Bug 31667

Summary: python-owslib new security issue CVE-2023-27476
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: critical
Priority: Normal
CC: andrewsfarm, davidwhodgins, geiger.david68210, sysadmin-bugs, tarazed25
Version: 8
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA8-64-OK
Source RPM: python-owslib-0.25.0-2.mga9.src.rpm
CVE:
Status comment:

Description David Walser 2023-03-14 02:49:43 CET
Fedora has issued an advisory today (March 13):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/PYNYFUUI2JO56U35RT7DTZDQDCNCDAMH/

The issue is fixed upstream in 0.28.1:
https://github.com/geopython/OWSLib/security/advisories/GHSA-8h9c-r582-mggc

Mageia 8 is also affected.

David Walser 2023-03-14 02:49:56 CET

Status comment: (none) => Fixed upstream in 0.28.1
Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2023-03-14 20:13:11 CET
Think this is OK to assign to daviddavid, registered packager for python-owslib.

Assignee: bugsquad => geiger.david68210

Comment 2 David GEIGER 2023-03-14 20:35:09 CET
Done for both mga8 and Cauldron!

Freeze_move requested for Cauldron!

Comment 3 David Walser 2023-03-15 01:59:34 CET
Mageia 8 update:
python3-owslib-0.28.1-1.mga8

from python-owslib-0.28.1-1.mga8.src.rpm

Cauldron pending freeze move.

Comment 4 David GEIGER 2023-03-17 02:52:21 CET
Assigning to QA

Assignee: geiger.david68210 => qa-bugs

David Walser 2023-03-17 02:54:51 CET

Status comment: Fixed upstream in 0.28.1 => (none)
Whiteboard: MGA8TOO => (none)
CC: (none) => geiger.david68210
Version: Cauldron => 8

Comment 5 Len Lawrence 2023-03-18 20:31:20 CET
Mageia8, x86_64

Installed the release version of the package and qgis, which is the only major package which depends on it. qgis appears to be a framework for the development of specialised web-based maps and services involving geolocation and other resources.

The qgis interface launched OK.
Updated the package and checked qgis again.
It launches and shows a news panel and a template panel from which new projects can be developed.

There is little more that can be done with this without a wider knowledge of the subject, but it looks useable. Giving this the go-ahead.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => tarazed25

Comment 6 Thomas Andrews 2023-03-18 20:51:53 CET
Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2023-03-23 23:33:12 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 7 Mageia Robot 2023-03-24 06:57:39 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0112.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED