So :
For python-virtualenv :
update mga2 and mga3 to python-virtualenv-1.10.1 , bump mga4 release

For python-setuptools :
update mga2 and mga3 to python-setuptools 0.9.5 should be safe

Agree ?

Any reason for 0.9.5 as opposed to 0.9.8?

Also, what to do about python-distribute?  Will the updated setuptools obsolete it?

python-distribute and python-setuptools are the same package

(In reply to Philippe Makowski from comment #4)
> python-distribute and python-setuptools are the same package

Not on Mageia 3.

that's a non sense python-distribute and python-setuptools are the same code
python-distribute should be removed

Packages can't be removed from a stable release, but you could make the python-setuptools update provide/obsolete python-distribute, so that if any users have it installed, it'll get replaced automatically with the update.

(In reply to David Walser from comment #2)
> Any reason for 0.9.5 as opposed to 0.9.8?

could be 0.9.8 yes, it is just that 0.9.5 was in cauldron for some times, without trouble but 0.9.8 wasn't

python3-setuptools-0.9.8-1.1.mga2.noarch 
python3-pkg-resources-0.9.8-1.1.mga2.noarch
python-pkg-resources-0.9.8-1.1.mga2.noarch
python-setuptools-0.9.8-1.1.mga2.noarch 
python-setuptools-0.9.8-1.1.mga2.src

python3-setuptools-0.9.8-2.1.mga3.noarch 
python3-pkg-resources-0.9.8-2.1.mga3.noarch
python-setuptools-0.9.8-2.1.mga3.noarch 
python-pkg-resources-0.9.8-2.1.mga3.noarch
python-setuptools-0.9.8-2.1.mga3.src

python-virtualenv-1.10.1-0.1.mga2.noarch
python-virtualenv-1.10.1-0.1.mga2.src 

python-virtualenv-1.10.1-1.1.mga3.noarch
python-virtualenv-1.10.1-1.1.mga3.src 

are uploaded

python-setuptools update provide/obsolete python-distribute

Thanks Philippe!

Advisory:
========================

Updated python-setuptools and python-virtualenv packages fix security
vulnerabilities:

easy_install in setuptools before 0.7 uses HTTP to retrieve packages from the
PyPI repository, and does not perform integrity checks on package contents,
which allows man-in-the-middle attackers to execute arbitrary code via a
crafted response to the default use of the product (CVE-2013-1633).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1633
https://lists.fedoraproject.org/pipermail/package-announce/2013-September/115118.html
========================

Updated packages in core/updates_testing:
========================
python3-setuptools-0.9.8-1.1.mga2
python3-pkg-resources-0.9.8-1.1.mga2
python-pkg-resources-0.9.8-1.1.mga2
python-setuptools-0.9.8-1.1.mga2
python-virtualenv-1.10.1-0.1.mga2
python3-setuptools-0.9.8-2.1.mga3
python3-pkg-resources-0.9.8-2.1.mga3
python-setuptools-0.9.8-2.1.mga3
python-pkg-resources-0.9.8-2.1.mga3
python-virtualenv-1.10.1-1.1.mga3

from SRPMS:
python-setuptools-0.9.8-1.1.mga2.src.rpm
python-virtualenv-1.10.1-0.1.mga2.src.rpm
python-setuptools-0.9.8-2.1.mga3.src.rpm
python-virtualenv-1.10.1-1.1.mga3.src.rpm

CC: (none) => makowski.mageia
Assignee: makowski.mageia => qa-bugs

Advisory 11169.adv committed to svn.

CC: (none) => davidwhodgins

For testing, using easy_install --dry-run test. Also easy-install-2.7 and
easy-install-3.2.
Confirmed that before installing the update all three were reading from
Reading http://pypi.python.org/simple/test/
After installing the update, all three are reading from
Reading https://pypi.python.org/simple/test/

Testing complete Mageia 2 and 3, one arch on each since it's a noarch package.

Someone from the sysadmin team please push 11169.adv to updates.

Keywords: (none) => validated_update
Whiteboard: MGA2TOO => MGA2TOO MGA3-64-OK MGA3-32-OK MGA2-64-OK MGA2-32-OK
CC: (none) => sysadmin-bugs

http://advisories.mageia.org/MGASA-2013-0274.html

Status: NEW => RESOLVED
CC: (none) => boklm
Resolution: (none) => FIXED