Debian has issued an advisory on September 28: https://www.debian.org/security/2018/dsa-4307 The python package is also affected (Bug 23061). Mageia 6 is also affected.
Whiteboard: (none) => MGA6TOO
Status comment: (none) => Fixed upstream in 3.6.7 and 3.7.1
Fedora has issued an advisory for this on October 25: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/A7QEHDSATR6O6LCG44EN2DA4QDAYBYWW/
Fixed upstream in 3.6.7: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/DZCWZOKASFWYJPJY3DFOWRX56HX5TV76/
release 3.6.7 already in Cauldron!
CC: (none) => geiger.david68210
Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
3.7.2 also fixes two security issues that also affect older versions: https://docs.python.org/3.7/whatsnew/changelog.html#python-3-7-2-release-candidate-1 https://bugs.python.org/issue34812 https://bugs.python.org/issue34791
Fedora has issued an advisory on January 24: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KQAHRQV4GLSC4MKWUVJELXIIHJ44VI5P/ It fixes one new issue (patch pushed in Cauldron).
Summary: python3 new security issue CVE-2018-14647 => python3 new security issues CVE-2018-14647 and CVE-2019-5010
SUSE has issued an advisory on January 31: http://lists.suse.com/pipermail/sle-security-updates/2019-January/005071.html The new issue, CVE-2018-20406, was fixed in 3.7.1 (so Cauldron is OK).
Summary: python3 new security issues CVE-2018-14647 and CVE-2019-5010 => python3 new security issues CVE-2018-14647, CVE-2018-20406, and CVE-2019-5010
3.7.3 fixes CVE-2019-5010 (already patched in Cauldron) and two other issues: https://bugs.python.org/issue36216 https://bugs.python.org/issue35121
https://docs.python.org/3.7/whatsnew/changelog.html#python-3-7-3-release-candidate-1
Fedora has issued an advisory on March 25: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/L25RTMKCF62DLC2XVSNXGX7C7HXISLVM/ It fixes one new, high-severity security issue. They also patched for the CVE in Comment 7.
Version: 6 => Cauldron
Severity: normal => critical
Whiteboard: (none) => MGA6TOO
Summary: python3 new security issues CVE-2018-14647, CVE-2018-20406, and CVE-2019-5010 => python3 new security issues CVE-2018-14647, CVE-2018-20406, CVE-2019-5010, CVE-2019-9636
CC: (none) => makowski.mageia
Assignee: makowski.mageia => python
Fedora advisory for Python 3.5, which may help us for Mageia 6: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JSKPGPZQNTAULHW4UH63KGOOUIDE4RRB/
Official 3.5.7 and 3.7.3 releases: https://pythoninsider.blogspot.com/2019/03/python-3.html https://pythoninsider.blogspot.com/2019/03/python-373-is-now-available.html
Fedora update to 3.5.7: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/AEZ5IQT7OF7Q2NCGIVABOWYGKO7YU3NJ/
python 3.7.3 submitted on Cauldron!
Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
Status comment: Fixed upstream in 3.6.7 and 3.7.1 => Fixed upstream in 3.5.7 and 3.7.3
python 3.5.7 submitted on mga6!
Advisory:
========================

Updated python3 packages fix security vulnerabilities:

Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat's internal data structures, consuming large amounts of CPU and RAM (CVE-2018-14647).

Modules/_pickle.c in Python before 3.5.7 has an integer overflow via a large LONG_BINPUT value that is mishandled during a "resize to twice the size" attempt. This issue might cause memory exhaustion, but is only relevant if the pickle format is used for serializing tens or hundreds of gigabytes of data (CVE-2018-20406).

A null pointer dereference vulnerability was found in the certificate parsing code in Python. This causes a denial of service to applications when parsing specially crafted certificates. This vulnerability is unlikely to be triggered if the application enables SSL/TLS certificate validation and accepts certificates only from trusted root certificate authorities (CVE-2019-5010).

A vulnerability was found in Python 3.x through 3.5.7. Improper handling of Unicode encoding (with an incorrect netloc) during NFKC normalization could lead to an information disclosure (credentials, cookies, etc. that are cached against a given hostname) in the urllib.parse.urlsplit and urllib.parse.urlparse components. A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly (CVE-2019-9636).

The python3 package has been updated to version 3.5.7, fixing these and other issues.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14647
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20406
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5010
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9636
https://pythoninsider.blogspot.com/2019/03/python-3.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/A7QEHDSATR6O6LCG44EN2DA4QDAYBYWW/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JSKPGPZQNTAULHW4UH63KGOOUIDE4RRB/
========================

Updated packages in core/updates_testing:
========================
python3-3.5.7-1.mga6
libpython3.5-3.5.7-1.mga6
libpython3.5-stdlib-3.5.7-1.mga6
libpython3.5-testsuite-3.5.7-1.mga6
libpython3-devel-3.5.7-1.mga6
python3-docs-3.5.7-1.mga6
tkinter3-3.5.7-1.mga6
tkinter3-apps-3.5.7-1.mga6

from python3-3.5.7-1.mga6.src.rpm
Assignee: python => qa-bugs
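An added example, not code from the Mageia package or from CPython's own patch: a pre-parse check that mirrors the CVE-2019-9636 mitigation shipped in Python 3.5.7 and 3.7.3, which rejects a URL whose netloc gains one of the delimiters `/?#@:` under NFKC normalization. The helper names netloc_is_safe, safe_urlsplit and is_safe_url are assumed for illustration.

```python
import unicodedata
from urllib.parse import SplitResult, urlsplit

# Delimiters urlsplit() relies on to find the host; CVE-2019-9636 was a netloc
# whose non-ASCII characters folded into one of these only after normalization.
_NETLOC_DELIMS = "/?#@:"


def netloc_is_safe(netloc: str) -> bool:
    """True if NFKC normalization cannot introduce a URL delimiter into netloc."""
    if not netloc or all(ord(c) < 128 for c in netloc):
        return True  # pure ASCII: NFKC is a no-op, nothing to check
    # Drop delimiters that are legitimately present (user:pass@host:port) so
    # that only delimiters *created* by normalization count against the URL.
    stripped = netloc
    for c in _NETLOC_DELIMS:
        stripped = stripped.replace(c, "")
    normalized = unicodedata.normalize("NFKC", stripped)
    if stripped == normalized:
        return True  # e.g. IDN hosts with precomposed letters are unchanged
    # Compatibility folding happened; accept it unless a delimiter appeared.
    return not any(c in normalized for c in _NETLOC_DELIMS)


def safe_urlsplit(url: str) -> SplitResult:
    """urlsplit() plus the netloc check; raises ValueError on a folding netloc.

    On a patched interpreter urlsplit() itself already raises for such input,
    so this wrapper is the same gate applied explicitly (and on older builds).
    """
    parts = urlsplit(url)
    if not netloc_is_safe(parts.netloc):
        raise ValueError(
            "netloc %r contains characters that normalize to a URL delimiter"
            % parts.netloc
        )
    return parts


def is_safe_url(url: str) -> bool:
    """Boolean form of safe_urlsplit(), convenient for input validation."""
    try:
        safe_urlsplit(url)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs: an IDN host (accepted) and a host label that
    # NFKC folds into a '/' (rejected), the shape the advisory describes.
    print(is_safe_url("https://b\u00fccher.example/path?q=1"))        # True
    print(is_safe_url("https://example.com\uff0fevil.example/"))      # False
```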
mga6, x86_64 Checked the CVE links but found no POC. python3 used by: blender, cantor, glom, net_monitor, onboard, pitivi, sigil and virtualbox amongst others. Updated the packages. Ran blender under strace and found multiple references to lib64/python3.5. Invoked cantor and specified the python3 backend. Presented with a worksheet containing the python command prompt. Installed onboard and invoked it under strace. It presented a very neat onscreen keyboard which responded to mouse-clicks by echoing the key value to the last terminal raised. The trace contained numerous references to lib64/python3.5. This looks good for 64-bits.
Whiteboard: (none) => MGA6-64-OK
CC: (none) => tarazed25
Advisory committed to svn. Validating the update.
Keywords: (none) => advisory, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0135.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED