Fedora has issued an advisory on August 11:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZUW7L4QUAC5FZ6DWR4NL7TNTEM73DQYU/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2YW45Y2P67PX7CI2K6WVFJTQTUIO452O/

This is another instance of the "httpoxy" problem.
CVE: (none) => CVE-2016-1000110
Version: Cauldron => 5
Python3 and Python updated in Cauldron.

Advisory:
========================

Updated python and python3 packages fix security vulnerability:

Fix for CVE-2016-1000110 HTTPoxy attack

Many software projects and vendors have implemented support for the "Proxy" request header in their respective CGI implementations and languages by creating the "HTTP_PROXY" environmental variable based on the header value. When this variable is used (in many cases automatically by various HTTP client libraries) any outgoing requests generated in turn from the attacker's original request can be redirected to an attacker-controlled proxy. This allows attackers to view potentially sensitive information, reply with malformed data, or to hold connections open causing a potential denial of service.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1359175
http://lwn.net/Vulnerabilities/697141/
https://bugs.python.org/issue27568
========================

Updated packages in core/updates_testing:
========================
python3-3.4.3-1.5.mga5
libpython3.4-3.4.3-1.5.mga5.i586
libpython3-devel-3.4.3-1.5.mga5
python3-docs-3.4.3-1.5.mga5
tkinter3-3.4.3-1.5.mga5
tkinter3-apps-3.4.3-1.5.mga5
python-2.7.9-2.4.mga5
libpython2.7-2.7.9-2.4.mga5
libpython-devel-2.7.9-2.4.mga5
python-docs-2.7.9-2.4.mga5
tkinter-2.7.9-2.4.mga5
tkinter-apps-2.7.9-2.4.mga5

from python3-3.2.3-1.3.mga5.src.rpm
python-2.7.9-2.4.mga5.src.rpm
Assignee: makowski.mageia => qa-bugs
Created attachment 8350: test case
before update:

$ python CVE-2016-1000110.py
F
======================================================================
FAIL: test_proxy_cgi_ignore (__main__.TestCVE)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "CVE-2016-1000110.py", line 23, in test_proxy_cgi_ignore
    self.assertNotIn('http', proxies)
AssertionError: 'http' unexpectedly found in {'http': 'http://somewhere:3128'}

----------------------------------------------------------------------
Ran 1 test in 0.000s

FAILED (failures=1)

$ python3 CVE-2016-1000110.py
F
======================================================================
FAIL: test_proxy_cgi_ignore (__main__.TestCVE)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "CVE-2016-1000110.py", line 23, in test_proxy_cgi_ignore
    self.assertNotIn('http', proxies)
AssertionError: 'http' unexpectedly found in {'http': 'http://somewhere:3128'}

----------------------------------------------------------------------
Ran 1 test in 0.001s

FAILED (failures=1)

after update:

$ python CVE-2016-1000110.py
.
----------------------------------------------------------------------
Ran 1 test in 0.000s

OK

$ python3 CVE-2016-1000110.py
.
----------------------------------------------------------------------
Ran 1 test in 0.001s

OK
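The attached test case is not reproduced on this page, so here is an added, self-contained check of the same behaviour (example code, not the attachment and not Mageia's or upstream's own code). It builds the CGI meta-variables a gateway derives from request headers, which is how a client's "Proxy:" header becomes HTTP_PROXY, then asks urllib's proxy discovery what it would use. A fixed interpreter ignores HTTP_PROXY whenever REQUEST_METHOD is set (the CGI marker the upstream fix keys on), still honours it outside CGI, and still lets an operator-set lowercase http_proxy through. The header value and the proxy URLs are constructed for the example; it targets Python 3 only (under Python 2 the function lives in urllib).

```python
import os
from urllib.request import getproxies_environment

# Constructed attacker-supplied header value (example only).
ATTACKER_PROXY = "http://somewhere:3128"
# Constructed operator-configured proxy (example only).
OPERATOR_PROXY = "http://proxy.example:8080"


def cgi_meta_variables(headers, method="GET"):
    """Build the CGI meta-variables a gateway derives from request headers.

    Per the CGI convention each request header becomes HTTP_<NAME>, with
    '-' replaced by '_' and upper-cased, so a client's 'Proxy:' header
    lands in the environment as HTTP_PROXY, the name HTTP clients read.
    """
    env = {"REQUEST_METHOD": method}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def proxies_seen_by_python(env):
    """Run urllib's environment-based proxy discovery against `env`.

    os.environ is swapped out and restored so the check is hermetic and
    does not depend on the caller's real proxy settings.
    """
    saved = dict(os.environ)
    os.environ.clear()
    os.environ.update(env)
    try:
        return getproxies_environment()
    finally:
        os.environ.clear()
        os.environ.update(saved)


def httpoxy_check():
    """Return the proxy maps urllib derives for three environments.

    cgi_result:      CGI request carrying a hostile Proxy: header; on a fixed
                     interpreter 'http' must be absent (HTTP_PROXY ignored).
    cli_result:      same variable with no REQUEST_METHOD, i.e. a normal
                     command-line process; HTTP_PROXY is still honoured.
    operator_result: CGI request plus a lowercase http_proxy set by the
                     operator; that value is kept because only the
                     all-uppercase spelling can come from a client header.
    """
    cgi_env = cgi_meta_variables({"Proxy": ATTACKER_PROXY})
    cgi_result = proxies_seen_by_python(cgi_env)

    cli_env = {"HTTP_PROXY": ATTACKER_PROXY}
    cli_result = proxies_seen_by_python(cli_env)

    operator_env = dict(cgi_env, http_proxy=OPERATOR_PROXY)
    operator_result = proxies_seen_by_python(operator_env)

    return cgi_result, cli_result, operator_result


if __name__ == "__main__":
    cgi, cli, operator = httpoxy_check()
    print("CGI request with Proxy: header ->", cgi)
    print("non-CGI HTTP_PROXY             ->", cli)
    print("CGI request with http_proxy    ->", operator)
```

On an unpatched interpreter the first map comes back as {'http': 'http://somewhere:3128'}, which is the failure the attached test reports above; on a patched one it is empty. The check is Linux/Unix-specific: on Windows os.environ upper-cases keys, so the lowercase http_proxy case cannot be distinguished there.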
CC: (none) => makowski.mageia
Whiteboard: (none) => has_procedure MGA5-64-OK
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-64-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs
Advisory seems to list wrong package:

Checking SRPMs… ✗ (5/core/python3-3.2.3-1.3.mga5)
CC: (none) => pterjan
Advisory fixed, there was a typo in comment 1 which was reproduced in SVN.
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0296.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED