Fedora has issued an advisory on September 13: https://lists.fedoraproject.org/pipermail/package-announce/2014-September/138701.html

It looks like we fixed CVE-2013-4347 in Bug 11224, but didn't fix CVE-2013-4346 at that time, but Fedora's advisory says both were fixed, thanks to Philippe Makowski. So either they were mistaken or there's another patch we can use.
(In reply to David Walser from comment #0)
> Fedora has issued an advisory on September 13:
> https://lists.fedoraproject.org/pipermail/package-announce/2014-September/138701.html
>
> It looks like we fixed CVE-2013-4347 in Bug 11224, but didn't fix
> CVE-2013-4346 at that time, but Fedora's advisory says both were fixed,
> thanks to Philippe Makowski.

We did "mga 11224 multiple vulnerabilities in python-oauth2 (CVE-2013-4346, CVE-2013-4347)": http://svnweb.mageia.org/packages/updates/3/python-oauth2/current/SPECS/python-oauth2.spec?r1=417316&r2=532500

In fact, Fedora applied my patches, but read https://bugs.mageia.org/show_bug.cgi?id=11224#c13: we chose to do nothing for CVE-2013-4346.
Yes I know all of that. What I'm asking is, did Fedora actually do something for CVE-2013-4346 (i.e., is there something we *can* do), or were they mistaken in including that CVE in their advisory?
They weren't mistaken: they applied my fix, and we decided not to apply it. So they are right to say that they fixed CVE-2013-4346, even if we decided that we can't, because we didn't want what Claire qualified as "some regression". As I said: "if someone wants to use this skeletal implementation, he has to be aware of CVE-2013-4346 and take care of this in his own code."
OK.
Status: NEW => RESOLVED
Resolution: (none) => WONTFIX