Bug 31421

Summary: python-setuptools new security issue CVE-2022-40897
Product: Mageia Reporter: David Walser <luigiwalser>
Component: Security Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, davidwhodgins, geiger.david68210, sysadmin-bugs, tarazed25
Version: 8 Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: python-setuptools-65.5.0-1.mga9.src.rpm CVE:
Status comment:

Description David Walser 2023-01-17 22:58:10 CET
openSUSE has issued an advisory on January 16:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/WAQKKYI5XTBXPHU7RRPHNAQ7W6ARWJQW/

Mageia 8 is also affected.

David Walser 2023-01-17 22:58:28 CET

Status comment: (none) => Patch available from openSUSE
Whiteboard: (none) => MGA8TOO

Comment 1 David Walser 2023-01-23 21:51:16 CET
Ubuntu has issued an advisory for this today (January 23):
https://ubuntu.com/security/notices/USN-5817-1

The issue is fixed upstream in 65.5.1.

Severity: normal => major

Comment 2 David Walser 2023-02-23 18:02:13 CET
Red Hat has issued an advisory for this on February 21:
https://access.redhat.com/errata/RHSA-2023:0835

Comment 3 David Walser 2023-05-07 01:41:43 CEST
Fedora has issued an advisory for this on April 30:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/YNA2BAH2ACBZ4TVJZKFLCR7L23BG5C3H/

Comment 4 David GEIGER 2023-06-30 06:16:06 CEST
Patch added for both mga8 and cauldron!


Packages in 9/Core/Updates_testing:
======================
python-setuptools-wheel-65.5.0-3.mga9.noarch.rpm
python3-setuptools-65.5.0-3.mga9.noarch.rpm

Packages in 8/Core/Updates_testing:
======================
python-setuptools-wheel-56.2.0-1.1.mga8.noarch.rpm
python3-setuptools-56.2.0-1.1.mga8.noarch.rpm
python3-pkg-resources-56.2.0-1.1.mga8.noarch.rpm


From SRPMS:
python-setuptools-65.5.0-3.mga9.src.rpm
python-setuptools-56.2.0-1.1.mga8.src.rpm

CC: (none) => geiger.david68210
Assignee: python => qa-bugs

David Walser 2023-06-30 15:45:37 CEST

Status comment: Patch available from openSUSE => (none)

Comment 5 David GEIGER 2023-06-30 16:48:30 CEST
Packages moved for cauldron!

Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)

Comment 6 Len Lawrence 2023-07-01 18:14:55 CEST
Mageia8, x86_64

All three packages were already available and updated cleanly.
There are 67 packages in the requires-recursive list but this is developer country so we should simply move it on.

CC: (none) => tarazed25
Whiteboard: (none) => MGA8-64-OK

Comment 7 Thomas Andrews 2023-07-01 22:24:39 CEST
Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2023-07-06 22:39:53 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 8 Mageia Robot 2023-07-07 07:56:27 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0219.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED