OpenSuSE has issued an advisory today (July 17):
http://lists.opensuse.org/opensuse-updates/2013-07/msg00062.html

Mageia 2 and Mageia 3 are also affected.
CC: (none) => makowski.mageia
Whiteboard: (none) => MGA3TOO, MGA2TOO
Patched packages uploaded for Mageia 2, Mageia 3, and Cauldron.

Advisory:
========================

Updated python-suds package fixes security vulnerability:

An insecure temporary directory use flaw was found in the way python-suds performed initialization of its internal file-based URL cache (predictable location was used for directory to store the cached files). A local attacker could use this flaw to conduct symbolic link attacks, possibly leading to their ability for example the SOAP .wsdl metadata to redirect queries to a different host, than originally intended (CVE-2013-2217).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2217
http://lists.opensuse.org/opensuse-updates/2013-07/msg00062.html
========================

Updated packages in core/updates_testing:
========================
python-suds-0.4.1-2.1.mga2
python-suds-0.4.1-3.1.mga3

from SRPMS:
python-suds-0.4.1-2.1.mga2.src.rpm
python-suds-0.4.1-3.1.mga3.src.rpm
CC: (none) => boklm
Version: Cauldron => 3
Assignee: boklm => qa-bugs
Whiteboard: MGA3TOO, MGA2TOO => MGA2TOO
Testing complete on Mageia 3 i586 and x86_64 using ...

$ cat testsuds
#!/bin/python
from suds.client import Client
url = 'http://schemas.xmlsoap.org/wsdl/'
client = Client(url)
print client

Running it under strace with the core release version shows it's opening
/home/dave/tmp/suds/version

After installing the updates testing version it's opening
/home/dave/tmp/tmpgX_qNi/version

Advisory 10791.adv added to svn.

I'll test Mageia 2 shortly.
CC: (none) => davidwhodgins
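The two paths seen under strace in the test above differ in one respect: a fixed directory name (`suds`) versus a randomly named one. As an added example (Python 3, not code from python-suds or from this report; the function names and the constructed directory layout are assumptions), the following contrasts the two patterns and audits a cache directory before it is trusted:

```python
import os
import stat
import tempfile


def predictable_cache_dir(tmp_root):
    """Pre-update pattern: a fixed name ('suds') under the shared temp root."""
    path = os.path.join(tmp_root, "suds")
    if not os.path.isdir(path):  # isdir() follows symlinks, so a link passes
        os.makedirs(path)
    return path


def private_cache_dir(tmp_root):
    """Post-update pattern: random name, created atomically with mode 0700."""
    return tempfile.mkdtemp(dir=tmp_root)


def audit_cache_dir(path):
    """Return the reasons a cache directory should not be trusted (empty = OK)."""
    st = os.lstat(path)  # lstat() inspects the entry itself, not a link target
    if stat.S_ISLNK(st.st_mode):
        return ["is a symlink -> " + os.path.realpath(path)]
    findings = []
    if st.st_uid != os.geteuid():
        findings.append("owned by uid %d" % st.st_uid)
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("group/other writable")
    return findings


def demo():
    """Constructed scenario: 'suds' already exists as a link made by someone else."""
    root = tempfile.mkdtemp()                  # stands in for the shared temp root
    elsewhere = tempfile.mkdtemp(dir=root)     # directory the link points to
    os.symlink(elsewhere, os.path.join(root, "suds"))
    old = predictable_cache_dir(root)          # silently accepts the existing link
    with open(os.path.join(old, "version"), "w") as fh:
        fh.write("constructed cache entry")
    new = private_cache_dir(root)
    return {
        "old_findings": audit_cache_dir(old),
        "old_write_landed_elsewhere": os.path.exists(os.path.join(elsewhere, "version")),
        "new_findings": audit_cache_dir(new),
        "new_mode": stat.S_IMODE(os.lstat(new).st_mode),
    }


if __name__ == "__main__":
    print(demo())
```

The same `audit_cache_dir` check can be pointed at an existing `suds` directory under the temp root on a host that has not yet received the update.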
For Mageia 2, had to fix the shebang in the testsuds script to be
#!/usr/bin/python

Testing complete Mageia 2 i586 and x86_64.

Could someone from the sysadmin team push 10791.adv to updates.
Keywords: (none) => validated_update
Whiteboard: MGA2TOO => MGA2TOO MGA3-64-OK MGA3-32-OK MGA2-64-OK MGA2-32-OK
CC: (none) => sysadmin-bugs
http://advisories.mageia.org/MGASA-2013-0224.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
CC: boklm => (none)