Ubuntu has issued an advisory on October 9: https://usn.ubuntu.com/4151-1/ Cauldron is not affected for python3. Mageia 7 is affected for both.
Whiteboard: (none) => MGA7TOO
Assigning to python stack group. Neither python nor python3 have specific maintainers.
Assignee: bugsquad => python
Are these security issues fixed in the 3.7.5 release? If yes, should we go with this release?
CC: (none) => geiger.david68210
It looks like both fixes are in 3.7.5.
done!
Advisory:
========================

Updated python and python3 packages fix security vulnerabilities:

It was discovered that Python incorrectly parsed certain email addresses. A remote attacker could possibly use this issue to trick Python applications into accepting email addresses that should be denied (CVE-2019-16056).

It was discovered that the Python documentation XML-RPC server incorrectly handled certain fields. A remote attacker could use this issue to execute a cross-site scripting (XSS) attack (CVE-2019-16935).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16056
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16935
https://usn.ubuntu.com/4151-1/
========================

Updated packages in core/updates_testing:
========================
python-2.7.17-1.1.mga7
libpython2.7-2.7.17-1.1.mga7
libpython2.7-stdlib-2.7.17-1.1.mga7
libpython2.7-testsuite-2.7.17-1.1.mga7
libpython-devel-2.7.17-1.1.mga7
python-docs-2.7.17-1.1.mga7
tkinter-2.7.17-1.1.mga7
tkinter-apps-2.7.17-1.1.mga7
python3-3.7.5-1.mga7
libpython3.7-3.7.5-1.mga7
libpython3.7-stdlib-3.7.5-1.mga7
libpython3.7-testsuite-3.7.5-1.mga7
libpython3-devel-3.7.5-1.mga7
python3-docs-3.7.5-1.mga7
tkinter3-3.7.5-1.mga7
tkinter3-apps-3.7.5-1.mga7

from SRPMS:
python-2.7.17-1.1.mga7.src.rpm
python3-3.7.5-1.mga7.src.rpm
Version: Cauldron => 7
Assignee: python => qa-bugs
Whiteboard: MGA7TOO => (none)
Mageia7, x86_64

Installed missing python packages wrt the updates list.

Found a POC for CVE-2019-16935 https://bugs.python.org/issue38243
Not at all sure how to run this:
Launched Chromium browser.
$ python poc.py
In the browser at localhost:8000 "python says 1 " then " test<script> test<script> Methods"
The "1" seems to correspond to the 1 in the code.

Updated the packages. Ran the POC again. Launched chromium browser and saw the same display at localhost:8000. No idea what is going on here so can make no comment about the POC results.

Tested python2.7 by running calibre under strace. The output showed many references to python2.7/site-packages. The application runs fine.
Also ran a simple test script to put python through its paces at an elementary level, including trapping a divide-by-zero floating point exception and prompting for user input. Ran a similar test for python3 but had to remove the user interaction because it seems to work differently in python3.
Ran a few utility scripts for both versions of python - all worked fine.

This looks good for 64-bits.
CC: (none) => tarazed25
Whiteboard: (none) => MGA7-64-OK
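An offline check for the two fixes named in the advisory, added here as an example (it is not code from this bug report, from Mageia or from CPython's test suite): it exercises `email.utils.parseaddr` on the multiple-'@' input behind CVE-2019-16056 and renders the DocXMLRPCServer documentation page in-process, so the escaping of the server title (CVE-2019-16935) can be inspected without launching a browser as in the QA comment above. `strict_parseaddr` is an assumed, defensive wrapper that rejects such addresses on both patched and unpatched interpreters; the other names and the probe strings are constructed for this example.

```python
"""Verification helpers for CVE-2019-16056 and CVE-2019-16935.

Added example; names and probe inputs are constructed, not taken from
the bug report or from CPython.
"""
from email.utils import parseaddr
from xmlrpc.server import SimpleXMLRPCDispatcher, XMLRPCDocGenerator


def strict_parseaddr(value):
    """Parse a header value and accept it only when it yields exactly one
    addr-spec with exactly one '@'.  Returns (realname, addr) or None.

    Defensive wrapper (assumed name): it gives the same answer on a patched
    and on an unpatched interpreter, so application code need not depend on
    which stdlib version is installed.
    """
    realname, addr = parseaddr(value)
    if not addr or addr.count("@") != 1:
        return None
    local, domain = addr.split("@")
    if not local or not domain:
        return None
    # An unpatched parser may silently truncate 'a@b@c.com' to 'a@b'; reject
    # when the input (minus the display name) still carries extra '@' signs.
    rest = value.replace(realname, "", 1) if realname else value
    if rest.count("@") != 1:
        return None
    return realname, addr


def parseaddr_is_patched():
    """True when the stdlib itself rejects an address with two '@' signs
    (what the CVE-2019-16056 fix does: parseaddr returns ('', ''))."""
    return parseaddr("a@b@c.com") == ("", "")


class _DocOnly(SimpleXMLRPCDispatcher, XMLRPCDocGenerator):
    """Documentation generator with no listening socket.

    DocXMLRPCServer mixes these two classes with a socket server; using the
    mixins alone renders the same HTML page purely in memory.
    """

    def __init__(self):
        SimpleXMLRPCDispatcher.__init__(self)
        XMLRPCDocGenerator.__init__(self)


def docserver_escapes_title():
    """True when a '<script>' fragment in the server title reaches the
    generated page only in escaped form (the CVE-2019-16935 fix)."""
    gen = _DocOnly()
    gen.set_server_title("test_title<script>")  # constructed probe value
    page = gen.generate_html_documentation()
    return "test_title<script>" not in page and "test_title&lt;script&gt;" in page


if __name__ == "__main__":
    print("parseaddr fix present :", parseaddr_is_patched())
    print("doc server title escaped:", docserver_escapes_title())
    for sample in ("bob@example.com", '"Bob" <bob@example.com>', "a@b@c.com"):
        print(repr(sample), "->", strict_parseaddr(sample))
```

Run it with the interpreter under test (`python3 check.py`); both probes should report True after the update and the wrapper should return None for the two-'@' sample either way.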
David Geiger, can we address Bug 24997?
Keywords: (none) => feedback
(In reply to David Walser from comment #7)
> David Geiger, can we address Bug 24997?

Yes, these security fixes seem also fixed in python 3.7.5 and python 2.7.17
(In reply to David GEIGER from comment #8)
> (In reply to David Walser from comment #7)
> > David Geiger, can we address Bug 24997?
>
> Yes, these security fixes seem also fixed in python 3.7.5 and python 2.7.17

Good, flushing out then
Keywords: feedback => advisory, validated_update
CC: (none) => tmb, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0318.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
Thanks. We should have added those to the advisory though.
Blocks: (none) => 24997
(In reply to David Walser from comment #11)
> Thanks. We should have added those to the advisory though.

We can add them to the advisory on advisories.mageia.org if someone writes what is missing.
(In reply to Thomas Backlund from comment #12)
> (In reply to David Walser from comment #11)
> > Thanks. We should have added those to the advisory though.
>
> We can add them to the advisory on advisories.mageia.org if someone writes
> what is missing.

https://bugs.mageia.org/show_bug.cgi?id=24997#c5
(In reply to David Walser from comment #13)
> (In reply to Thomas Backlund from comment #12)
> > (In reply to David Walser from comment #11)
> > > Thanks. We should have added those to the advisory though.
> >
> > We can add them to the advisory on advisories.mageia.org if someone writes
> > what is missing.
>
> https://bugs.mageia.org/show_bug.cgi?id=24997#c5

Advisory updated.
This update also fixed CVE-2018-20852: https://lists.opensuse.org/opensuse-updates/2019-08/msg00178.html