022-November/012937.
> > html
> >
> > The issue will be fixed upstream in 3.8.16 and 3.10.9.
> >
> > python (2.7) is also affected by this issue.
>
> Fedora advisory for this issue for python3:
> https://lists.fedoraproject.org/archives/list/package-announce@lists.
> fedoraproject.org/thread/4WBZJNSALFGMPYTINIF57HAAK46U72WQ/

python3.8 reference for this:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/GTPVDZDATRQFE6KAT6B4BQIQ4GRHIIIJ/

(In reply to David Walser from comment #11)
> (In reply to David Walser from comment #6)
> > SUSE has issued an advisory on November 15:
> > https://lists.suse.com/pipermail/sle-security-updates/2022-November/012937.
> > html
> >
> > The issue will be fixed upstream in 3.8.16 and 3.10.9.
> >
> > python (2.7) is also affected by this issue.
>
> Fedora advisory for this issue for python3:
> https://lists.fedoraproject.org/archives/list/package-announce@lists.
> fedoraproject.org/thread/4WBZJNSALFGMPYTINIF57HAAK46U72WQ/

Fedora advisory for python2.7:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/X3EJ6J7PXVQOULBQZQGBXCXY6LFF6LZD/

Ubuntu has issued an advisory for some of these issues and a new one on February 27:
https://ubuntu.com/security/notices/USN-5888-1

The new issue is fixed upstream in 3.11.

Summary:
python3 new security issues pythongh-97612, pythongh-97612, CVE-2022-37454, CVE-2022-42919, CVE-2022-45061 =>
python3 new security issues pythongh-97612, pythongh-97612, CVE-2022-37454, CVE-2022-42919, CVE-2022-45061, CVE-2023-24329

(In reply to David Walser from comment #3)
> Debian-LTS has issued an advisory on November 1:
> https://www.debian.org/lts/security/2022/dla-3175
>
> This issue was just patched upstream for 3.8.x and 3.10.x here:
> https://github.com/python/cpython/commit/
> 948c6794711458fd148a3fa62296cadeeb2ed631
> https://github.com/python/cpython/commit/
> 0e4e058602d93b88256ff90bbef501ba20be9dd3

Ubuntu has issued advisories for this on March 6 and 7:
https://ubuntu.com/security/notices/USN-5767-3
https://ubuntu.com/security/notices/USN-5930-1
https://ubuntu.com/security/notices/USN-5931-1

(In reply to David Walser from comment #15)
> Ubuntu has issued an advisory for some of these issues and a new one on
> February 27:
> https://ubuntu.com/security/notices/USN-5888-1
>
> The new issue is fixed upstream in 3.11.

SUSE advisory for CVE-2023-24329 for python (2.7) from March 14:
https://lists.suse.com/pipermail/sle-security-updates/2023-March/014033.html

Source RPM:
python3-3.10.7-4.mga9.src.rpm =>
python-2.7.18-15.mga9.src.rpm, python3-3.10.7-4.mga9.src.rpm

(In reply to David Walser from comment #15)
> Ubuntu has issued an advisory for some of these issues and a new one on
> February 27:
> https://ubuntu.com/security/notices/USN-5888-1
>
> The new issue is fixed upstream in 3.11.

Fedora has issued an advisory for this today (March 30):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TZH26JGNZ5XYPZ5SAU3NKSBSPRE5OHTG/
David Walser
2023-05-18 17:58:16 CEST
Blocks:
(none) =>
30043

(In reply to David Walser from comment #14)
> (In reply to David Walser from comment #11)
> > (In reply to David Walser from comment #6)
> > > SUSE has issued an advisory on November 15:
> > > https://lists.suse.com/pipermail/sle-security-updates/2022-November/012937.
> > > html
> > >
> > > The issue will be fixed upstream in 3.8.16 and 3.10.9.
> > >
> > > python (2.7) is also affected by this issue.
> >
> > Fedora advisory for this issue for python3:
> > https://lists.fedoraproject.org/archives/list/package-announce@lists.
> > fedoraproject.org/thread/4WBZJNSALFGMPYTINIF57HAAK46U72WQ/
>
> Fedora advisory for python2.7:
> https://lists.fedoraproject.org/archives/list/package-announce@lists.
> fedoraproject.org/thread/X3EJ6J7PXVQOULBQZQGBXCXY6LFF6LZD/

RedHat advisories for CVE-2022-45061 for python3 and python2.7 from May 16:
https://access.redhat.com/errata/RHSA-2023:2763
https://access.redhat.com/errata/RHSA-2023:2860

(In reply to David Walser from comment #18)
> (In reply to David Walser from comment #15)
> > Ubuntu has issued an advisory for some of these issues and a new one on
> > February 27:
> > https://ubuntu.com/security/notices/USN-5888-1
> >
> > The new issue is fixed upstream in 3.11.
>
> Fedora has issued an advisory for this today (March 30):
> https://lists.fedoraproject.org/archives/list/package-announce@lists.
> fedoraproject.org/thread/TZH26JGNZ5XYPZ5SAU3NKSBSPRE5OHTG/

RedHat advisory for this for python (2.7) from June 9:
https://access.redhat.com/errata/RHSA-2023:3556

(In reply to David Walser from comment #20)
> (In reply to David Walser from comment #18)
> > (In reply to David Walser from comment #15)
> > > Ubuntu has issued an advisory for some of these issues and a new one on
> > > February 27:
> > > https://ubuntu.com/security/notices/USN-5888-1
> > >
> > > The new issue is fixed upstream in 3.11.
> >
> > Fedora has issued an advisory for this today (March 30):
> > https://lists.fedoraproject.org/archives/list/package-announce@lists.
> > fedoraproject.org/thread/TZH26JGNZ5XYPZ5SAU3NKSBSPRE5OHTG/
>
> RedHat advisory for this for python (2.7) from June 9:
> https://access.redhat.com/errata/RHSA-2023:3556

RedHat has issued an advisory for python3 for this today (June 14):
https://access.redhat.com/errata/RHSA-2023:3591

(In reply to David Walser from comment #21)
> (In reply to David Walser from comment #20)
> > (In reply to David Walser from comment #18)
> > > (In reply to David Walser from comment #15)
> > > > Ubuntu has issued an advisory for some of these issues and a new one on
> > > > February 27:
> > > > https://ubuntu.com/security/notices/USN-5888-1
> > > >
> > > > The new issue is fixed upstream in 3.11.
> > >
> > > Fedora has issued an advisory for this today (March 30):
> > > https://lists.fedoraproject.org/archives/list/package-announce@lists.
> > > fedoraproject.org/thread/TZH26JGNZ5XYPZ5SAU3NKSBSPRE5OHTG/
> >
> > RedHat advisory for this for python (2.7) from June 9:
> > https://access.redhat.com/errata/RHSA-2023:3556
>
> RedHat has issued an advisory for python3 for this today (June 14):
> https://access.redhat.com/errata/RHSA-2023:3591

Ubuntu has issued an advisory for this on June 5 (both python versions):
https://ubuntu.com/security/notices/USN-6139-1
Nicolas Salguero
2024-03-19 10:36:11 CET
CC:
(none) =>
nicolas.salguero

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a malicious actor; in such a scenario, they could trigger excessive CPU consumption on the client attempting to make use of an attacker-supplied supposed hostname. (CVE-2022-45061)

An XML External Entity (XXE) issue was discovered in Python through 3.9.1. The plistlib module no longer accepts entity declarations in XML plist files to avoid XML vulnerabilities. (CVE-2022-48565)

An issue was discovered in compare_digest in Lib/hmac.py in Python through 3.9.1. Constant-time-defeating optimisations were possible in the accumulator variable in hmac.compare_digest. (CVE-2022-48566)

An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters. (CVE-2023-24329)

An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as "not connected" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket). (CVE-2023-40217)

References:
https://ubuntu.com/security/notices/USN-5888-1
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TZH26JGNZ5XYPZ5SAU3NKSBSPRE5OHTG/
https://access.redhat.com/errata/RHSA-2023:2763
https://access.redhat.com/errata/RHSA-2023:2860
https://access.redhat.com/errata/RHSA-2023:3556
https://access.redhat.com/errata/RHSA-2023:3591
https://ubuntu.com/security/notices/USN-6139-1
========================

Updated packages in core/updates_testing:
========================
lib(64)python2.7-2.7.18-15.1.mga9
lib(64)python2.7-stdlib-2.7.18-15.1.mga9
lib(64)python2.7-testsuite-2.7.18-15.1.mga9
lib(64)python-devel-2.7.18-15.1.mga9
python-2.7.18-15.1.mga9
python-docs-2.7.18-15.1.mga9

lib(64)python3.10-3.10.11-1.1.mga9
lib(64)python3.10-stdlib-3.10.11-1.1.mga9
lib(64)python3.10-testsuite-3.10.11-1.1.mga9
lib(64)python3-devel-3.10.11-1.1.mga9
python3-3.10.11-1.1.mga9
python3-docs-3.10.11-1.1.mga9
tkinter3-3.10.11-1.1.mga9
tkinter3-apps-3.10.11-1.1.mga9

from SRPMS:
python-2.7.18-15.1.mga9.src.rpm
python3-3.10.11-1.1.mga9.src.rpm

Whiteboard:
MGA9TOO =>
(none)
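
An added example, not part of the bug report and not CPython's own code: a defence-in-depth check an application can apply to attacker-supplied URLs for two of the issues in the suggested advisory, stripping leading blank characters before the blocklist test (CVE-2023-24329) and bounding hostname and label length before the IDNA codec runs (CVE-2022-45061). The policy values and the names `RejectedURL`, `bounded_idna`, `check_url` and `is_allowed` are hypothetical.

```python
from urllib.parse import urlsplit

# DNS limits: 253 characters per name, 63 per label.
MAX_HOSTNAME = 253
MAX_LABEL = 63

# C0 control characters and space (U+0000..U+0020). CVE-2023-24329 concerns
# URLs that start with such blank characters.
LEADING_BLANKS = "".join(chr(c) for c in range(0x21))

# Constructed policy for this example (hypothetical values).
BLOCKED_SCHEMES = {"file"}
BLOCKED_HOSTS = {"blocked.example"}


class RejectedURL(ValueError):
    """Raised when a URL fails the policy or cannot be parsed safely."""


def bounded_idna(host):
    """Return the ASCII (IDNA) form of host, refusing oversized input first."""
    if not host or len(host) > MAX_HOSTNAME:
        raise RejectedURL("hostname empty or too long")
    # Drop one trailing root dot so "blocked.example." cannot dodge the list.
    name = host[:-1] if host.endswith(".") else host
    if any(not label or len(label) > MAX_LABEL for label in name.split(".")):
        raise RejectedURL("label empty or too long")
    # Only now hand the (bounded) name to the codec.
    try:
        return name.encode("idna").decode("ascii").lower()
    except UnicodeError as exc:
        raise RejectedURL("hostname is not valid IDNA") from exc


def check_url(url):
    """Return (scheme, ascii_host) for an acceptable URL, else raise RejectedURL."""
    # Normalise first, so the policy sees the same URL a lenient client would.
    cleaned = url.lstrip(LEADING_BLANKS)
    try:
        parts = urlsplit(cleaned)
        scheme, host = parts.scheme.lower(), parts.hostname
    except ValueError as exc:
        raise RejectedURL("unparsable URL") from exc
    # Fail closed: an empty scheme means the parser did not understand the URL.
    if not scheme or scheme in BLOCKED_SCHEMES:
        raise RejectedURL("scheme missing or blocked")
    ascii_host = bounded_idna(host)
    if ascii_host in BLOCKED_HOSTS:
        raise RejectedURL("host blocked")
    return scheme, ascii_host


def is_allowed(url):
    """Boolean wrapper around check_url()."""
    try:
        check_url(url)
    except RejectedURL:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs.
    samples = [
        "https://ok.example/path",
        " https://blocked.example/admin",
        "https://" + "a" * 100000 + ".example/",
    ]
    for sample in samples:
        print(repr(sample[:40]), is_allowed(sample))
```
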
katnatek
2024-03-19 19:53:19 CET
Keywords:
(none) =>
advisory

RH mageia 9 x86_64
Just have python3 packages
installing lib64python3.10-3.10.11-1.1.mga9.x86_64.rpm python3-3.10.11-1.1.mga9.x86_64.rpm tkinter3-3.10.11-1.1.mga9.x86_64.rpm lib64python3.10-stdlib-3.10.11-1.1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing... ######################################################################################
1/4: python3 ######################################################################################
2/4: lib64python3.10-stdlib
######################################################################################
3/4: lib64python3.10 ######################################################################################
4/4: tkinter3 ######################################################################################
1/4: removing tkinter3-3.10.11-1.mga9.x86_64
######################################################################################
2/4: removing python3-3.10.11-1.mga9.x86_64
######################################################################################
3/4: removing lib64python3.10-3.10.11-1.mga9.x86_64
######################################################################################
4/4: removing lib64python3.10-stdlib-3.10.11-1.mga9.x86_64
######################################################################################
Test 2 python3 applications without issues
RH mageia 9 x86_64
install current python2 packages
LC_ALL=C urpmi python2 lib64python2.7-testsuite lib64python-devel
In order to satisfy the 'python-docs' dependency, one of the following packages is needed:
1- python3-docs-3.10.11-1.mga9.noarch: Documentation for the Python programming language (to install)
2- python-docs-2.7.18-15.mga9.noarch: Documentation for the Python programming language (to install)
What is your choice? (1-2) 2
To satisfy dependencies, the following packages are going to be installed:
Package Version Release Arch
(medium "Core Release (distrib1)")
lib64python-devel 2.7.18 15.mga9 x86_64
lib64python2.7 2.7.18 15.mga9 x86_64
lib64python2.7-stdlib 2.7.18 15.mga9 x86_64
lib64python2.7-testsuite 2.7.18 15.mga9 x86_64
python 2.7.18 15.mga9 x86_64
python-docs 2.7.18 15.mga9 noarch (recommended)
python2-rpm-macros 3.10 6.mga9 noarch
93MB of additional disk space will be used.
17MB of packages will be retrieved.
Proceed with the installation of the 7 packages? (Y/n) y
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/lib64python2.7-stdlib-2.7.18-15.mga9.x86_64.rpm
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/python-docs-2.7.18-15.mga9.noarch.rpm
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/lib64python2.7-2.7.18-15.mga9.x86_64.rpm
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/python-2.7.18-15.mga9.x86_64.rpm
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/lib64python2.7-testsuite-2.7.18-15.mga9.x86_64.rpm
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/lib64python-devel-2.7.18-15.mga9.x86_64.rpm
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/python2-rpm-macros-3.10-6.mga9.noarch.rpm
installing lib64python2.7-stdlib-2.7.18-15.mga9.x86_64.rpm lib64python2.7-testsuite-2.7.18-15.mga9.x86_64.rpm lib64python-devel-2.7.18-15.mga9.x86_64.rpm python2-rpm-macros-3.10-6.mga9.noarch.rpm python-2.7.18-15.mga9.x86_64.rpm lib64python2.7-2.7.18-15.mga9.x86_64.rpm python-docs-2.7.18-15.mga9.noarch.rpm from /var/cache/urpmi/rpms
Preparing... ######################################################################################
1/7: python2-rpm-macros ######################################################################################
2/7: python ######################################################################################
3/7: lib64python2.7 ######################################################################################
4/7: lib64python2.7-stdlib ######################################################################################
5/7: lib64python2.7-testsuite
######################################################################################
6/7: python-docs ######################################################################################
7/7: lib64python-devel ######################################################################################
update to testing versions
LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (32-bit)" is up-to-date
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date
installing lib64python2.7-2.7.18-15.1.mga9.x86_64.rpm lib64python-devel-2.7.18-15.1.mga9.x86_64.rpm lib64python2.7-testsuite-2.7.18-15.1.mga9.x86_64.rpm python-docs-2.7.18-15.1.mga9.noarch.rpm python-2.7.18-15.1.mga9.x86_64.rpm lib64python2.7-stdlib-2.7.18-15.1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing... ######################################################################################
1/6: python ######################################################################################
2/6: lib64python2.7-stdlib ######################################################################################
3/6: lib64python2.7 ######################################################################################
4/6: lib64python2.7-testsuite
######################################################################################
5/6: python-docs ######################################################################################
6/6: lib64python-devel ######################################################################################
1/6: removing lib64python-devel-2.7.18-15.mga9.x86_64
######################################################################################
2/6: removing python-docs-2.7.18-15.mga9.noarch
######################################################################################
3/6: removing lib64python2.7-testsuite-2.7.18-15.mga9.x86_64
######################################################################################
4/6: removing python-2.7.18-15.mga9.x86_64
######################################################################################
5/6: removing lib64python2.7-stdlib-2.7.18-15.mga9.x86_64
######################################################################################
6/6: removing lib64python2.7-2.7.18-15.mga9.x86_64
######################################################################################
remove packages
LC_ALL=C urpme $(rpm -qa|grep 2.7.18-15)
removing lib64python-devel-2.7.18-15.1.mga9.x86_64 lib64python2.7-2.7.18-15.1.mga9.x86_64 lib64python2.7-stdlib-2.7.18-15.1.mga9.x86_64 lib64python2.7-testsuite-2.7.18-15.1.mga9.x86_64 python-2.7.18-15.1.mga9.x86_64 python-docs-2.7.18-15.1.mga9.noarch
removing package lib64python-devel-2.7.18-15.1.mga9.x86_64
1/6: removing lib64python-devel-2.7.18-15.1.mga9.x86_64
######################################################################################
removing package python-docs-2.7.18-15.1.mga9.noarch
2/6: removing python-docs-2.7.18-15.1.mga9.noarch
######################################################################################
removing package lib64python2.7-testsuite-2.7.18-15.1.mga9.x86_64
3/6: removing lib64python2.7-testsuite-2.7.18-15.1.mga9.x86_64
######################################################################################
removing package lib64python2.7-stdlib-2.7.18-15.1.mga9.x86_64
4/6: removing lib64python2.7-stdlib-2.7.18-15.1.mga9.x86_64
######################################################################################
removing package python-2.7.18-15.1.mga9.x86_64
5/6: removing python-2.7.18-15.1.mga9.x86_64
######################################################################################
removing package lib64python2.7-2.7.18-15.1.mga9.x86_64
6/6: removing lib64python2.7-2.7.18-15.1.mga9.x86_64
######################################################################################
writing /var/lib/rpm/installed-through-deps.list
The following package:
python2-rpm-macros-3.10-6.mga9.noarch
is now orphaned, if you wish to remove it, you can use "urpme --auto-orphans"
LC_ALL=C urpme python2-rpm-macros-3.10-6.mga9.noarch
removing python2-rpm-macros-3.10-6.mga9.noarch
removing package python2-rpm-macros-3.10-6.mga9.noarch
1/1: removing python2-rpm-macros-3.10-6.mga9.noarch
######################################################################################
No issues detected
Thanks katnatek. I have been working on this a while so shall add this report, also for python3.

mga9, x64

CVE-2022-45061
https://github.com/python/cpython/issues/98433
Not a python programmer but tried the code fragment from that page before and after the update. The output after the exception was raised looked identical so no specific conclusions can be drawn apart from the fact that the label size is restricted. We see this earlier in the report:
"Python's idna module enforces the restriction, but too late"
So, we cannot tell if the "too late" problem has been addressed. I do not really understand what it means.

Might follow up the other CVEs on another system later.

Ran a quick test of VirtualBox - OK.

Installed onboard and ran it from the commandline under strace. It presented an on-screen keyboard which transferred output to a nearby Mate terminal on clicking Return. It was possible to launch applications via the terminal also. The menu button worked, SWITCH CASE, switch numbers and symbol keys and quit.

Played with blender under strace. Saved an image of the cube with correct illumination.

The three trace files contained numerous references to /usr/lib64/python3.10.

Looks good. Might try python2 later.

CC:
(none) =>
tarazed25

The base python2 packages were already installed. Updated without issues.

Respecting comment 6, tried the async.py test as a PoC but it does not compile for python2.7.

It is a bit more of a problem to find packages which depend on python2.7 given that python3 is now the default.

$ urpmq --whatrequires-recursive python | uniq
lib64python-devel
lib64python2.7
lib64python2.7-stdlib
lib64python2.7-testsuite
lsb-lib64
lsb-noarch
lsb-test
python
python-docs

Installed lsb-test. At a guess lsb stands for Linux Standard Base. Most of the dependencies are concerned with locales. No man page. Found this:
https://wiki.yoctoproject.org/wiki/images/a/a2/LSB_Test.pdf
but it may not be the same thing. It involves a lot of work to set up. The LSB may refer to Least Significant Bit. Too much guesswork.

$ sudo updatedb
$ locate lsb-test
$

testsuite looks like a module or framework for tests in python code. There are examples on StackOverflow.
https://stackoverflow.com/questions/6993711/testsuite-with-testsuites-and-testcases?rq=3

So, nothing that I care to tackle so letting this go on the basis of a clean update.

Whiteboard:
(none) =>
MGA9-64-OK
katnatek
2024-03-22 19:43:16 CET
CC:
(none) =>
andrewsfarm

Some tests performed by Len & me, I hope it is enough. I don't know what else we might do.

Validating.

Keywords:
(none) =>
validated_update

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0084.html

Status:
ASSIGNED =>
RESOLVED