| Summary: | python3 and python new security issues CVE-2023-6597 and CVE-2024-0450 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Salguero <nicolas.salguero> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | andrewsfarm, herman.viaene, sysadmin-bugs |
| Version: | 9 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA9-64-OK | | |
| Source RPM: | python3-3.10.11-1.1.mga9.src.rpm, python-2.7.18-15.1.mga9.src.rpm | CVE: | CVE-2023-6597, CVE-2024-0450 |
| Status comment: | | | |
Description

Nicolas Salguero 2024-03-21 16:55:53 CET

Nicolas Salguero 2024-03-21 16:56:53 CET

Status comment: (none) => Patches available from upstream

There is a lot of info on that page, and various versions mentioned.

Assignee: bugsquad => python

Debian has issued an advisory on March 24: https://lwn.net/Articles/966564/

Python 2.7 is affected by CVE-2024-0450.

Summary: python3 new security issues CVE-2023-6597 and CVE-2024-0450 => python3 and python new security issues CVE-2023-6597 and CVE-2024-0450

Those CVEs are already fixed in version 3.12.2, so python3 in Cauldron is not affected.

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

The tempfile.TemporaryDirectory class would dereference symlinks during cleanup of permissions-related errors. This means users who can run privileged programs are potentially able to modify permissions of files referenced by symlinks in some circumstances. (CVE-2023-6597)

The zipfile module is vulnerable to "quoted-overlap" zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython make the zipfile module reject zip archives which overlap entries in the archive. (CVE-2024-0450)

References:
https://www.openwall.com/lists/oss-security/2024/03/20/5
https://lwn.net/Articles/966564/
========================

Updated packages in core/updates_testing:
========================
lib(64)python2.7-2.7.18-15.2.mga9
lib(64)python2.7-stdlib-2.7.18-15.2.mga9
lib(64)python2.7-testsuite-2.7.18-15.2.mga9
lib(64)python-devel-2.7.18-15.2.mga9
python-2.7.18-15.2.mga9
python-docs-2.7.18-15.2.mga9
lib(64)python3.10-3.10.11-1.2.mga9
lib(64)python3.10-stdlib-3.10.11-1.2.mga9
lib(64)python3.10-testsuite-3.10.11-1.2.mga9
lib(64)python3-devel-3.10.11-1.2.mga9
python3-3.10.11-1.2.mga9
python3-docs-3.10.11-1.2.mga9
tkinter3-3.10.11-1.2.mga9
tkinter3-apps-3.10.11-1.2.mga9

from SRPMS:
python-2.7.18-15.2.mga9.src.rpm
python3-3.10.11-1.2.mga9.src.rpm

Assignee: python => qa-bugs
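The CVE-2024-0450 fix named in the suggested advisory rejects archives whose members overlap. The following is an added example, not code from this bug, the Mageia packages or CPython: it builds a constructed two-member archive whose second central-directory entry is rewritten to point at the first member's local header (the minimal "quoted overlap" shape), runs a standalone span-overlap check over it, and probes whether the running interpreter's zipfile refuses to read the overlapped member (that last result depends on the interpreter, so it is reported rather than assumed).

```python
import io
import struct
import zipfile

def build_zip(overlap: bool) -> bytes:
    """Constructed test input: two stored members. With overlap=True the second
    central-directory entry is redirected onto the first member's local header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("a.txt", b"A" * 64)
        zf.writestr("b.txt", b"A" * 64)
    data = bytearray(buf.getvalue())
    if overlap:
        # EOCD is the final 22 bytes (no comment); central-directory offset sits at +16.
        cd_offset, = struct.unpack_from("<I", data, len(data) - 22 + 16)
        # Second entry follows the first: 46 fixed bytes + 5-byte name, no extra/comment.
        second = cd_offset + 46 + len("a.txt")
        struct.pack_into("<I", data, second + 42, 0)     # local-header offset field
        data[second + 46:second + 51] = b"a.txt"         # name must match the quoted header
    return bytes(data)

def entry_spans(data: bytes):
    """Yield (name, start, end): the bytes each member claims, i.e. its local header
    plus the compressed data it announces. zipfile parses the central directory;
    the span arithmetic is ours and mirrors what the fixed CPython enforces."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            start = info.header_offset
            sig, = struct.unpack_from("<I", data, start)
            if sig != 0x04034B50:                        # 'PK\x03\x04'
                raise zipfile.BadZipFile(f"bad local header for {info.filename!r}")
            name_len, extra_len = struct.unpack_from("<HH", data, start + 26)
            yield info.filename, start, start + 30 + name_len + extra_len + info.compress_size

def has_overlapping_entries(data: bytes) -> bool:
    """True if any member's byte range begins before the previous member's ends."""
    spans = sorted(entry_spans(data), key=lambda s: s[1])
    return any(cur[1] < prev[2] for prev, cur in zip(spans, spans[1:]))

def stdlib_rejects(data: bytes) -> bool:
    """Probe: does this interpreter's zipfile refuse to read the overlapped member?"""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        try:
            for info in zf.infolist():
                zf.read(info)
        except zipfile.BadZipFile:
            return True
    return False
```

On a patched interpreter `stdlib_rejects(build_zip(True))` is True (BadZipFile "Overlapped entries"); on an unpatched one the duplicate entry reads silently and it is False, which is the behaviour this update removes.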
katnatek 2024-03-26 17:58:51 CET

Keywords: (none) => advisory

RH mageia 9 x86_64
LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (32-bit)" is up-to-date
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date
installing python3-3.10.11-1.2.mga9.x86_64.rpm lib64python3.10-stdlib-3.10.11-1.2.mga9.x86_64.rpm tkinter3-3.10.11-1.2.mga9.x86_64.rpm lib64python3.10-3.10.11-1.2.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing... ##################################################################################################
1/4: lib64python3.10 ##################################################################################################
2/4: python3 ##################################################################################################
3/4: lib64python3.10-stdlib
##################################################################################################
4/4: tkinter3 ##################################################################################################
1/4: removing tkinter3-3.10.11-1.1.mga9.x86_64
##################################################################################################
2/4: removing lib64python3.10-stdlib-3.10.11-1.1.mga9.x86_64
##################################################################################################
3/4: removing python3-3.10.11-1.1.mga9.x86_64
##################################################################################################
4/4: removing lib64python3.10-3.10.11-1.1.mga9.x86_64
##################################################################################################
Test 3 python3 applications without issues
RH mageia 9 x86_64
Test install current, update to testing and remove python packages
LC_ALL=C urpmi python lib64python2.7-testsuite lib64python-devel lib64python2.7-stdlib python-docs
To satisfy dependencies, the following packages are going to be installed:
Package Version Release Arch
(medium "Core Release (distrib1)")
python2-rpm-macros 3.10 6.mga9 noarch
(medium "Core Updates (distrib3)")
lib64python-devel 2.7.18 15.1.mga9 x86_64
lib64python2.7 2.7.18 15.1.mga9 x86_64
lib64python2.7-stdlib 2.7.18 15.1.mga9 x86_64
lib64python2.7-testsuite 2.7.18 15.1.mga9 x86_64
python 2.7.18 15.1.mga9 x86_64
python-docs 2.7.18 15.1.mga9 noarch
93MB of additional disk space will be used.
17MB of packages will be retrieved.
Proceed with the installation of the 7 packages? (Y/n) y
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/python2-rpm-macros-3.10-6.mga9.noarch.rpm
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/python-2.7.18-15.1.mga9.x86_64.rpm
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/lib64python2.7-stdlib-2.7.18-15.1.mga9.x86_64.rpm
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/lib64python2.7-testsuite-2.7.18-15.1.mga9.x86_64.rpm
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/lib64python-devel-2.7.18-15.1.mga9.x86_64.rpm
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/python-docs-2.7.18-15.1.mga9.noarch.rpm
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/lib64python2.7-2.7.18-15.1.mga9.x86_64.rpm
installing lib64python2.7-testsuite-2.7.18-15.1.mga9.x86_64.rpm lib64python2.7-stdlib-2.7.18-15.1.mga9.x86_64.rpm python2-rpm-macros-3.10-6.mga9.noarch.rpm python-2.7.18-15.1.mga9.x86_64.rpm lib64python2.7-2.7.18-15.1.mga9.x86_64.rpm python-docs-2.7.18-15.1.mga9.noarch.rpm lib64python-devel-2.7.18-15.1.mga9.x86_64.rpm from /var/cache/urpmi/rpms
Preparing... ##################################################################################################
1/7: python2-rpm-macros ##################################################################################################
2/7: python ##################################################################################################
3/7: lib64python2.7 ##################################################################################################
4/7: lib64python2.7-stdlib ##################################################################################################
5/7: lib64python2.7-testsuite
##################################################################################################
6/7: python-docs ##################################################################################################
7/7: lib64python-devel ##################################################################################################
LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (32-bit)" is up-to-date
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date
medium "BDK-Free-x86_64" is up-to-date
medium "BDK-Free-noarch" is up-to-date
medium "BDK-NonFree-x86_64" is up-to-date
medium "MLO_core (MLO1)" is up-to-date
medium "MLO_nonfree (MLO2)" is up-to-date
medium "MLO_tainted (MLO3)" is up-to-date
installing python-2.7.18-15.2.mga9.x86_64.rpm lib64python2.7-stdlib-2.7.18-15.2.mga9.x86_64.rpm lib64python2.7-testsuite-2.7.18-15.2.mga9.x86_64.rpm lib64python2.7-2.7.18-15.2.mga9.x86_64.rpm python-docs-2.7.18-15.2.mga9.noarch.rpm lib64python-devel-2.7.18-15.2.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing... ##################################################################################################
1/6: lib64python2.7 ##################################################################################################
2/6: python ##################################################################################################
3/6: lib64python2.7-stdlib ##################################################################################################
4/6: lib64python2.7-testsuite
##################################################################################################
5/6: python-docs ##################################################################################################
6/6: lib64python-devel ##################################################################################################
1/6: removing lib64python-devel-2.7.18-15.1.mga9.x86_64
##################################################################################################
2/6: removing python-docs-2.7.18-15.1.mga9.noarch
##################################################################################################
3/6: removing lib64python2.7-testsuite-2.7.18-15.1.mga9.x86_64
##################################################################################################
4/6: removing lib64python2.7-stdlib-2.7.18-15.1.mga9.x86_64
##################################################################################################
5/6: removing python-2.7.18-15.1.mga9.x86_64
##################################################################################################
6/6: removing lib64python2.7-2.7.18-15.1.mga9.x86_64
##################################################################################################
LC_ALL=C urpme $(rpm -qa|grep 2.7.18-15.2)
removing lib64python-devel-2.7.18-15.2.mga9.x86_64 lib64python2.7-2.7.18-15.2.mga9.x86_64 lib64python2.7-stdlib-2.7.18-15.2.mga9.x86_64 lib64python2.7-testsuite-2.7.18-15.2.mga9.x86_64 python-2.7.18-15.2.mga9.x86_64 python-docs-2.7.18-15.2.mga9.noarch
removing package lib64python-devel-2.7.18-15.2.mga9.x86_64
1/6: removing lib64python-devel-2.7.18-15.2.mga9.x86_64
##################################################################################################
removing package python-docs-2.7.18-15.2.mga9.noarch
2/6: removing python-docs-2.7.18-15.2.mga9.noarch
##################################################################################################
removing package lib64python2.7-testsuite-2.7.18-15.2.mga9.x86_64
3/6: removing lib64python2.7-testsuite-2.7.18-15.2.mga9.x86_64
##################################################################################################
removing package lib64python2.7-stdlib-2.7.18-15.2.mga9.x86_64
4/6: removing lib64python2.7-stdlib-2.7.18-15.2.mga9.x86_64
##################################################################################################
removing package python-2.7.18-15.2.mga9.x86_64
5/6: removing python-2.7.18-15.2.mga9.x86_64
##################################################################################################
removing package lib64python2.7-2.7.18-15.2.mga9.x86_64
6/6: removing lib64python2.7-2.7.18-15.2.mga9.x86_64
##################################################################################################
writing /var/lib/rpm/installed-through-deps.list
The following package:
python2-rpm-macros-3.10-6.mga9.noarch
is now orphaned, if you wish to remove it, you can use "urpme --auto-orphans"
LC_ALL=C urpme python2-rpm-macros
removing python2-rpm-macros-3.10-6.mga9.noarch
removing package python2-rpm-macros-3.10-6.mga9.noarch
1/1: removing python2-rpm-macros-3.10-6.mga9.noarch
##################################################################################################
MGA9-64 Plasma wayland on HP-Pavillion

No installation issues. Following wiki with the remark the files have been moved.

$ python /usr/share/doc/python3-pyparsing/examples/SimpleCalc.py
Type in the string to be parsed or 'quit' to exit the program
> 123 + 456
579
> a=2
2
> b=3
3
> a*b
6
> quit
Good bye!

$ python3 /usr/share/doc/python3-pyparsing/examples/SimpleCalc.py
Type in the string to be parsed or 'quit' to exit the program
> 123 + 456
579
> a=2
2
> b=3
3
> a*b
6
> quit
Good bye!

OK for me.

Whiteboard: (none) => MGA9-64-OK

Validating.

Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2024-0096.html

Status: ASSIGNED => RESOLVED