Bug 33307

Summary:	python-scikit-learn new security issue CVE-2024-5206
Product:	Mageia	Reporter:	Nicolas Salguero <nicolas.salguero>
Component:	Security	Assignee:	QA Team <qa-bugs>
Status:	RESOLVED FIXED	QA Contact:	Sec team <security>
Severity:	normal
Priority:	Normal	CC:	andrewsfarm, geiger.david68210, herman.viaene, sysadmin-bugs
Version:	9	Keywords:	advisory, validated_update
Target Milestone:	---
Hardware:	All
OS:	Linux
Whiteboard:	MGA9-64-OK
Source RPM:	python-scikit-learn-1.4.2-2.mga10.src.rpm	CVE:	CVE-2024-5206
Status comment:	Fixed upstream in 1.5.0 and patch available from openSUSE and upstream

Description Nicolas Salguero 2024-06-14 15:40:29 CEST

openSUSE has issued an advisory on June 13:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/RRNRD64XAZJHFLB6MHKCGUBBVTIA3E7V/

The fix is: https://github.com/scikit-learn/scikit-learn/commit/70ca21f106b603b611da73012c9ade7cd8e438b8

Mageia 9 is also affected.

Nicolas Salguero 2024-06-14 15:41:14 CEST

Whiteboard: (none) => MGA9TOO
CVE: (none) => CVE-2024-5206
Source RPM: (none) => python-scikit-learn-1.4.2-2.mga10.src.rpm
Status comment: (none) => Fixed upstream in 1.5.0 and patch available from openSUSE and upstream

Comment 1 Lewis Smith 2024-06-15 20:40:53 CEST

Note also the fixed new version 1.5.0.

To Python stack maintainers.

Assignee: bugsquad => python

Comment 2 David GEIGER 2024-06-18 06:22:42 CEST

Done for both mga9 and Cauldron adding security patch!

CC: (none) => geiger.david68210
Version: Cauldron => 9
Whiteboard: MGA9TOO => (none)

Comment 3 David GEIGER 2024-06-18 06:24:19 CEST

Assigning to QA,

Packages in 9/Core/Updates_testing:
======================
python3-scikit-learn-1.1.2-2.1.mga9

From SRPMS:
python-scikit-learn-1.1.2-2.1.mga9.src.rpm

Assignee: python => qa-bugs

katnatek 2024-06-18 19:09:52 CEST

Keywords: (none) => advisory

Comment 4 katnatek 2024-06-19 02:54:34 CEST

RH mageia 9 x86_64

The basic Install current version/update/remove test
 
LC_ALL=C urpmi python3-scikit-learn
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch    
(medium "Core Release (distrib1)")
  python3-joblib                 1.2.0        1.mga9        noarch  
  python3-numpy-f2py             1.24.3       1.mga9        x86_64  
  python3-scikit-learn           1.1.2        2.mga9        x86_64  
  python3-threadpoolctl          3.1.0        1.mga9        noarch  
(medium "Core Updates (distrib3)")
  lib64python3-devel             3.10.11      1.2.mga9      x86_64  
  lib64python3.10-testsuite      3.10.11      1.2.mga9      x86_64  (recommended)
  python3-docs                   3.10.11      1.2.mga9      noarch  (recommended)
  python3-scipy                  1.9.1        2.1.mga9      x86_64  
  tkinter3                       3.10.11      1.2.mga9      x86_64  (recommended)
227MB of additional disk space will be used.
44MB of packages will be retrieved.
Proceed with the installation of the 9 packages? (Y/n) y

    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/python3-scikit-learn-1.1.2-2.mga9.x86_64.rpm
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/python3-numpy-f2py-1.24.3-1.mga9.x86_64.rpm    
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/python3-threadpoolctl-3.1.0-1.mga9.noarch.rpm  
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/python3-joblib-1.2.0-1.mga9.noarch.rpm         
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/python3-scipy-1.9.1-2.1.mga9.x86_64.rpm        
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/lib64python3-devel-3.10.11-1.2.mga9.x86_64.rpm 
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/tkinter3-3.10.11-1.2.mga9.x86_64.rpm           
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/python3-docs-3.10.11-1.2.mga9.noarch.rpm       
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/lib64python3.10-testsuite-3.10.11-1.2.mga9.x86_64.rpm
installing lib64python3.10-testsuite-3.10.11-1.2.mga9.x86_64.rpm python3-numpy-f2py-1.24.3-1.mga9.x86_64.rpm python3-joblib-1.2.0-1.mga9.noarch.rpm python3-threadpoolctl-3.1.0-1.mga9.noarch.rpm python3-scipy-1.9.1-2.1.mga9.x86_64.rpm python3-docs-3.10.11-1.2.mga9.noarch.rpm tkinter3-3.10.11-1.2.mga9.x86_64.rpm lib64python3-devel-3.10.11-1.2.mga9.x86_64.rpm python3-scikit-learn-1.1.2-2.mga9.x86_64.rpm from /var/cache/urpmi/rpms
Preparing...                     ##################################################################################################
      1/9: tkinter3              ##################################################################################################
      2/9: lib64python3.10-testsuite
                                 ##################################################################################################
      3/9: python3-docs          ##################################################################################################
      4/9: lib64python3-devel    ##################################################################################################
      5/9: python3-numpy-f2py    ##################################################################################################
      6/9: python3-scipy         ##################################################################################################
      7/9: python3-threadpoolctl ##################################################################################################
      8/9: python3-joblib        ##################################################################################################
      9/9: python3-scikit-learn  ##################################################################################################

LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (32-bit)" is up-to-date
updated medium "QA Testing (64-bit)"
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date

installing python3-scikit-learn-1.1.2-2.1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/1: python3-scikit-learn  ##################################################################################################
      1/1: removing python3-scikit-learn-1.1.2-2.mga9.x86_64
                                 ##################################################################################################

LC_ALL=C urpme python3-scikit-learn
removing python3-scikit-learn-1.1.2-2.1.mga9.x86_64
removing package python3-scikit-learn-1.1.2-2.1.mga9.x86_64
      1/1: removing python3-scikit-learn-1.1.2-2.1.mga9.x86_64
                                 ##################################################################################################

The following packages:
  lib64python3-devel-3.10.11-1.2.mga9.x86_64
  lib64python3.10-testsuite-3.10.11-1.2.mga9.x86_64
  python3-docs-3.10.11-1.2.mga9.noarch
  python3-joblib-1.2.0-1.mga9.noarch
  python3-numpy-f2py-1.24.3-1.mga9.x86_64
  python3-scipy-1.9.1-2.1.mga9.x86_64
  python3-threadpoolctl-3.1.0-1.mga9.noarch
  tkinter3-3.10.11-1.2.mga9.x86_64
are now orphaned, if you wish to remove them, you can use "urpme --auto-orphans"

LC_ALL=C urpme --auto-orphans --auto
removing lib64python3-devel-3.10.11-1.2.mga9.x86_64 lib64python3.10-testsuite-3.10.11-1.2.mga9.x86_64 python3-docs-3.10.11-1.2.mga9.noarch python3-joblib-1.2.0-1.mga9.noarch python3-numpy-f2py-1.24.3-1.mga9.x86_64 python3-scipy-1.9.1-2.1.mga9.x86_64 python3-threadpoolctl-3.1.0-1.mga9.noarch tkinter3-3.10.11-1.2.mga9.x86_64
removing package python3-scipy-1.9.1-2.1.mga9.x86_64
      1/8: removing python3-scipy-1.9.1-2.1.mga9.x86_64
                                 ##################################################################################################
removing package python3-numpy-f2py-1:1.24.3-1.mga9.x86_64
      2/8: removing python3-numpy-f2py-1:1.24.3-1.mga9.x86_64
                                 ##################################################################################################
removing package python3-threadpoolctl-3.1.0-1.mga9.noarch
      3/8: removing python3-threadpoolctl-3.1.0-1.mga9.noarch
                                 ##################################################################################################
removing package python3-joblib-1.2.0-1.mga9.noarch
      4/8: removing python3-joblib-1.2.0-1.mga9.noarch
                                 ##################################################################################################
removing package lib64python3-devel-3.10.11-1.2.mga9.x86_64
      5/8: removing lib64python3-devel-3.10.11-1.2.mga9.x86_64
                                 ##################################################################################################
removing package python3-docs-3.10.11-1.2.mga9.noarch
      6/8: removing python3-docs-3.10.11-1.2.mga9.noarch
                                 ##################################################################################################
removing package lib64python3.10-testsuite-3.10.11-1.2.mga9.x86_64
      7/8: removing lib64python3.10-testsuite-3.10.11-1.2.mga9.x86_64
                                 ##################################################################################################
removing package tkinter3-3.10.11-1.2.mga9.x86_64
      8/8: removing tkinter3-3.10.11-1.2.mga9.x86_64
                                 ##################################################################################################

Feel free to provide other test if you can

Comment 5 Herman Viaene 2024-06-19 16:50:03 CEST

MGA9-64 Plasma Wayland on HP-Pavillion
No installation issues
This is python development stuff and the subject is way over my head (anyone got any better??), so as in previous such cases OK on clean install and no obvious repercussions on my system.

Whiteboard: (none) => MGA9-64-OK
CC: (none) => herman.viaene

Comment 6 katnatek 2024-06-19 19:23:03 CEST

Time to call to the boss

CC: (none) => andrewsfarm

Comment 7 Thomas Andrews 2024-06-20 00:55:52 CEST

This package is required by orange, a complex data mining and analysis program. There are many multi-part videos on Youtube on "getting started" with orange, showing just how complex it is. 

In Bug 30956, Herman attempted to use orange to test another component, and wound up sending that component on with a clean install. I think we can do that here, too.

Validating.

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Comment 8 Mageia Robot 2024-06-20 04:32:50 CEST

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0228.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED