Fedora has issued an advisory on August 16: https://lists.fedoraproject.org/pipermail/package-announce/2013-September/115118.html The update is for python-virtualenv, but the advisory says that it bundles python-setuptools, which actually contains the flaw. The RedHat bug says python-setuptools before 0.7 is affected, which would mean that Cauldron is OK, but Mageia 2 and Mageia 3 are affected. I don't know if our python-virtualenv bundles it too. python-distribute may be affected as well. https://bugzilla.redhat.com/show_bug.cgi?id=994182 Reproducible: Steps to Reproduce:
Whiteboard: (none) => MGA2TOO
So : For python-virtualenv : update mga2 and mga3 to python-virtualenv-1.10.1 , bump mga4 release For python-setuptools : update mga2 and mga3 to python-setuptools 0.9.5 should be safe Agree ?
Any reason for 0.9.5 as opposed to 0.9.8?
Also, what to do about python-distribute? Will the updated setuptools obsolete it?
python-distribute and python-setuptools are the same package
(In reply to Philippe Makowski from comment #4) > python-distribute and python-setuptools are the same package Not on Mageia 3.
that's a non sense python-distribute and python-setuptools are the same code python-distribute should be removed
Packages can't be removed from a stable release, but you could make the python-setuptools update provide/obsolete python-distribute, so that if any users have it installed, it'll get replaced automatically with the update.
(In reply to David Walser from comment #2) > Any reason for 0.9.5 as opposed to 0.9.8? could be 0.9.8 yes, it is just that 0.9.5 was in cauldron for some times, without trouble but 0.9.8 wasn't
python3-setuptools-0.9.8-1.1.mga2.noarch python3-pkg-resources-0.9.8-1.1.mga2.noarch python-pkg-resources-0.9.8-1.1.mga2.noarch python-setuptools-0.9.8-1.1.mga2.noarch python-setuptools-0.9.8-1.1.mga2.src python3-setuptools-0.9.8-2.1.mga3.noarch python3-pkg-resources-0.9.8-2.1.mga3.noarch python-setuptools-0.9.8-2.1.mga3.noarch python-pkg-resources-0.9.8-2.1.mga3.noarch python-setuptools-0.9.8-2.1.mga3.src python-virtualenv-1.10.1-0.1.mga2.noarch python-virtualenv-1.10.1-0.1.mga2.src python-virtualenv-1.10.1-1.1.mga3.noarch python-virtualenv-1.10.1-1.1.mga3.src are uploaded python-setuptools update provide/obsolete python-distribute
Thanks Philippe! Advisory: ======================== Updated python-setuptools and python-virtualenv packages fix security vulnerabilities: easy_install in setuptools before 0.7 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to the default use of the product (CVE-2013-1633). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1633 https://lists.fedoraproject.org/pipermail/package-announce/2013-September/115118.html ======================== Updated packages in core/updates_testing: ======================== python3-setuptools-0.9.8-1.1.mga2 python3-pkg-resources-0.9.8-1.1.mga2 python-pkg-resources-0.9.8-1.1.mga2 python-setuptools-0.9.8-1.1.mga2 python-virtualenv-1.10.1-0.1.mga2 python3-setuptools-0.9.8-2.1.mga3 python3-pkg-resources-0.9.8-2.1.mga3 python-setuptools-0.9.8-2.1.mga3 python-pkg-resources-0.9.8-2.1.mga3 python-virtualenv-1.10.1-1.1.mga3 from SRPMS: python-setuptools-0.9.8-1.1.mga2.src.rpm python-virtualenv-1.10.1-0.1.mga2.src.rpm python-setuptools-0.9.8-2.1.mga3.src.rpm python-virtualenv-1.10.1-1.1.mga3.src.rpm
CC: (none) => makowski.mageiaAssignee: makowski.mageia => qa-bugs
Advisory 11169.adv committed to svn.
CC: (none) => davidwhodgins
For testing, using easy_install --dry-run test. Also easy-install-2.7 and easy-install-3.2. Confirmed that before installing the update all three were reading from Reading http://pypi.python.org/simple/test/ After installing the update, all three are reading from Reading https://pypi.python.org/simple/test/ Testing complete Mageia 2 and 3, one arch on each since it's a noarch package. Someone from the sysadmin team please push 11169.adv to updates.
Keywords: (none) => validated_updateWhiteboard: MGA2TOO => MGA2TOO MGA3-64-OK MGA3-32-OK MGA2-64-OK MGA2-32-OKCC: (none) => sysadmin-bugs
http://advisories.mageia.org/MGASA-2013-0274.html
Status: NEW => RESOLVEDCC: (none) => boklmResolution: (none) => FIXED
CC: boklm => (none)