| Summary: | python-wheel new security issue CVE-2022-40898 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, geiger.david68210, sysadmin-bugs, tarazed25 |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA8-64-OK | | |
| Source RPM: | python-wheel-0.37.1-1.mga9.src.rpm | CVE: | |
| Status comment: | | | |
Description

David Walser
2023-01-17 22:56:55 CET

David Walser
2023-01-17 22:57:08 CET

Whiteboard: (none) => MGA8TOO

Ubuntu has issued an advisory for this on January 24:
https://ubuntu.com/security/notices/USN-5821-1

Severity: normal => major

(In reply to David Walser from comment #1)
> Ubuntu has issued an advisory for this on January 24:
> https://ubuntu.com/security/notices/USN-5821-1

Regression fix: https://ubuntu.com/security/notices/USN-5821-3

patch added for both mga8 and cauldron!

Packages in 9/Core/Updates_testing:
======================
python-wheel-wheel-0.37.1-2.mga9.noarch.rpm
python3-wheel-0.37.1-2.mga9.noarch.rpm

Packages in 8/Core/Updates_testing:
======================
python-wheel-wheel-0.35.1-2.1.mga8.noarch.rpm
python3-wheel-0.35.1-2.1.mga8.noarch.rpm

From SRPMS:
python-wheel-0.37.1-2.mga9.src.rpm
python-wheel-0.35.1-2.1.mga8.src.rpm

Assignee: python => qa-bugs

Mageia8, x86_64

Introduction at https://realpython.com/python-wheels/#what-is-a-python-wheel

Before updating:

```
lcl@canopus:python $ pushd "$(mktemp -d)"
/tmp/tmp.lHY6KSHdJF ~/qa/python
lcl@canopus:tmp.lHY6KSHdJF $ sudo urpmi python-pip
lcl@canopus:tmp.lHY6KSHdJF $ python -m pip download --only-binary :all: --dest . --no-cache six
Collecting six
  Downloading six-1.16.0-py2.py3-none-any.whl (11 kB)
Saved ./six-1.16.0-py2.py3-none-any.whl
Successfully downloaded six
lcl@canopus:tmp.lHY6KSHdJF $ ls
six-1.16.0-py2.py3-none-any.whl
```

So far so good. Updated the two packages.

```
lcl@canopus:tmp.lHY6KSHdJF $ unzip six-1.16.0-py2.py3-none-any.whl
Archive:  six-1.16.0-py2.py3-none-any.whl
  inflating: six.py
  inflating: six-1.16.0.dist-info/LICENSE
  inflating: six-1.16.0.dist-info/METADATA
  inflating: six-1.16.0.dist-info/WHEEL
  inflating: six-1.16.0.dist-info/top_level.txt
  inflating: six-1.16.0.dist-info/RECORD
```

Tried installing six:

```
$ python -m pip install --only-binary :all: --no-cache six
Defaulting to user installation because normal site-packages is not writeable
Requirement already satisfied: six in /usr/lib/python3.8/site-packages (1.15.0)
```

Installed yarl from scratch:

```
$ python -m pip install --only-binary :all: yarl
Defaulting to user installation because normal site-packages is not writeable
Collecting yarl
  Downloading yarl-1.9.2-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (266 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 266.9/266.9 KB 4.8 MB/s eta 0:00:00
Collecting multidict>=4.0
  Downloading multidict-6.0.4-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (121 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 121.3/121.3 KB 11.8 MB/s eta 0:00:00
Requirement already satisfied: idna>=2.0 in /usr/lib/python3.8/site-packages (from yarl) (2.10)
Installing collected packages: multidict, yarl
Successfully installed multidict-6.0.4 yarl-1.9.2
```

multidict dependency installed OK.

Since this is a user install the packages can be found in ~/.local/lib/python3.8/site-packages/

```
$ cd .local/lib/python3.8/site-packages/
lcl@canopus:site-packages $ ls
easygui/                   multidict/                  yarl/
easygui-0.98.2.dist-info/  multidict-6.0.4.dist-info/  yarl-1.9.2.dist-info/
```

Looks like this is working OK. Note that the specification includes support for different platforms and architectures and for various compilers where binaries need to be built. I did not follow that up, nor was I able to chase the regression related to python-pip (CVE-2022-40898). The CVE contains this notice: "the python-pip package bundles wheel binaries when built. After updating wheel, a no-change rebuild of python-pip is required."

CC: (none) => tarazed25

package moved to Core/Release for cauldron!

Whiteboard: MGA8TOO MGA8-64-OK => MGA8-64-OK

Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
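The QA comment above checks a downloaded wheel by hand: unzip it and look at the files and the dist-info/RECORD listing. The block below is an added example, not code from this bug report, from Mageia or from the wheel project, that does the same checks programmatically. It splits a PEP 427 wheel filename into its tags with plain string splitting (the issue tracked here concerns wheel's filename parsing, so no regular expression is used) and verifies every file in the archive against the sha256 digests and sizes in RECORD, the way an installer should before trusting a wheel. The wheel it inspects is constructed in memory with placeholder contents that mirror the six-1.16.0 layout from the log; the function names (parse_wheel_filename, verify_record, build_wheel, demo) and the sample data are assumptions of this example.

```python
"""Added example: parse wheel filename tags and verify dist-info/RECORD.
Not part of the Mageia bug or the wheel project; sample wheel is constructed."""
import base64
import csv
import hashlib
import io
import zipfile


def parse_wheel_filename(name):
    """Split {dist}-{version}(-{build})?-{python}-{abi}-{platform}.whl
    into its parts using str.split, so no backtracking regex is involved.
    Dashes cannot appear inside the dist or version fields of a wheel
    filename, which is what makes a plain split sufficient."""
    if not name.endswith(".whl"):
        raise ValueError("not a wheel filename: %r" % name)
    parts = name[:-4].split("-")
    if len(parts) == 5:
        dist, ver, py, abi, plat = parts
        build = None
    elif len(parts) == 6:
        dist, ver, build, py, abi, plat = parts
        if not build[:1].isdigit():
            raise ValueError("build tag must start with a digit: %r" % build)
    else:
        raise ValueError("expected 5 or 6 dash-separated fields: %r" % name)
    if not (dist and ver and py and abi and plat):
        raise ValueError("empty field in %r" % name)
    # Compressed tag sets such as py2.py3 are dot-separated.
    return {"distribution": dist, "version": ver, "build": build,
            "python": py.split("."), "abi": abi.split("."),
            "platform": plat.split(".")}


def _record_hash(data):
    """RECORD digest format: sha256=<urlsafe base64, padding stripped>."""
    digest = hashlib.sha256(data).digest()
    return "sha256=" + base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def verify_record(wheel_bytes):
    """Return (ok, problems). Every archived file must appear in RECORD with a
    matching digest and size; RECORD itself carries no hash. Files present in
    the archive but absent from RECORD are reported as well."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        names = set(zf.namelist())
        records = [n for n in names if n.endswith(".dist-info/RECORD")]
        if len(records) != 1:
            return False, ["expected exactly one RECORD, found %d" % len(records)]
        record_name = records[0]
        listed = set()
        for row in csv.reader(io.StringIO(zf.read(record_name).decode("utf-8"))):
            if not row:
                continue
            path, digest, size = row
            listed.add(path)
            if path == record_name:
                continue
            if path not in names:
                problems.append("listed but missing: " + path)
                continue
            data = zf.read(path)
            if digest != _record_hash(data):
                problems.append("hash mismatch: " + path)
            if size and int(size) != len(data):
                problems.append("size mismatch: " + path)
        for extra in sorted(names - listed):
            problems.append("in archive but not in RECORD: " + extra)
    return not problems, problems


def build_wheel(files, dist_info, tamper=None):
    """Construct a minimal wheel (zip) in memory from {path: bytes}. If tamper
    names a path, that file is altered after RECORD was computed, simulating
    a wheel whose contents no longer match its manifest."""
    record_name = dist_info + "/RECORD"
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for path, data in files.items():
        writer.writerow([path, _record_hash(data), len(data)])
    writer.writerow([record_name, "", ""])
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, data in files.items():
            zf.writestr(path, data + (b"\n# altered" if path == tamper else b""))
        zf.writestr(record_name, buf.getvalue())
    return out.getvalue()


# Constructed placeholder contents laid out like the six wheel in the QA log.
SAMPLE_FILES = {
    "six.py": b"# placeholder module body\n",
    "six-1.16.0.dist-info/METADATA": b"Metadata-Version: 2.1\nName: six\nVersion: 1.16.0\n",
    "six-1.16.0.dist-info/WHEEL": b"Wheel-Version: 1.0\nTag: py2-none-any\nTag: py3-none-any\n",
}


def demo():
    """Parse the filename from the log, then verify an intact and an altered wheel."""
    tags = parse_wheel_filename("six-1.16.0-py2.py3-none-any.whl")
    good = build_wheel(SAMPLE_FILES, "six-1.16.0.dist-info")
    bad = build_wheel(SAMPLE_FILES, "six-1.16.0.dist-info", tamper="six.py")
    return tags, verify_record(good), verify_record(bad)


if __name__ == "__main__":
    tags, good, bad = demo()
    print("python tags:", tags["python"], "platform:", tags["platform"])
    print("intact wheel:", good)
    print("altered wheel:", bad)
```

Running the script reports the intact wheel as clean and flags both a hash and a size mismatch for six.py in the altered one; the same verify_record call can be pointed at a real downloaded wheel by reading its bytes from disk.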
Dave Hodgins
2023-07-06 22:33:18 CEST

Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0218.html

Status: NEW => RESOLVED