OpenSuSE has issued an advisory on March 15:
http://lists.opensuse.org/opensuse-updates/2014-03/msg00044.html

It mentions that they included a patch to fix CVE-2013-1753, and also one of the bugs associated with this advisory (https://bugzilla.novell.com/show_bug.cgi?id=856836) indicates that they may have included additional patches for the CVE-2013-1752 issues which were not fixed in 2.7.6.
Whiteboard: (none) => MGA4TOO, MGA3TOO
A CVE has been assigned for yet another zipfile issue in Python: http://openwall.com/lists/oss-security/2014/03/19/3 The upstream bug and commit to fix it are linked in the message above.
Summary: python new security issue CVE-2013-1753 => python new security issues CVE-2013-1753 and CVE-2013-7338
(In reply to David Walser from comment #1)
> A CVE has been assigned for yet another zipfile issue in Python:
> http://openwall.com/lists/oss-security/2014/03/19/3
>
> The upstream bug and commit to fix it are linked in the message above.

Just when I finished the builds for all Mageia versions :( Seems that I need another push.
Status: NEW => ASSIGNED
(In reply to David Walser from comment #1)
> A CVE has been assigned for yet another zipfile issue in Python:
> http://openwall.com/lists/oss-security/2014/03/19/3
>
> The upstream bug and commit to fix it are linked in the message above.

Philippe has notified me that that one affects python3, not python. Moved to Bug 13052.
Summary: python new security issues CVE-2013-1753 and CVE-2013-7338 => python new security issue CVE-2013-1753
Suggested advisory:
===================

Updated python packages fix security vulnerabilities:

* upstream fix for CVE-2013-1752: multiple unbound readline() DoS flaws in python stdlib
* upstream fixes for CVE-2013-1753: gzip bomb and unbound read DoS flaw in python XMLRPC library

References:
http://lists.opensuse.org/opensuse-updates/2014-03/msg00044.html

Packages:
libpython2.7-2.7.6-1.1.mga4
libpython-devel-2.7.6-1.1.mga4
tkinter-2.7.6-1.1.mga4
tkinter-apps-2.7.6-1.1.mga4
python-2.7.6-1.1.mga4
python-docs-2.7.6-1.1.mga4

libpython2.7-2.7.6-1.1.mga3
libpython-devel-2.7.6-1.1.mga3
tkinter-2.7.6-1.1.mga3
tkinter-apps-2.7.6-1.1.mga3
python-2.7.6-1.1.mga3
python-docs-2.7.6-1.1.mga3

from:
python-2.7.6-1.1.mga3.src
python-2.7.6-1.1.mga4.src
Status: ASSIGNED => NEW
Assignee: makowski.mageia => qa-bugs
CC: (none) => remi
Version: Cauldron => 4
Whiteboard: MGA4TOO, MGA3TOO => MGA4TOO
CC: (none) => makowski.mageia
Hardware: i586 => All
Version: 4 => 3
Version: 3 => 4
Whiteboard: MGA4TOO => MGA3TOO
Thanks Philippe!

Advisory:
========================

Updated python packages fix security vulnerabilities:

Denial of service flaws due to unbound readline() calls in the imaplib, poplib, and smtplib modules (CVE-2013-1752).

A gzip bomb and unbound read denial of service flaw in python XMLRPC library (CVE-2013-1753).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1752
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1753
http://lists.opensuse.org/opensuse-updates/2014-03/msg00044.html
========================

Updated packages in core/updates_testing:
========================
libpython2.7-2.7.6-1.1.mga3
libpython-devel-2.7.6-1.1.mga3
tkinter-2.7.6-1.1.mga3
tkinter-apps-2.7.6-1.1.mga3
python-2.7.6-1.1.mga3
python-docs-2.7.6-1.1.mga3

libpython2.7-2.7.6-1.1.mga4
libpython-devel-2.7.6-1.1.mga4
tkinter-2.7.6-1.1.mga4
tkinter-apps-2.7.6-1.1.mga4
python-2.7.6-1.1.mga4
python-docs-2.7.6-1.1.mga4

from SRPMS:
python-2.7.6-1.1.mga3.src.rpm
python-2.7.6-1.1.mga4.src.rpm
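The two flaw classes the advisory names, an unbounded readline() on a network protocol line and an unbounded gzip expansion in the XML-RPC transport, share one mitigation: cap the amount of data accepted before it is fully read. The following is an added illustration of that cap, not code from this bug thread or from the upstream Python fixes; the function names, the 1 MiB and 2048-byte limits, and the sample inputs are assumptions chosen for the example.

```python
import gzip
import io

# Cap on decompressed XML-RPC payload size. The upstream CVE-2013-1753 fix
# added a max_decode limit to xmlrpclib.gzip_decode; the 1 MiB value here is
# an assumption chosen for this example, not the upstream default.
MAX_DECODE = 1 << 20
# Cap on one protocol line, in the spirit of the CVE-2013-1752 fix for
# imaplib/poplib/smtplib. The 2048-byte value is likewise an assumption.
MAX_LINE = 2048

def gzip_decode_bounded(data, max_decode=MAX_DECODE):
    """Decompress gzip data, refusing to expand beyond max_decode bytes."""
    with gzip.GzipFile(fileobj=io.BytesIO(data), mode="rb") as f:
        # Ask for one byte past the cap: GzipFile decompresses lazily, so an
        # over-sized payload is detected without inflating it in full.
        out = f.read(max_decode + 1)
    if len(out) > max_decode:
        raise ValueError("max gzipped payload length exceeded")
    return out

def readline_bounded(stream, max_line=MAX_LINE):
    """Read one line, refusing lines longer than max_line bytes."""
    line = stream.readline(max_line + 1)
    if len(line) > max_line:
        raise ValueError("line too long")
    return line

def demo():
    # Constructed inputs: a few-KB gzip stream that expands to 4 MiB of
    # zeros (gzip-bomb shape) and a POP3-style reply far longer than MAX_LINE.
    bomb = gzip.compress(b"\0" * (4 << 20))
    small = gzip.compress(b"<methodResponse/>")
    long_line = b"+OK " + b"A" * (MAX_LINE * 2) + b"\r\n"
    results = {"small_ok": gzip_decode_bounded(small) == b"<methodResponse/>"}
    try:
        gzip_decode_bounded(bomb)
        results["bomb_rejected"] = False
    except ValueError:
        results["bomb_rejected"] = True
    try:
        readline_bounded(io.BytesIO(long_line))
        results["long_line_rejected"] = False
    except ValueError:
        results["long_line_rejected"] = True
    results["normal_line"] = readline_bounded(io.BytesIO(b"+OK ready\r\n"))
    return results
```

Both checks read one byte past the limit rather than the whole input, so a hostile peer cannot force the caller to buffer an arbitrary amount before the limit is noticed.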
Blocks: (none) => 12127
Tested on Mga3 32-bit using PySol, IDLE and a few simple scripts of my own with and without Tkinter. No regressions noticed. Will now test Mga4 32-bit. Carolyn
CC: (none) => cmrisolde
Whiteboard: MGA3TOO => MGA3TOO MGA3-32-OK
Same as above for 64-bit except that I couldn't find IDLE - has it been dropped from Mageia? - so I used Eric instead. No regressions noticed. Carolyn
Whiteboard: MGA3TOO MGA3-32-OK => MGA3TOO MGA3-32-OK MGA4-32-OK
It seems that IDLE is included in tkinter-apps (and tkinter3-apps for IDLE3).
Tested on Mga4 64-bit, including IDLE. It seems on Mga3 64-bit IDLE doesn't appear in the applications menu, but it does on the others.

My packages listed for update showed the name lib64python2.7...; the "64" seems to be missing in the above list of RPMs. Ditto for the devel one.

No regressions noted. At the moment I can't test Mga3 64-bit, so I'll have to leave that one to someone else.

Carolyn
Whiteboard: MGA3TOO MGA3-32-OK MGA4-32-OK => MGA3TOO MGA3-32-OK MGA4-32-OK MGA4-64-OK
Tested mga3_64. Testing complete for python-2.7.6-1.1.mga3: nothing to report, and it seems to work fine here with some packages that need python.

lib64python2.7-2.7.6-1.1.mga3
tkinter-2.7.6-1.1.mga3
tkinter-apps-2.7.6-1.1.mga3
python-2.7.6-1.1.mga3
python-docs-2.7.6-1.1.mga3
CC: (none) => geiger.david68210
Whiteboard: MGA3TOO MGA3-32-OK MGA4-32-OK MGA4-64-OK => MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK
Advisory uploaded to svn. Validating the update. Someone from the sysadmin team please push 13041.adv to updates.
Keywords: (none) => validated_update
Whiteboard: MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK => MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK 13041.adv
CC: (none) => davidwhodgins, sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2014-0139.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/591682/