A security issue in Python3 was announced on May 15:
http://www.openwall.com/lists/oss-security/2013/05/15/6

The description above talks about python-backports-ssl_match_hostname (which we don't have AFAIK), but it also affects python3 upstream.

Thierry fixed it in Cauldron here:
http://svnweb.mageia.org/packages?view=revision&revision=433777

According to RedHat, it sounds like a really low severity issue:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2099

We probably don't need to issue an update for this now, but should put the patch in SVN so it gets included in any future updates.
As noted here:
https://bugzilla.redhat.com/show_bug.cgi?id=963260#c11

bzr, python-requests, and python-tornado are also affected by this.

Fedora has issued an advisory for bzr on May 30:
https://lists.fedoraproject.org/pipermail/package-announce/2013-June/107957.html
from http://lwn.net/Vulnerabilities/553295/

So again, we should at least fix this in Cauldron and patch it in SVN.
CC: (none) => makowski.mageia
for python-tornado :
python-tornado-2.3-2.1.mga3.noarch
python-tornado-2.3-2.1.mga3.src
python-tornado-doc-2.3-2.1.mga3.noarch
python-tornado-doc-2.2.1-1.1.mga2.noarch
python-tornado-2.2.1-1.1.mga2.src
python-tornado-2.2.1-1.1.mga2.noarch

and Cauldron patched too, but the issue will be solved with next mainstream
for bzr :
bzr-2.5.1-3.1.mga3.src
bzr-debuginfo-2.5.1-3.1.mga3.x86_64
bzr-2.5.1-3.1.mga3.x86_64
bzr-debuginfo-2.5.1-3.1.mga3.i586
bzr-2.5.1-3.1.mga3.i586
bzr-2.5.1-1.1.mga2.src
bzr-debuginfo-2.5.1-1.1.mga2.x86_64
bzr-2.5.1-1.1.mga2.x86_64
bzr-debuginfo-2.5.1-1.1.mga2.i586
bzr-2.5.1-1.1.mga2.i586

Cauldron patched too
for python-requests (don't exist in mga2)
python-requests-0.13.5-2.1.mga3.noarch
python-requests-0.13.5-2.1.mga3.src

Cauldron patched too
Patch added in Mageia 2 and Mageia 3 SVN for the python3 package.
python-pip is apparently affected too. Fedora has just issued updates for that citing this CVE.
python-pip patched in Cauldron and in mga3 :
python3-pip-1.3.1-2.1.mga3.noarch.rpm
python-pip-1.3.1-2.1.mga3.noarch.rpm
python-pip-1.3.1-2.1.mga3.src.rpm
python3-pip-1.3.1-3.mga4.noarch.rpm
python-pip-1.3.1-3.mga4.noarch.rpm
python-pip-1.3.1-3.mga4.src.rpm
Depends on: (none) => 10989
Advisory:
========================

Updated python3 packages fix security vulnerabilities:

A denial of service flaw was found in the way the SSL module implementation of Python 3 performed matching of the certificate's name in the case it contained many '*' wildcard characters. A remote attacker, able to obtain a valid certificate with its name containing a lot of '*' wildcard characters, could use this flaw to cause a denial of service (excessive CPU consumption) by issuing a request to validate such a certificate for / to an application using Python's ssl.match_hostname() functionality (CVE-2013-2099).

Ryan Sleevi of the Google Chrome Security Team has discovered that Python's SSL module doesn't handle NULL bytes inside subjectAltNames general names. This could lead to a breach when an application uses ssl.match_hostname() to match the hostname against the certificate's subjectAltName's dNSName general names (CVE-2013-4328).

Additionally, a linking issue when compiling C extensions for Python 3 has been fixed in Mageia 3 (mga#9395).

The CVE-2013-2099 issue also affects bzr, python-requests, python-tornado, and python-pip, and those have been updated as well.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2099
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4328
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2099
http://bugs.python.org/issue18709
https://bugs.mageia.org/show_bug.cgi?id=9395
https://bugs.mageia.org/show_bug.cgi?id=10391
https://bugs.mageia.org/show_bug.cgi?id=10989
https://lists.fedoraproject.org/pipermail/package-announce/2013-June/107957.html
========================

Updated packages in core/updates_testing:
========================
python3-3.2.3-1.5.mga2
python3-docs-3.2.3-1.5.mga2
libpython3.2-3.2.3-1.5.mga2
libpython3-devel-3.2.3-1.5.mga2
tkinter3-3.2.3-1.5.mga2
tkinter3-apps-3.2.3-1.5.mga2
python-tornado-2.2.1-1.1.mga2
python-tornado-doc-2.2.1-1.1.mga2
bzr-2.5.1-1.1.mga2
python3-3.3.0-4.3.mga3
python3-docs-3.3.0-4.3.mga3
libpython3.3-3.3.0-4.3.mga3
libpython3-devel-3.3.0-4.3.mga3
tkinter3-3.3.0-4.3.mga3
tkinter3-apps-3.3.0-4.3.mga3
python-pip-1.3.1-2.1.mga3
python3-pip-1.3.1-2.1.mga3
python-tornado-2.3-2.1.mga3
python-tornado-doc-2.3-2.1.mga3
bzr-2.5.1-3.1.mga3
python-requests-0.13.5-2.1.mga3

from SRPMS:
python3-3.2.3-1.5.mga2.src.rpm
python-tornado-2.2.1-1.1.mga2.src.rpm
bzr-2.5.1-1.1.mga2.src.rpm
python3-3.3.0-4.3.mga3.src.rpm
python-pip-1.3.1-2.1.mga3.src.rpm
python-tornado-2.3-2.1.mga3.src.rpm
bzr-2.5.1-3.1.mga3.src.rpm
python-requests-0.13.5-2.1.mga3.src.rpm
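To make the CVE-2013-2099 mechanism in the advisory above concrete, here is an added example in the style of ssl.match_hostname(); it is not code from the Mageia packages or from CPython itself. The "before fix" helper is a reconstruction of the wildcard-to-regex translation the advisory describes (every '*' in every label becomes an unbounded '[^.]*' quantifier, so a name with many wildcards builds a pattern that backtracks exponentially against a non-matching host). The hardened matcher follows the shape of the upstream fix: count wildcards before building any regex, cap them at one, and honour them only in the leftmost label. The NUL-byte rejection is an extra defensive check assumed here for illustration, not the upstream fix for the subjectAltName NULL-byte issue. The certificate dictionaries and HOSTILE_NAME are constructed test inputs.

```python
import re


class CertificateError(ValueError):
    """Raised when a certificate name does not match the expected hostname."""


def _dnsname_to_pat_before_fix(dn):
    # Reconstruction of the pre-fix translation: each '*' in every label is
    # turned into '[^.]*'. A name such as 'a*a*a*...a.example.com' therefore
    # becomes 'a[^.]*a[^.]*a...' and matching it against a long non-matching
    # host takes time exponential in the wildcard count (CVE-2013-2099).
    # Never match this pattern against untrusted input; it is here to show
    # what the regex looked like, not to be exercised.
    pats = []
    for frag in dn.split('.'):
        if frag == '*':
            pats.append('[^.]+')
        else:
            pats.append(re.escape(frag).replace(r'\*', '[^.]*'))
    return re.compile(r'\A' + r'\.'.join(pats) + r'\Z', re.IGNORECASE)


def dnsname_match(dn, hostname, max_wildcards=1):
    # Hardened matcher: wildcards are counted and capped before a regex is
    # built, and are only honoured in the leftmost label (RFC 6125 style).
    if not dn:
        return False
    # Assumption: reject embedded NUL bytes outright. This is a defensive
    # check added for this example, not the upstream fix for the NULL-byte
    # subjectAltName bug the advisory also mentions.
    if '\x00' in dn or '\x00' in hostname:
        raise CertificateError("NUL byte in DNS name: %r" % dn)

    leftmost, *remainder = dn.split('.')
    wildcards = leftmost.count('*')
    if wildcards > max_wildcards:
        # Bail out before any backtracking-prone pattern exists.
        raise CertificateError(
            "too many wildcards in certificate DNS name: %r" % dn)

    if not wildcards:
        # Plain name: a case-insensitive string compare, no regex at all.
        return dn.lower() == hostname.lower()

    pats = []
    if leftmost == '*':
        # '*.example.com' matches exactly one label, never 'a.b.example.com'.
        pats.append('[^.]+')
    elif leftmost.startswith('xn--') or hostname.startswith('xn--'):
        # No wildcard expansion inside IDNA A-labels.
        pats.append(re.escape(leftmost))
    else:
        # A single partial wildcard such as 'www*' is allowed in the leftmost label.
        pats.append(re.escape(leftmost).replace(r'\*', '[^.]*'))
    for frag in remainder:
        pats.append(re.escape(frag))

    pat = re.compile(r'\A' + r'\.'.join(pats) + r'\Z', re.IGNORECASE)
    return pat.match(hostname) is not None


def match_hostname(cert, hostname):
    # Same contract as ssl.match_hostname(): return None on success,
    # raise CertificateError otherwise. subjectAltName dNSNames win;
    # the subject commonName is consulted only if there are none.
    dnsnames = []
    for key, value in cert.get('subjectAltName', ()):
        if key == 'DNS':
            if dnsname_match(value, hostname):
                return None
            dnsnames.append(value)
    if not dnsnames:
        for sub in cert.get('subject', ()):
            for key, value in sub:
                if key == 'commonName':
                    if dnsname_match(value, hostname):
                        return None
                    dnsnames.append(value)
    raise CertificateError("hostname %r doesn't match %r" % (hostname, dnsnames))


def wildcard_count(dn):
    return dn.count('*')


# Constructed inputs: a benign wildcard cert and a hostile 29-wildcard name.
HOSTILE_NAME = '*'.join(['a'] * 30) + '.example.com'
GOOD_CERT = {'subjectAltName': (('DNS', '*.mageia.org'),)}
HOSTILE_CERT = {'subjectAltName': (('DNS', HOSTILE_NAME),)}


if __name__ == '__main__':
    print("pre-fix regex for hostile name:", _dnsname_to_pat_before_fix(HOSTILE_NAME).pattern)
    match_hostname(GOOD_CERT, 'www.mageia.org')
    try:
        match_hostname(HOSTILE_CERT, 'aaaa.example.com')
    except CertificateError as e:
        print("hardened matcher refused:", e)
```

The important property is that the hardened path raises on the wildcard count before re.compile() is ever reached, so the cost of validating a hostile certificate is bounded regardless of the name it carries.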
Blocks: (none) => 9395, 10989
Depends on: 10989 => (none)
Assignee: bugsquad => qa-bugs
Severity: normal => major
Whiteboard: (none) => MGA2TOO
python-virtualenv-1.9.1 is affected by the CVE-2013-2099 flaw as it bundles the pip-1.3.1.tar.gz tar ball. python-virtualenv:/usr/lib/python2.7/site-packages/virtualenv_support/pip-1.3.1.tar.gz
CC: (none) => oe
(In reply to Oden Eriksson from comment #9)
> python-virtualenv-1.9.1 is affected by the CVE-2013-2099 flaw as it bundles
> the pip-1.3.1.tar.gz tar ball.
>
> python-virtualenv:/usr/lib/python2.7/site-packages/virtualenv_support/pip-1.
> 3.1.tar.gz

Fixed with python-virtualenv-1.9.1-1.2.mga3, but needs testing.
http://svnweb.mageia.org/packages?view=revision&revision=466815
Thanks, updating the advisory.

Advisory:
========================

Updated python3 packages fix security vulnerabilities:

A denial of service flaw was found in the way the SSL module implementation of Python 3 performed matching of the certificate's name in the case it contained many '*' wildcard characters. A remote attacker, able to obtain a valid certificate with its name containing a lot of '*' wildcard characters, could use this flaw to cause a denial of service (excessive CPU consumption) by issuing a request to validate such a certificate for / to an application using Python's ssl.match_hostname() functionality (CVE-2013-2099).

Ryan Sleevi of the Google Chrome Security Team has discovered that Python's SSL module doesn't handle NULL bytes inside subjectAltNames general names. This could lead to a breach when an application uses ssl.match_hostname() to match the hostname against the certificate's subjectAltName's dNSName general names (CVE-2013-4328).

Additionally, a linking issue when compiling C extensions for Python 3 has been fixed in Mageia 3 (mga#9395).

The CVE-2013-2099 issue also affects bzr, python-requests, python-tornado, python-pip, and python-virtualenv, and those have been updated as well.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2099
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4328
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2099
http://bugs.python.org/issue18709
https://bugs.mageia.org/show_bug.cgi?id=9395
https://bugs.mageia.org/show_bug.cgi?id=10391
https://bugs.mageia.org/show_bug.cgi?id=10989
https://lists.fedoraproject.org/pipermail/package-announce/2013-June/107957.html
========================

Updated packages in core/updates_testing:
========================
python3-3.2.3-1.5.mga2
python3-docs-3.2.3-1.5.mga2
libpython3.2-3.2.3-1.5.mga2
libpython3-devel-3.2.3-1.5.mga2
tkinter3-3.2.3-1.5.mga2
tkinter3-apps-3.2.3-1.5.mga2
python-tornado-2.2.1-1.1.mga2
python-tornado-doc-2.2.1-1.1.mga2
bzr-2.5.1-1.1.mga2
python3-3.3.0-4.3.mga3
python3-docs-3.3.0-4.3.mga3
libpython3.3-3.3.0-4.3.mga3
libpython3-devel-3.3.0-4.3.mga3
tkinter3-3.3.0-4.3.mga3
tkinter3-apps-3.3.0-4.3.mga3
python-pip-1.3.1-2.1.mga3
python3-pip-1.3.1-2.1.mga3
python-tornado-2.3-2.1.mga3
python-tornado-doc-2.3-2.1.mga3
bzr-2.5.1-3.1.mga3
python-requests-0.13.5-2.1.mga3
python-virtualenv-1.9.1-1.2.mga3

from SRPMS:
python3-3.2.3-1.5.mga2.src.rpm
python-tornado-2.2.1-1.1.mga2.src.rpm
bzr-2.5.1-1.1.mga2.src.rpm
python3-3.3.0-4.3.mga3.src.rpm
python-pip-1.3.1-2.1.mga3.src.rpm
python-tornado-2.3-2.1.mga3.src.rpm
bzr-2.5.1-3.1.mga3.src.rpm
python-requests-0.13.5-2.1.mga3.src.rpm
python-virtualenv-1.9.1-1.2.mga3.src.rpm
Python3 can be tested with some examples from here, can be run in idle3..
http://www.annedawson.net/Python3Programs.txt

Python tornado can be tested with Hello World from here, should be able to view it with your browser on port 8888..
http://www.tornadoweb.org/

pip..
https://pypi.python.org/pypi/pip

bzr..
http://doc.bazaar.canonical.com/bzr.2.5/en/mini-tutorial/index.html

python-requests
http://www.python-requests.org/en/latest/user/quickstart/

python-virtualenv & pip
https://bugs.mageia.org/show_bug.cgi?id=10761#c2
Whiteboard: MGA2TOO => MGA2TOO has_procedure
Testing complete mga2 64

Tested python3 by running some of the examples in idle3

Tornado tested using the hello world, saved as helloworld.py and started with python helloworld.py then browsed to http://localhost:8888 to see the message.

bzr tested following the basic examples on bzr page..

$ bzr whoami "Mee <amail@someplace.com>"
$ bzr whoami
Mee <amail@someplace.com>
$ bzr init-repo sample
Shared repository with trees (format: 2a)
Location:
  shared repository: sample
$ ls sample/
$ bzr init sample/trunk
Created a repository tree (format: 2a)
Using shared repository: /home/test/bzr/sample/
$ cd sample/trunk
$ nano test1.txt
Added some text
$ bzr add test1.txt
adding test1.txt
$ bzr commit -m "Added a line of text"
Committing to: /home/test/bzr/sample/trunk/
added test1.txt
Committed revision 1.

Updated bzr and changed the file and added a new commit

$ echo test test test > test1.txt
$ bzr diff
=== modified file 'test1.txt'
--- test1.txt	2013-08-19 14:12:14 +0000
+++ test1.txt	2013-08-19 14:12:57 +0000
@@ -1,3 +1,1 @@
-just a test file for bzr
-line 2
-
+test test test
$ bzr commit -m "changed it"
Committing to: /home/test/bzr/sample/trunk/
modified test1.txt
Committed revision 2.
$ bzr log
------------------------------------------------------------
revno: 2
committer: Mee <amail@someplace.com>
branch nick: trunk
timestamp: Mon 2013-08-19 15:14:05 +0100
message:
  changed it
------------------------------------------------------------
revno: 1
committer: Mee <amail@someplace.com>
branch nick: trunk
timestamp: Mon 2013-08-19 15:12:14 +0100
message:
  Added a line of text
Whiteboard: MGA2TOO has_procedure => MGA2TOO has_procedure mga2-64-ok
Testing mga3 64
Testing complete mga3 64

python3..
$ cd test
$ wget -O python3programs.py http://www.annedawson.net/Python3Programs.txt
$ idle3 python3programs.py
Choose Run Module in the Run menu. It ends in a loop which you have to kill with ctrl-c but it's intentionally so and shows python3 working.

python-pip..
# pip install fabric
Downloading/unpacking fabric
  Downloading Fabric-1.7.0.tar.gz (219kB): 219kB downloaded
  Running setup.py egg_info for package fabric
...etc
Successfully installed fabric paramiko
Cleaning up...
# pip uninstall fabric
Uninstalling Fabric:
  /usr/bin/fab
  /usr/lib/python2.7/site-packages/Fabric-1.7.0-py2.7.egg-info
...etc
  /usr/lib/python2.7/site-packages/fabric/utils.py
  /usr/lib/python2.7/site-packages/fabric/version.py
Proceed (y/n)? y
  Successfully uninstalled Fabric

python-tornado..
Used the Hello World from http://www.tornadoweb.org/en/stable/
$ python helloworld.py
WARNING:root:404 GET /favicon.ico (127.0.0.1) 0.31ms
WARNING:root:404 GET /favicon.ico (127.0.0.1) 0.26ms
Viewed it at http://localhost:8888/ and killed it with ctrl-c

python-requests..
$ python
Python 2.7.5 (default, Aug 12 2013, 12:12:07)
[GCC 4.7.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import requests
>>> r = requests.get('https://mageia.org')
>>> r.text
u'<!DOCTYPE html>\n<html dir="ltr" lang="en">\n<head>\n  <meta charset="utf-8">\n  <meta name="viewport" content="width=device-width, initial-scale=1.0">\n  <title>Home of the Mageia project </title>\n ...etc
>>> quit()

python-virtualenv..
$ cd test
$ virtualenv .
$ source bin/activate
$ pip install fabric

bzr..
Same as comment 13
Whiteboard: MGA2TOO has_procedure mga2-64-ok => MGA2TOO has_procedure mga2-64-ok mga3-64-ok
Testing complete mga2_32, ok for me nothing to report.

bzr :

[david@localhost ~]$ bzr whoami "Mee <geiger.davidxxxx@gmail.com>"
[david@localhost ~]$ bzr whoami
Mee <geiger.davidxxxx@gmail.com>
[david@localhost ~]$ bzr init-repo sample
Shared repository with trees (format: 2a)
Location:
  shared repository: sample
[david@localhost ~]$ ls
Bureau/     Images/   Musique/  rpmbuild/  Téléchargements/  Vidéos/
Documents/  Modèles/  mysite/   sample/    tmp/
[david@localhost ~]$ ls sample/
[david@localhost ~]$ bzr init sample/trunk
Created a repository tree (format: 2a)
Using shared repository: /home/david/sample/
[david@localhost ~]$ cd sample/trunk
[david@localhost trunk]$ nano test1.txt
[david@localhost trunk]$ bzr add test1.txt
adding test1.txt
[david@localhost trunk]$ bzr commit -m "Added a line of text"
Committing to: /home/david/sample/trunk/
added test1.txt
Committed revision 1.
[david@localhost trunk]$ echo test test test > test1.txt
[david@localhost trunk]$ bzr diff
=== modified file 'test1.txt'
--- test1.txt	2013-08-20 11:24:57 +0000
+++ test1.txt	2013-08-20 11:25:21 +0000
@@ -1,2 +1,1 @@
-Added some text
-
+test test test
[david@localhost trunk]$ bzr commit -m "changed it"
Committing to: /home/david/sample/trunk/
modified test1.txt
Committed revision 2.
[david@localhost trunk]$ bzr log
------------------------------------------------------------
revno: 2
committer: Mee <geiger.davidxxxx@gmail.com>
branch nick: trunk
timestamp: Tue 2013-08-20 13:26:17 +0200
message:
  changed it
------------------------------------------------------------
revno: 1
committer: Mee <geiger.davidxxxx@gmail.com>
branch nick: trunk
timestamp: Tue 2013-08-20 13:24:57 +0200
message:
  Added a line of text

#################################################################

tornado :

Tornado tested using the hello world, saved as helloworld.py and started with python helloworld.py then browsed to http://localhost:8888 to see the message.

#################################################################

python3 :

tested with some examples in idle3
CC: (none) => geiger.david68210
Whiteboard: MGA2TOO has_procedure mga2-64-ok mga3-64-ok => MGA2TOO has_procedure mga2-64-ok mga2-32-ok
Whiteboard: MGA2TOO has_procedure mga2-64-ok mga2-32-ok => MGA2TOO has_procedure mga2-64-ok mga2-32-ok mga3-64-ok
Testing complete mga3_32, ok for me nothing to report.

python3-pip:

[root@localhost ~]# python3-pip install fabric
Downloading/unpacking fabric
  Downloading Fabric-1.7.0.tar.gz (219kB): 219kB downloaded
  Running setup.py egg_info for package fabric
...etc
Successfully installed fabric paramiko pycrypto
Cleaning up...
[root@localhost ~]# python3-pip uninstall fabric
Uninstalling Fabric:
  /usr/bin/fab
  /usr/lib/python3.3/site-packages/Fabric-1.7.0-py3.3.egg-info
...etc
  /usr/lib/python3.3/site-packages/fabric/version.py
Proceed (y/n)? y
  Successfully uninstalled Fabric

########################################################################

python3 :

$ cd tmp
$ wget -O python3programs.py http://www.annedawson.net/Python3Programs.txt
$ python3 python3programs.py
Choose Run Module in the Run menu. It ends in a loop which you have to kill with ctrl-c but it's intentionally so and shows python3 working.

######################################################################

python-tornado :

Used the Hello World from http://www.tornadoweb.org/en/stable/
$ python helloworld.py
WARNING:root:404 GET /favicon.ico (127.0.0.1) 0.31ms
WARNING:root:404 GET /favicon.ico (127.0.0.1) 0.26ms
Viewed it at http://localhost:8888/ and killed it with ctrl-c

############################################################

bzr :

same as comment 16
Whiteboard: MGA2TOO has_procedure mga2-64-ok mga2-32-ok mga3-64-ok => MGA2TOO has_procedure mga2-64-ok mga2-32-ok mga3-64-ok mga3-32-ok
Validating. Advisory from comment 11 uploaded. Could sysadmin please push from 2 & 3 core/updates_testing to updates Thanks!
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2013-0252.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
Advisory 10391.adv corrected in svn (cve number)
CC: (none) => davidwhodgins