A CVE has been assigned for SSL certificate verification issues in Python: http://openwall.com/lists/oss-security/2014/12/11/7 The issue is fixed upstream in 2.7.9 and will be fixed in 3.4.3.
Whiteboard: (none) => MGA4TOO
Link to the Python bug: http://bugs.python.org/issue22417 It seems that the fix for Python 3.4 is this one: https://hg.python.org/cpython/rev/731375f83406 Python 2.7 has been updated to 2.7.9 in Cauldron and Mga4.
Did you ever find out from upstream an ETA on the 3.4.3 release? Do you just want to patch python3?
ETA is here: https://www.python.org/dev/peps/pep-0429/#id2
CC: (none) => mageia
Ahh nice, Feb 22. Thanks Sander!
Philippe, I just checked and 3.4.3 is available upstream. Please update it :o)
ok for mga5, but for mga4 I have to find a way to patch 3.3.x
Sorry, I think that for Mga4 and Python 3.3.x I will say, as Debian does, "Too intrusive to backport" https://security-tracker.debian.org/tracker/CVE-2014-9365 That's too much work and I'm not sure of the result.
OK. We should probably note this in the update advisory.
Some links:
https://lwn.net/Articles/611243/
https://bugzilla.redhat.com/show_bug.cgi?id=1173041
python3* 3.4.3 is in svn now for Cauldron; freeze push asked.
Blocks: (none) => 14674
Python3 3.4.3 uploaded for Cauldron. Python 2.7.9 uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated python packages fix security vulnerability:

When Python's standard library HTTP clients (httplib, urllib, urllib2, xmlrpclib) are used to access resources with HTTPS, by default the certificate is not checked against any trust store, nor is the hostname in the certificate checked against the requested host. It was possible to configure a trust root to be checked against, however there were no faculties for hostname checking (CVE-2014-9365).

Note that this issue also affects python3, and is fixed upstream in version 3.4.3, but the fix was considered too intrusive to backport to Python3 3.3.x. No update for the python3 package for this issue is planned at this time.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9365
https://bugzilla.redhat.com/show_bug.cgi?id=1173041
========================

Updated packages in core/updates_testing:
========================
libpython-devel-2.7.9-1.mga4
libpython2.7-2.7.9-1.mga4
python-2.7.9-1.mga4
python-docs-2.7.9-1.mga4
tkinter-2.7.9-1.mga4
tkinter-apps-2.7.9-1.mga4

from python-2.7.9-1.mga4.src.rpm
CC: (none) => makowski.mageia
Version: Cauldron => 4
Blocks: 14674 => (none)
Assignee: makowski.mageia => qa-bugs
Whiteboard: MGA4TOO => (none)
Severity: normal => major
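As an added illustration (not part of this bug report, the advisory, or any Mageia package), the following Python 3 snippet shows the two settings the advisory is about, trust-store validation and hostname checking, as they appear on an ssl context. The "verifying" context is what `ssl.create_default_context()` (introduced with the 2.7.9 / 3.4.3 fix, PEP 476) produces; the "legacy" context is constructed here to mirror the pre-fix behaviour described above. The function names `make_verifying_context`, `make_legacy_context` and `audit_context` are assumptions of this example, not APIs from the page or from Python. The audit only reads context attributes, so it runs offline and can be pointed at any context an application passes to `urllib.request.urlopen(..., context=ctx)` to confirm it has not been weakened.

```python
import ssl


def make_verifying_context():
    """Return the context that fixed Python (2.7.9 / 3.4.3, PEP 476) uses by
    default: system trust store loaded, chain validation required, and the
    certificate's hostname checked against the requested host."""
    return ssl.create_default_context()


def make_legacy_context():
    """Constructed for this example: a context that behaves like the stdlib
    clients did before the fix, i.e. no trust-store validation and no
    hostname check. Not something to use in production."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # check_hostname must be cleared before verify_mode can drop to CERT_NONE;
    # the ssl module refuses the reverse order with a ValueError.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Return a list of findings describing how `ctx` is weaker than the
    PEP 476 default. An empty list means both checks the advisory names
    (trust-store validation and hostname checking) are enabled."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not validated against a trust store")
    if not ctx.check_hostname:
        findings.append("certificate hostname is not checked against the requested host")
    return findings


def is_hardened(ctx):
    """Convenience wrapper: True only if the audit found nothing."""
    return not audit_context(ctx)


if __name__ == "__main__":
    for label, ctx in (("verifying", make_verifying_context()),
                       ("legacy", make_legacy_context())):
        print(label, "->", audit_context(ctx) or "OK")
```

The audit deliberately inspects only `verify_mode` and `check_hostname`, the two properties the advisory describes, so the same function works whether the context came from `create_default_context()`, was built by hand, or was handed in by third-party code.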
Note that the updated python package was built about three weeks ago. I have been running the updated packages on several machines since that time with no issues. The package also has a build-time test suite.
Testing complete mga4 64 Tested with various python scripts in idle.
Whiteboard: (none) => has_procedure mga4-64-ok
Were your tests 32bit David?
Tested mga4_32. Testing complete for python-2.7.9-1.mga4; all works fine here. Tested with some scripts, with some software using python2, and by building some packages needing python2-devel.
CC: (none) => geiger.david68210
Whiteboard: has_procedure mga4-64-ok => has_procedure mga4-64-ok mga4-32-ok
Validating. Advisory uploaded. Please push to 4 updates. Thanks.
Keywords: (none) => validated_update
Whiteboard: has_procedure mga4-64-ok mga4-32-ok => has_procedure advisory mga4-64-ok mga4-32-ok
CC: (none) => sysadmin-bugs
(In reply to claire robinson from comment #13)
> Were your tests 32bit David?
Yes, as always :o) Thanks Claire, David, and Philippe!
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0091.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/635768/