Alvaro Munoz and Christian Schneider discovered that jython, an implementation of the Python language seamlessly integrated with Java, is prone to arbitrary code execution triggered when sending a serialized function to the deserializer.
Are we affected? We have jython-2.2.1-18.mga5 in stable and jython-2.7-3.mga6 in cauldron
Whiteboard: (none) => MGA5TOO??
Assignee: bugsquad => mageia
CC: (none) => geiger.david68210, marja11
The actual source of this bug is a Debian advisory from June 22: https://www.debian.org/security/2017/dsa-3893 I don't see any information saying that certain versions aren't vulnerable, so I'd assume Mageia 5 and Cauldron both are affected.
Whiteboard: MGA5TOO?? => MGA5TOO
Source RPM: jython => jython-2.7-3.mga6.src.rpm
CC: (none) => luigiwalser
Summary: jython security vulnerability CVE-2016-4000 => jython new security issue CVE-2016-4000
URL: http://www.linuxsecurity.com/content/view/171882/ => (none)
Should this hold up the release of M6?
CC: (none) => wilcal.int
(In reply to William Kenney from comment #3)
> Should this hold up the release of M6?

Please don't go around wasting our time posting that to every security bug.
I just wanted to note that Nicolas backported a patch from Debian to fix this in Cauldron, but the build failed with a weird error.
jython-2.7-4.mga6 uploaded for Cauldron by Nicolas and David. Thanks!
Whiteboard: MGA5TOO => (none)
Version: Cauldron => 5
For mga5 I think that our 2.2.1 release is not affected; there are some missing files between the source tarball and the patch. I think also that this version is very, very old. Also, no other distributions have fixed this CVE for the 2.2.1 release.
Thanks. We can reopen if someone fixes it for 2.2.1.
Status: NEW => RESOLVED
Resolution: (none) => FIXED
Version: 5 => Cauldron