A CVE has been assigned to Python upstream issue 18709: http://bugs.python.org/issue18709 Proposed patches to fix it have been attached to the upstream issue report. Oden has added these patches in Cauldron, as well as Mageia 2 and Mageia 3. Note that there is also a PoC attached to the upstream issue report. Given the mention of ssl.match_hostname on the upstream issue report, I wonder if this is related to CVE-2013-2099 (Bug 10391). I'm not assigning this to QA just yet, as discussion of this is continuing as we speak on the upstream issue report. If it's decided to go ahead with these patches, we'll fix CVE-2013-2099 for python3 in the process, as the patch for that was already in SVN. Reproducible: Steps to Reproduce:
CC: (none) => makowski.mageiaBlocks: (none) => 10391Whiteboard: (none) => MGA2TOO
A CVE was assigned as CVE-2013-4073 was for ruby. New CVE is CVE-2013-4238 as of: http://www.openwall.com/lists/oss-security/2013/08/13/2
CC: (none) => oeSummary: python, python3 new security issue CVE-2013-4073 => python, python3 new security issue CVE-2013-4238
so we should release an update for python and python3 for mga 3 with the patch included ? if yes, I can take care of and at the same time fix mga 10102 for Python 3
Oden, thanks for updating the correct CVE number. Philippe, the patch(es) for this are already committed, so if there are any further fixes you want to commit, go ahead, and we can fix this one with the same update.
Severity: normal => major
done for mga3 rev 466128, this should fix MGA#10102
python3-3.3.0-4.3.mga3 is update testing I guess that Oden did all the others builds need
Philippe, do you have some information to add to the advisory describing what else you've fixed?
This fix MGA#10102 : "Unable to install Python packages with C extensions via pip and virtualenv" : Before the fix installing Python packages via pip inside a virtualenv fails if the Python package uses a C extension.
Blocks: (none) => 9395, 10102
OK, let's use this bug for the python update and Bug 10391 for the python3 update. Advisory: ======================== Updated python packages fix security vulnerability: Ryan Sleevi of the Google Chrome Security Team has discovered that Python's SSL module doesn't handle NULL bytes inside subjectAltNames general names. This could lead to a breach when an application uses ssl.match_hostname() to match the hostname againt the certificate's subjectAltName's dNSName general names. (CVE-2013-4328). Additionally, an issue with installing Python packages with C extensions via pip and virtualenv has been fixed in Mageia 3 (mga#10102). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4328 http://bugs.python.org/issue18709 https://bugs.mageia.org/show_bug.cgi?id=10102 https://bugs.mageia.org/show_bug.cgi?id=10989 ======================== Updated packages in core/updates_testing: ======================== python-2.7.3-2.4.mga2 python-docs-2.7.3-2.4.mga2 libpython2.7-2.7.3-2.4.mga2 libpython-devel-2.7.3-2.4.mga2 tkinter-2.7.3-2.4.mga2 tkinter-apps-2.7.3-2.4.mga2 python-2.7.5-1.2.mga3 python-docs-2.7.5-1.2.mga3 libpython2.7-2.7.5-1.2.mga3 libpython-devel-2.7.5-1.2.mga3 tkinter-2.7.5-1.2.mga3 tkinter-apps-2.7.5-1.2.mga3 from SRPMS: python-2.7.3-2.4.mga2.src.rpm python-2.7.5-1.2.mga3.src.rpm
Blocks: 9395 => (none)Assignee: bugsquad => qa-bugs
Blocks: 10391 => (none)Depends on: (none) => 10391
Summary: python, python3 new security issue CVE-2013-4238 => python new security issue CVE-2013-4238Source RPM: python, python3 => python
The bug title (with python3) was correct, as this CVE affects both python and python3. I used the other bug (Bug 10391) to handle the python3 update to separate these and make it easier for QA, but we are fixing this CVE for python3 as well.
No PoC so just testing python & tkinter using random examples from here, run in idle: http://wiki.python.org/moin/SimplePrograms
Whiteboard: MGA2TOO => MGA2TOO has_procedure
Testing complete mga3 64
Whiteboard: MGA2TOO has_procedure => MGA2TOO has_procedure mga3-64-ok
Testing complete mga2 64
Whiteboard: MGA2TOO has_procedure mga3-64-ok => MGA2TOO has_procedure mga3-64-ok mga2-64-ok
There's a PoC attached here: http://bugs.python.org/issue18709
Advisory uploaded.
No idea how to use the certificate on the link David. If you can point us in the right direction I'm happy to check it again. Testing complete mga2-32 for now.
Whiteboard: MGA2TOO has_procedure mga3-64-ok mga2-64-ok => MGA2TOO has_procedure mga3-64-ok mga2-32-ok mga2-64-ok
Yeah, sorry. I just looked at the ssl module and I don't even see match_hostname(), so I don't know how to use it either.
Testing complete mag3_32, ok for me nothing to report python works fine.
CC: (none) => geiger.david68210Whiteboard: MGA2TOO has_procedure mga3-64-ok mga2-32-ok mga2-64-ok => MGA2TOO has_procedure mga3-64-ok mga2-32-ok mga2-64-ok mga3-32-ok
Validating. Could sysadmin please push from 2 & 3 core/updates_testing to updates Thanks!
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2013-0250.html
Status: NEW => RESOLVEDCC: (none) => tmbResolution: (none) => FIXED
Looks like I screwed up on this one...the correct CVE is 4238, as it says in the bug title. The advisory has it typoed as 4328. This also happened in the Bug 10391 update.
URL: (none) => http://lwn.net/Vulnerabilities/564820/
Advisory 10989.adv corrected in svn.
CC: (none) => davidwhodgins