Bug 31419

Summary: python-future new security issue CVE-2022-40899
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, davidwhodgins, sysadmin-bugs, yvesbrungard
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: python-future-0.18.2-3.mga9.src.rpm CVE:
Status comment:

Description David Walser 2023-01-17 22:50:12 CET 
openSUSE has issued an advisory on January 12:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IGHX26DHDGC7IY7BPCKVDKZVN6LM7RCQ/

Mageia 8 is also affected.
David Walser 2023-01-17 22:50:35 CET

Status comment: (none) => Patch available from openSUSE
Whiteboard: (none) => MGA8TOO

Comment 1 David Walser 2023-02-01 17:05:43 CET 
Ubuntu has issued an advisory for this on January 31:
https://ubuntu.com/security/notices/USN-5833-1

The issue is fixed upstream in 0.18.3.

Status comment: Patch available from openSUSE => Fixed upstream in 0.18.3
Severity: normal => major

Comment 2 papoteur 2023-02-02 10:20:13 CET 
Cauldron updated with 0.18.3
Mageia 8 updated in testing  with the same.
python3-future-0.18.3-1.mga8

Source:
python-future-0.18.3-1.mga8

Whiteboard: MGA8TOO => (none)
Status comment: Fixed upstream in 0.18.3 => (none)
CC: (none) => yves.brungard_mageia
Version: Cauldron => 8

David Walser 2023-02-02 15:35:50 CET

Assignee: python => qa-bugs

Comment 3 Thomas Andrews 2023-02-05 00:08:31 CET 
Tested in VirtualBox. No installation issues.

No previous updates, so I sought information on the Web, where I came across https://python-future.org/ where on the home page I saw this:

"python-future is the missing compatibility layer between Python 2 and Python 3. It allows you to use a single, clean Python 3.x-compatible codebase to support both Python 2 and Python 3 with minimal overhead."

Sure sounds like developer territory to me. Scrolling down the documentation's table of contents, it looks like enough there for a good semester college course. All very much beyond the scope of QA.

Calling this OK based on a clean install over the existing version, and it doesn't seem to have made my Vbox guest explode. Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update

Dave Hodgins 2023-02-06 21:15:37 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 4 Mageia Robot 2023-02-07 01:08:34 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0030.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED