Fedora has issued an advisory on November 15:
https://lists.fedoraproject.org/pipermail/package-announce/2013-November/122682.html

They added this patch to fix it (same patch was used for 3.3.0 in Fedora 18):
https://lists.fedoraproject.org/pipermail/package-announce/2013-November/122682.html

Mageia 3 is also affected.

Upstream reference for this issue:
http://bugs.python.org/issue17997#msg194950
Whiteboard: (none) => MGA3TOO
Oops, paste error. The patch is here: http://pkgs.fedoraproject.org/cgit/python3.git/plain/00187-change-match_hostname-to-follow-RFC-6125.patch?id=54afb027bd0b97c24477a536e9b4dfb6fc45b61b
Blocks: (none) => 11726
Suggested advisory:
========================

Updated python3 packages fix security vulnerabilities:

Changed behavior of ssl.match_hostname() to follow RFC 6125 (mga#11785).

References:
https://bugs.mageia.org/show_bug.cgi?id=11785
http://bugs.python.org/issue17997#msg194950

Updated packages in core/updates_testing:
========================
lib64python3-devel-3.3.0-4.5.mga3.x86_64
python3-3.3.0-4.5.mga3.x86_64
tkinter3-apps-3.3.0-4.5.mga3.x86_64
python3-debuginfo-3.3.0-4.5.mga3.i586
tkinter3-3.3.0-4.5.mga3.x86_64
tkinter3-3.3.0-4.5.mga3.i586
tkinter3-apps-3.3.0-4.5.mga3.i586
python3-debuginfo-3.3.0-4.5.mga3.x86_64
lib64python3.3-3.3.0-4.5.mga3.x86_64
libpython3-devel-3.3.0-4.5.mga3.i586
python3-3.3.0-4.5.mga3.i586
libpython3.3-3.3.0-4.5.mga3.i586
python3-docs-3.3.0-4.5.mga3.noarch

Source RPMs:
python3-3.3.0-4.5.mga3.src

Same in Cauldron with python3-3.3.2-13.mga4.src.rpm
Assignee: makowski.mageia => qa-bugs
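The advisory above only names the behaviour change. As an added illustration (my own code, not the Fedora patch or CPython's module), here is a hostname matcher that applies the RFC 6125 section 6.4.3 wildcard rules next to the older unrestricted style of matching, so the difference can be checked on concrete names; the function names and the sample names are constructed for this example.

```python
import re


class CertificateError(ValueError):
    """Raised when a certificate name is too ambiguous to match safely."""


def legacy_match(dn, hostname):
    """Unrestricted matching: every '*' in the certificate name may match
    any dotless string, in any label, without limit.  Shown only to
    contrast with the stricter rules in dnsname_match()."""
    pat = re.escape(dn).replace(r'\*', '[^.]*')
    return re.match(r'\A' + pat + r'\Z', hostname, re.IGNORECASE) is not None


def dnsname_match(dn, hostname, max_wildcards=1):
    """Match one dNSName/CN pattern from a certificate against a hostname
    under the RFC 6125 section 6.4.3 rules (hypothetical helper written
    for this example):
      * a wildcard is honoured only in the left-most label,
      * it never spans a dot, so '*.example.com' covers one label only,
      * more than max_wildcards in that label rejects the name outright,
      * no partial wildcard is applied to an IDNA A-label (xn--...)."""
    if not dn:
        return False
    leftmost, *remainder = dn.split('.')
    wildcards = leftmost.count('*')
    if wildcards > max_wildcards:
        raise CertificateError(
            "too many wildcards in certificate DNS name: %r" % dn)
    if not wildcards:
        # No wildcard: a plain case-insensitive comparison is enough.
        return dn.lower() == hostname.lower()
    if leftmost == '*':
        # '*' on its own matches exactly one non-empty label.
        pats = ['[^.]+']
    elif leftmost.startswith('xn--') or hostname.startswith('xn--'):
        # Partial wildcards are not applied inside IDNA labels: literal only.
        pats = [re.escape(leftmost)]
    else:
        # Partial wildcard such as 'w*.example.com', still within one label.
        pats = [re.escape(leftmost).replace(r'\*', '[^.]*')]
    # Any '*' in the remaining labels is taken literally, never as a wildcard.
    pats.extend(re.escape(frag) for frag in remainder)
    pat = re.compile(r'\A' + r'\.'.join(pats) + r'\Z', re.IGNORECASE)
    return pat.match(hostname) is not None


if __name__ == "__main__":
    # Constructed sample names; the last two are the cases the strict rules
    # refuse while the unrestricted matching would have accepted them.
    for dn, host in [("*.example.com", "www.example.com"),
                     ("*.example.com", "a.b.example.com"),
                     ("*.*.com", "www.example.com"),
                     ("xn--*.example.com", "xn--bcher-kva.example.com")]:
        print("%-20s %-28s legacy=%-5s strict=%s"
              % (dn, host, legacy_match(dn, host), dnsname_match(dn, host)))
```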
Thanks Philippe!

We should add the Fedora advisory to the references too:
https://lists.fedoraproject.org/pipermail/package-announce/2013-November/122682.html

It looks like there may be some other packages affected, like python-setuptools:
https://bugzilla.redhat.com/show_bug.cgi?id=1023742

I wonder if there will be any others, like we had here before:
http://advisories.mageia.org/MGASA-2013-0252.html
http://advisories.mageia.org/MGASA-2013-0250.html
Whiteboard: MGA3TOO => (none)
CC: (none) => makowski.mageia
Version: Cauldron => 3
Fedora is preparing an update for python-setuptools for this also. They patched 0.9.8 (same version we have in Mageia 3) here:
http://pkgs.fedoraproject.org/cgit/python-setuptools.git/commit/?h=f20&id=b920c69c80ac427d531a1ba340a37d3eff6dc1d5

I think that patch makes it use python-backports-ssl_match_hostname, which we don't currently have packaged for Mageia 3.

Based on this commit which updates to 1.3 (version we have in Cauldron), it looks like this issue was fixed upstream in 1.3:
http://pkgs.fedoraproject.org/cgit/python-setuptools.git/commit/?h=f20&id=c8db69c834b038228f74966ff73aaff18a43566b
python-backports-ssl_match_hostname is OK; it has the fix.

About python-setuptools:

Updated packages in core/updates_testing:
========================
python-pkg-resources-0.9.8-2.2.mga3.noarch
python-setuptools-0.9.8-2.2.mga3.noarch
python3-setuptools-0.9.8-2.2.mga3.noarch
python3-pkg-resources-0.9.8-2.2.mga3.noarch

Source RPMs:
python-setuptools-0.9.8-2.2.mga3.src

About python-virtualenv: it uses setuptools v0.9.8, so yes, it could be a candidate, but it is a nightmare since it is bundling setuptools. I will see with Fedora people to work seriously on that (https://bugzilla.redhat.com/show_bug.cgi?id=749378).
Additional info about python-virtualenv: they changed the way they bundle setuptools and it's harder to remove, but it seems that a new version is coming soon that will update the bundled setuptools. If you don't mind, we can wait a little for updating python-virtualenv, or I have to patch the setuptools v0.9.8 they provide as a tar.gz :(

The possible list of others is (according to http://bugs.python.org/issue17997#msg195058):
python-urllib3 < 1.6 (so in our case the mga3 version only)
bzr
python-tornado
python-pip
And also python-requests < 1.2.3, so in our case only mga3, which has a very old version, 0.13.5!
(In reply to Philippe Makowski from comment #6)
> if you don't mind, we can wait a little for updating python-virtualenv

That'll be fine. Thanks!
Updated packages in core/updates_testing:
========================
python-urllib3-1.7.1-1.1.mga3.noarch

Source RPMs:
python-urllib3-1.7.1-1.1.mga3.src
Am I reading correctly that the full list of srpms is:
python3-3.3.0-4.5.mga3.src
python-setuptools-0.9.8-2.2.mga3.src
python-urllib3-1.7.1-1.1.mga3.src

Any others expected?
CC: (none) => davidwhodgins
Whiteboard: (none) => feedback
Blocks: (none) => 10758
Also python-tornado.

Updated packages in core/updates_testing:
========================
python-tornado-doc-2.3-2.2.mga3.noarch
python-tornado-2.3-2.2.mga3.noarch

Source RPMs:
python-tornado-2.3-2.2.mga3.src

Done also in Cauldron with python-tornado-3.1-4.mga4
It looks like python-virtualenv and python-pip are also possibilities. What about python or python-requests or bzr?
(In reply to David Walser from comment #12)
> It looks like python-virtualenv and python-pip are also possibilities. What
> about python or python-requests or bzr?

Will try to do python-requests, bzr, python-pip, python-virtualenv.

About python 2: according to http://bugs.python.org/issue17997#msg195058 it is not affected.
Updated packages in core/updates_testing:
========================
python-requests-0.13.5-2.2.mga3.noarch
bzr-2.5.1-3.2.mga3.i586
bzr-2.5.1-3.2.mga3.x86_64
bzr-debuginfo-2.5.1-3.2.mga3.i586
bzr-debuginfo-2.5.1-3.2.mga3.x86_64
python3-pip-1.3.1-2.2.mga3.noarch
python-pip-1.3.1-2.2.mga3.noarch

Source RPMs:
python-requests-0.13.5-2.2.mga3.src
bzr-2.5.1-3.2.mga3.src
python-pip-1.3.1-2.2.mga3.src

In Cauldron (python-requests does not need to be patched):
bzr-2.6.0-4.mga4
python-pip-1.4.1-4.mga4

For python-virtualenv I suggest to delay it; I will try to solve it with the fix for mga#11283. So for this bug I think we have enough to push and announce.
Thanks Philippe! Removing the feedback marker.
Whiteboard: feedback => (none)
Updated packages in core/updates_testing:
========================
python-virtualenv-1.10.1-1.2.mga3.noarch

Source RPMs:
python-virtualenv-1.10.1-1.2.mga3.src

This also fixes mga#11283.

In Cauldron: python-virtualenv-1.10.1-6.mga4
So here is the full suggested advisory.

Suggested advisory:
========================

Updated python3 packages fix security vulnerabilities:

Changed behavior of ssl.match_hostname() to follow RFC 6125 (mga#11785).

References:
https://bugs.mageia.org/show_bug.cgi?id=11785
http://bugs.python.org/issue17997#msg194950

Updated packages in core/updates_testing:
========================
lib64python3-devel-3.3.0-4.5.mga3.x86_64
python3-3.3.0-4.5.mga3.x86_64
tkinter3-apps-3.3.0-4.5.mga3.x86_64
python3-debuginfo-3.3.0-4.5.mga3.i586
tkinter3-3.3.0-4.5.mga3.x86_64
tkinter3-3.3.0-4.5.mga3.i586
tkinter3-apps-3.3.0-4.5.mga3.i586
python3-debuginfo-3.3.0-4.5.mga3.x86_64
lib64python3.3-3.3.0-4.5.mga3.x86_64
libpython3-devel-3.3.0-4.5.mga3.i586
python3-3.3.0-4.5.mga3.i586
libpython3.3-3.3.0-4.5.mga3.i586
python3-docs-3.3.0-4.5.mga3.noarch
python-virtualenv-1.10.1-1.2.mga3.noarch
python-requests-0.13.5-2.2.mga3.noarch
bzr-2.5.1-3.2.mga3.i586
bzr-2.5.1-3.2.mga3.x86_64
bzr-debuginfo-2.5.1-3.2.mga3.i586
bzr-debuginfo-2.5.1-3.2.mga3.x86_64
python3-pip-1.3.1-2.2.mga3.noarch
python-pip-1.3.1-2.2.mga3.noarch
python-tornado-doc-2.3-2.2.mga3.noarch
python-tornado-2.3-2.2.mga3.noarch
python-urllib3-1.7.1-1.1.mga3.noarch
python-pkg-resources-0.9.8-2.2.mga3.noarch
python-setuptools-0.9.8-2.2.mga3.noarch
python3-setuptools-0.9.8-2.2.mga3.noarch
python3-pkg-resources-0.9.8-2.2.mga3.noarch

Source RPMs:
python3-3.3.0-4.5.mga3.src
python-virtualenv-1.10.1-1.2.mga3.src
python-requests-0.13.5-2.2.mga3.src
bzr-2.5.1-3.2.mga3.src
python-pip-1.3.1-2.2.mga3.src
python-tornado-2.3-2.2.mga3.src
python-urllib3-1.7.1-1.1.mga3.src
python-setuptools-0.9.8-2.2.mga3.src
Please add the Fedora advisory to the References too:
https://lists.fedoraproject.org/pipermail/package-announce/2013-November/122682.html
The Fedora advisory lists CVE-2013-4238, which is for an Input Validation vulnerability in Python. Is that included in this update? Is there a CVE for the ssl.match_hostname fix?
(In reply to Dave Hodgins from comment #19)
> The fedora advisory lists CVE-2013-4238, which is for an Input Validation
> vulnerability in Python.

No, you see that in the change log, but it is not "listed"; it is an old story:
Fri Aug 23 2013 Matej Stuchlik <mstuchli@redhat.com> - 3.3.2-6

> Is that included in this update?

And we also have this fix published: http://advisories.mageia.org/MGASA-2013-0252.html

> Is there a CVE for the ssl.match_hostname fix?

I don't know.
Here's the RedHat bug for this:
https://bugzilla.redhat.com/show_bug.cgi?id=1023742

There doesn't seem to be a CVE for it yet, and I haven't seen one requested on oss-sec.
Advisory 11785.adv committed to svn.
Whiteboard: (none) => advisory
Blocks: (none) => 11283
Blocks: 11726 => (none)
Most testing procedures here: https://bugs.mageia.org/show_bug.cgi?id=10391#c13
Whiteboard: advisory => advisory has_procedure
python-urllib3 procedure:
https://pypi.python.org/pypi/urllib3

import urllib3
http = urllib3.PoolManager()
r = http.request('GET', 'http://google.com/')
print r.status, r.data

python-setuptools procedure:
https://bugs.mageia.org/show_bug.cgi?id=11169#c12
i586
bzr-2.5.1-3.2.mga3.i586
bzr-debuginfo-2.5.1-3.2.mga3.i586
libpython3.3-3.3.0-4.5.mga3.i586
libpython3-devel-3.3.0-4.5.mga3.i586
python3-3.3.0-4.5.mga3.i586
python3-debuginfo-3.3.0-4.5.mga3.i586
python3-docs-3.3.0-4.5.mga3.noarch
python3-pip-1.3.1-2.2.mga3.noarch
python3-pkg-resources-0.9.8-2.2.mga3.noarch
python3-setuptools-0.9.8-2.2.mga3.noarch
python-pip-1.3.1-2.2.mga3.noarch
python-pkg-resources-0.9.8-2.2.mga3.noarch
python-requests-0.13.5-2.2.mga3.noarch
python-setuptools-0.9.8-2.2.mga3.noarch
python-tornado-2.3-2.2.mga3.noarch
python-tornado-doc-2.3-2.2.mga3.noarch
python-urllib3-1.7.1-1.1.mga3.noarch
python-virtualenv-1.10.1-1.2.mga3.noarch
tkinter3-3.3.0-4.5.mga3.i586
tkinter3-apps-3.3.0-4.5.mga3.i586

x86_64
bzr-2.5.1-3.2.mga3.x86_64
bzr-debuginfo-2.5.1-3.2.mga3.x86_64
lib64python3.3-3.3.0-4.5.mga3.x86_64
lib64python3-devel-3.3.0-4.5.mga3.x86_64
python3-3.3.0-4.5.mga3.x86_64
python3-debuginfo-3.3.0-4.5.mga3.x86_64
python3-docs-3.3.0-4.5.mga3.noarch
python3-pip-1.3.1-2.2.mga3.noarch
python3-pkg-resources-0.9.8-2.2.mga3.noarch
python3-setuptools-0.9.8-2.2.mga3.noarch
python-pip-1.3.1-2.2.mga3.noarch
python-pkg-resources-0.9.8-2.2.mga3.noarch
python-requests-0.13.5-2.2.mga3.noarch
python-setuptools-0.9.8-2.2.mga3.noarch
python-tornado-2.3-2.2.mga3.noarch
python-tornado-doc-2.3-2.2.mga3.noarch
python-urllib3-1.7.1-1.1.mga3.noarch
python-virtualenv-1.10.1-1.2.mga3.noarch
tkinter3-3.3.0-4.5.mga3.x86_64
tkinter3-apps-3.3.0-4.5.mga3.x86_64
Updated advisory uploaded with bug 11283 python-virtualenv added.
python-urllib3 doesn't seem to work well with google.com, it doesn't seem to handle the redirect to google.co.uk very well. Substitute mageia.org in the test script to work around.
Testing complete mga3 32

python3/tkinter/tkinter-apps
----------------------------
$ wget -O python3programs.py http://www.annedawson.net/Python3Programs.txt
$ idle3 python3programs.py

Choose Run Module in the Run menu; it'll run in the 2nd window. It ends in a loop which you have to kill with ctrl-c, but it's intentionally so and shows python3 working.

python-pip
----------
# pip install bubbles
Downloading/unpacking bubbles
  Downloading bubbles-0.1.tar.gz (40kB): 40kB downloaded
  Running setup.py egg_info for package bubbles
Installing collected packages: bubbles
  Running setup.py install for bubbles
    warning: build_py: byte-compiling is disabled, skipping.
    warning: install_lib: byte-compiling is disabled, skipping.
Successfully installed bubbles
Cleaning up...

# pip uninstall bubbles
Uninstalling bubbles:
  /usr/lib/python2.7/site-packages/bubbles-0.1-py2.7.egg-info
  /usr/lib/python2.7/site-packages/bubbles/__init__.py
  /usr/lib/python2.7/site-packages/bubbles/backends/__init__.py
  /usr/lib/python2.7/site-packages/bubbles/backends/sql/__init__.py
  /usr/lib/python2.7/site-packages/bubbles/backends/sql/objects.py
  /usr/lib/python2.7/site-packages/bubbles/backends/sql/ops.py
  /usr/lib/python2.7/site-packages/bubbles/backends/sql/utils.py
  /usr/lib/python2.7/site-packages/bubbles/backends/text/__init__.py
  /usr/lib/python2.7/site-packages/bubbles/backends/text/objects.py
  /usr/lib/python2.7/site-packages/bubbles/common.py
  /usr/lib/python2.7/site-packages/bubbles/core.py
  /usr/lib/python2.7/site-packages/bubbles/datautil.py
  /usr/lib/python2.7/site-packages/bubbles/doc.py
  /usr/lib/python2.7/site-packages/bubbles/errors.py
  /usr/lib/python2.7/site-packages/bubbles/extensions.py
  /usr/lib/python2.7/site-packages/bubbles/iterator.py
  /usr/lib/python2.7/site-packages/bubbles/metadata.py
  /usr/lib/python2.7/site-packages/bubbles/objects.py
  /usr/lib/python2.7/site-packages/bubbles/pipeline.py
  /usr/lib/python2.7/site-packages/bubbles/stores.py
  /usr/lib/python2.7/site-packages/bubbles/urlresource.py
Proceed (y/n)? y
  Successfully uninstalled bubbles

python-setuptools
-----------------
# easy_install bubbles
Searching for bubbles
Reading https://pypi.python.org/simple/bubbles/
Best match: bubbles 0.1
Downloading https://pypi.python.org/packages/source/b/bubbles/bubbles-0.1.tar.gz#md5=8c934d1609c700d3180107871b10d6d5
Processing bubbles-0.1.tar.gz
Writing /tmp/easy_install-eb92K3/bubbles-0.1/setup.cfg
Running bubbles-0.1/setup.py -q bdist_egg --dist-dir /tmp/easy_install-eb92K3/bubbles-0.1/egg-dist-tmp-bIllvD
warning: build_py: byte-compiling is disabled, skipping.
warning: install_lib: byte-compiling is disabled, skipping.
zip_safe flag not set; analyzing archive contents...
Adding bubbles 0.1 to easy-install.pth file

Installed /usr/lib/python2.7/site-packages/bubbles-0.1-py2.7.egg
Processing dependencies for bubbles
Finished processing dependencies for bubbles

# pip uninstall bubbles
Uninstalling bubbles:
  /usr/lib/python2.7/site-packages/bubbles-0.1-py2.7.egg
Proceed (y/n)? y
  Successfully uninstalled bubbles

python-tornado
--------------
$ cat helloworld.py
import tornado.ioloop
import tornado.web

class MainHandler(tornado.web.RequestHandler):
    def get(self):
        self.write("Hello, world")

application = tornado.web.Application([
    (r"/", MainHandler),
])

if __name__ == "__main__":
    application.listen(8888)
    tornado.ioloop.IOLoop.instance().start()

$ python helloworld.py

In another terminal tab..
$ curl http://localhost:8888
Hello, world

python-requests
---------------
$ cat test.py
import requests
r = requests.get('https://mageia.org')
print r.text

$ python test.py
<!DOCTYPE html>
<html dir="ltr" lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Home of the Mageia project </title>
...etc

python-urllib3
--------------
$ cat test.py
import urllib3
http = urllib3.PoolManager()
r = http.request('GET', 'http://mageia.org')
print r.status, r.data

$ python test.py
200 <!DOCTYPE html>
<html dir="ltr" lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Home of the Mageia project </title>
...etc

python-virtualenv
-----------------
$ cd test
$ virtualenv .
$ source bin/activate
$ pip install fabric

Resulting dirs can be deleted when done.

bzr
---
Followed https://bugs.mageia.org/show_bug.cgi?id=10391#c13
Forgot python3-setuptools & python3-pip

# python3-pip install bubbles
Downloading/unpacking bubbles
  Running setup.py egg_info for package bubbles
Installing collected packages: bubbles
  Running setup.py install for bubbles
    warning: build_py: byte-compiling is disabled, skipping.
    warning: install_lib: byte-compiling is disabled, skipping.
Successfully installed bubbles
Cleaning up...

# python3-pip uninstall bubbles
Uninstalling bubbles:
  /usr/lib/python3.3/site-packages/bubbles-0.1-py3.3.egg-info
  /usr/lib/python3.3/site-packages/bubbles/__init__.py
  /usr/lib/python3.3/site-packages/bubbles/backends/__init__.py
  /usr/lib/python3.3/site-packages/bubbles/backends/sql/__init__.py
  /usr/lib/python3.3/site-packages/bubbles/backends/sql/objects.py
  /usr/lib/python3.3/site-packages/bubbles/backends/sql/ops.py
  /usr/lib/python3.3/site-packages/bubbles/backends/sql/utils.py
  /usr/lib/python3.3/site-packages/bubbles/backends/text/__init__.py
  /usr/lib/python3.3/site-packages/bubbles/backends/text/objects.py
  /usr/lib/python3.3/site-packages/bubbles/common.py
  /usr/lib/python3.3/site-packages/bubbles/core.py
  /usr/lib/python3.3/site-packages/bubbles/datautil.py
  /usr/lib/python3.3/site-packages/bubbles/doc.py
  /usr/lib/python3.3/site-packages/bubbles/errors.py
  /usr/lib/python3.3/site-packages/bubbles/extensions.py
  /usr/lib/python3.3/site-packages/bubbles/iterator.py
  /usr/lib/python3.3/site-packages/bubbles/metadata.py
  /usr/lib/python3.3/site-packages/bubbles/objects.py
  /usr/lib/python3.3/site-packages/bubbles/pipeline.py
  /usr/lib/python3.3/site-packages/bubbles/stores.py
  /usr/lib/python3.3/site-packages/bubbles/urlresource.py
Proceed (y/n)? y
  Successfully uninstalled bubbles

# easy_install-3.3 bubbles
Searching for bubbles
Reading https://pypi.python.org/simple/bubbles/
Best match: bubbles 0.1
Downloading https://pypi.python.org/packages/source/b/bubbles/bubbles-0.1.tar.gz#md5=8c934d1609c700d3180107871b10d6d5
Processing bubbles-0.1.tar.gz
Writing /tmp/easy_install-c9_alu/bubbles-0.1/setup.cfg
Running bubbles-0.1/setup.py -q bdist_egg --dist-dir /tmp/easy_install-c9_alu/bubbles-0.1/egg-dist-tmp-snha8e
warning: build_py: byte-compiling is disabled, skipping.
warning: install_lib: byte-compiling is disabled, skipping.
zip_safe flag not set; analyzing archive contents...
Adding bubbles 0.1 to easy-install.pth file

Installed /usr/lib/python3.3/site-packages/bubbles-0.1-py3.3.egg
Processing dependencies for bubbles
Finished processing dependencies for bubbles

# python3-pip uninstall bubbles
Uninstalling bubbles:
  /usr/lib/python3.3/site-packages/bubbles-0.1-py3.3.egg
Proceed (y/n)? y
  Successfully uninstalled bubbles
Whiteboard: advisory has_procedure => advisory has_procedure mga3-32-ok
In VirtualBox, M3, KDE, 32-bit

Package(s) under test: python

[root@localhost wilcal]# urpmi python
Package python-2.7.5-1.2.mga3.i586 is already installed

Install calibre and dia
runs calibre and dia from desktop icons

Install python updates from nonfree updates_testing:

[root@localhost wilcal]# urpmi python
Package python-2.7.5-1.3.mga3.i586 is already installed

runs calibre and dia from desktop icons

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
VirtualBox 4.2.16-1.mga3.x86_64.rpm
CC: (none) => wilcal.int
The python 2.7 version is being updated in bug 10758, William. It's a bit confusing, as we had multiple bugs for the same packages and the bug numbers are very similar too. This bug is for python3 and some python & python3 modules.
Testing mga3 64
Testing complete mga3 64

Validating. Could sysadmin please push from 3 core/updates_testing to updates?

Thanks!
Keywords: (none) => validated_update
Whiteboard: advisory has_procedure mga3-32-ok => advisory has_procedure mga3-32-ok mga3-64-ok
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2013-0376.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
CVE-2013-7440 has been allocated for this: http://openwall.com/lists/oss-security/2015/05/21/12
Summary: python3 yet another ssl.match_hostname() security issue => python3 yet another ssl.match_hostname() security issue (CVE-2013-7440)