Red Hat has issued an advisory on May 7: https://access.redhat.com/errata/RHSA-2019:1022 The issue is fixed upstream in 2.8.1.
Fixed for mga6!
CC: (none) => geiger.david68210
Advisory:
========================

Updated python-jinja2 packages fix security vulnerability:

Sandbox escape due to information disclosure via str.format (CVE-2016-10745).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10745
https://access.redhat.com/errata/RHSA-2019:1022
========================

Updated packages in core/updates_testing:
========================

python-jinja2-2.8.1-1.mga6
python3-jinja2-2.8.1-1.mga6

from python-jinja2-2.8.1-1.mga6.src.rpm
Assignee: bugsquad => qa-bugs
Red Hat has issued an advisory today (May 13): https://access.redhat.com/errata/RHSA-2019:1152 The issue is fixed upstream in 2.10.1.
Summary: python-jinja2 new security issue CVE-2016-10745 => python-jinja2 new security issues CVE-2016-10745 and CVE-2019-10906
Assignee: qa-bugs => geiger.david68210
CC: (none) => qa-bugs
Advisory:
========================

Updated python-jinja2 packages fix security vulnerabilities:

Sandbox escape due to information disclosure via str.format (CVE-2016-10745).

str.format_map allows sandbox escape (CVE-2019-10906).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10745
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10906
https://access.redhat.com/errata/RHSA-2019:1022
https://access.redhat.com/errata/RHSA-2019:1152
========================

Updated packages in core/updates_testing:
========================

python-jinja2-2.10.1-1.mga6
python3-jinja2-2.10.1-1.mga6

from python-jinja2-2.10.1-1.mga6.src.rpm
Assignee: geiger.david68210 => qa-bugs
CC: qa-bugs => (none)
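The two advisories above name the primitive but do not show it. The following is an added example, not code from this bug thread or from Jinja2 itself: it demonstrates with the Python 3 standard library alone why a raw str.format or str.format_map on untrusted text is an information-disclosure hole (the field syntax walks attributes, so a template author can read private state or start down the __class__/__init__/__globals__ chain), and how a string.Formatter subclass that checks every attribute step closes both the .format and the .format_map path. The Secret class, the SandboxedFormatter and its is_safe_attribute policy are hypothetical names for this illustration; Jinja2's own jinja2.sandbox module implements the same principle with different internals.

```python
import re
import string


class SecurityError(Exception):
    """Raised when a format field tries to reach something the sandbox forbids."""


class Secret(object):
    """Constructed stand-in for an object handed to an untrusted template."""

    def __init__(self):
        self.public_name = "demo"
        self._token = "s3cr3t-token"  # constructed secret that must not leak


def unsafe_format(fmt, *args, **kwargs):
    """Plain str.format: the field syntax walks attributes and items freely."""
    return fmt.format(*args, **kwargs)


def unsafe_format_map(fmt, mapping):
    """str.format_map has the same reach; a sandbox that only intercepts
    str.format (the CVE-2019-10906 pattern) leaves this path open."""
    return fmt.format_map(mapping)


# Each ".attr" or "[item]" step after the leading argument name.
_STEP = re.compile(r"\.([^.\[]+)|\[([^\]]+)\]")
_HEAD = re.compile(r"[^.\[]*")


class SandboxedFormatter(string.Formatter):
    """string.Formatter that applies an attribute policy while resolving fields.

    Hypothetical illustration of the principle a template sandbox follows;
    it is not jinja2.sandbox.SandboxedFormatter and shares no code with it.
    """

    def is_safe_attribute(self, obj, attr):
        # Underscore-prefixed names cover the classic escape chain
        # (__class__, __init__, __globals__, ...) as well as "private" state.
        return not attr.startswith("_")

    def get_field(self, field_name, args, kwargs):
        head = _HEAD.match(field_name).group(0)
        key = int(head) if head.isdigit() else head
        obj = self.get_value(key, args, kwargs)
        for attr, item in _STEP.findall(field_name[len(head):]):
            if attr:
                if not self.is_safe_attribute(obj, attr):
                    raise SecurityError("access to attribute %r is unsafe" % attr)
                obj = getattr(obj, attr)
            else:
                obj = obj[int(item)] if item.isdigit() else obj[item]
        return obj, key


def sandboxed_format(fmt, *args, **kwargs):
    """Sandboxed replacement for str.format."""
    return SandboxedFormatter().vformat(fmt, args, kwargs)


def sandboxed_format_map(fmt, mapping):
    """Sandboxed replacement for str.format_map: same resolver, so the
    mapping path gets the same policy instead of bypassing it."""
    return SandboxedFormatter().vformat(fmt, (), mapping)


def render_or_block(fmt, *args, **kwargs):
    """Returns the rendered string, or None when the policy blocks a field."""
    try:
        return sandboxed_format(fmt, *args, **kwargs)
    except SecurityError:
        return None


def format_map_or_block(fmt, mapping):
    """Same as render_or_block, for the format_map path."""
    try:
        return sandboxed_format_map(fmt, mapping)
    except SecurityError:
        return None


if __name__ == "__main__":
    s = Secret()
    print(unsafe_format("{0._token}", s))                  # leaks the token
    print(unsafe_format("{0.__class__.__name__}", s))      # first step of the escape chain
    print(unsafe_format_map("{user._token}", {"user": s}))  # format_map leaks too
    print(sandboxed_format("{0.public_name}", s))          # allowed
    print(render_or_block("{0._token}", s))                # None: blocked
    print(render_or_block("{0.__class__.__init__.__globals__}", s))  # None: blocked
    print(format_map_or_block("{user._token}", {"user": s}))         # None: blocked
```

The point for QA is the second CVE: a sandbox that wraps only str.format is incomplete as long as str.format_map reaches the same resolver unguarded, which is why the update moves from 2.8.1 to 2.10.1 rather than stopping at the first fix.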
MGA6-32 MATE on IBM Thinkpad R50e

No installation issues.

Followed test as per bug 12265, the test file and Comment 9.

At CLI:
$ python test.py
Hello. If you see this with no errors then it worked :)

but as this update is also on python3:
$ python3 test.py
  File "test.py", line 4
    print output
               ^
SyntaxError: Missing parentheses in call to 'print'

I am not fluent at python and lack the time now to look into it, so abandoning for now until later or someone else picks the python3 issue up.
CC: (none) => herman.viaene
Replying to Herman comment 6: Yes, the parentheses are required in python3. It is better to write scripts with print( whatever ) for either version of python because python2.7 accepts both forms.

Not in a position to do much testing these days but may pick it up later.

Len
CC: (none) => tarazed25
Changed the test file following Len's hint. Now I get:
$ python test.py
Hello. If you see this with no errors then it worked :)

and

$ python3 test.py
Hello. If you see this with no errors then it worked :)

So OK for me, I will upload the adapted test.py file.
Whiteboard: (none) => MGA6-32-OK
Created attachment 11000 [details]
file adapted to python and python3
Advisory committed to svn. Validating the update.
Keywords: (none) => advisory, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0177.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED