openSUSE has issued an advisory on September 1: https://lists.opensuse.org/opensuse-updates/2019-08/msg00221.html
CC: (none) => geiger.david68210, jani.valimaa
Summary: python-sqlalchemy new security issues => python-sqlalchemy new security issues CVE-2019-7164 and CVE-2019-7548
Assigning to philippem as the relevant registered maintainer.
Assignee: bugsquad => makowski.mageia
I thought he left Mageia.
Done updating to latest 1.2.19 release from 1.2.x branch and adding a Debian patch!

Advisory:
========================

Updated python-sqlalchemy packages fix security vulnerabilities:

SQL Injection via the order_by parameter (CVE-2019-7164).

SQL Injection via the group_by parameter (CVE-2019-7548).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7164
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7548
https://lists.opensuse.org/opensuse-updates/2019-08/msg00221.html
========================

Updated packages in core/updates_testing:
========================
python2-sqlalchemy-1.2.19-1.mga7
python3-sqlalchemy-1.2.19-1.mga7

from python-sqlalchemy-1.2.19-1.mga7.src.rpm
Assignee: makowski.mageia => qa-bugs
MGA7-64 Plasma on Lenovo B50
No installation issues
Ref to bug 1738 Comment 5 for testing (gourmet appears in the required list for python2-sqlalchemy), so installed gourmet and imported recipe

$ gourmet
Gtk-Message: 10:59:02.350: Failed to load module "canberra-gtk-module"
No gst player
No windows player
CONTENT TYPE = text/html; charset=UTF-8
emit ('completed',)
emit ('done',)
Doing import of http://www.canadianwineguy.com/2007/08/07/chili-recipe/
<web_import_plugin.generic_web_importer_plugin.GenericWebImporter instance at 0x7f89bc4370a0>
HERE's the data we got: <!DOCTYPE html>
<html lang="en-US">

and a lot more feedback as operations progressed.
Created a shopping list, tried out the units converter, but couldn't get this one to change the units in a shopping list or a displayed recipe, but that is probably just me...
Used anki to test python3-sqlalchemy, also works OK.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene

(In reply to Herman Viaene from comment #5)
> Used anki to test python3-sqlalchemy, also works OK.

Herman, did you use anki before or after updating the glib packages in Bug 25276? If after, I believe it should count as a test of those packages too, and enough verification to give that bug an OK and send it on its way. See Bug 25525 for further information.
CC: (none) => andrewsfarm
Since this is listed as a critical update, I'm sending it along rather than wait for the answer to the question I posed in Comment 6. Herman, if you could try anki as part of a test for Bug 25276, I'd appreciate it. Validating. Advisory in Comment 4.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Keywords: (none) => advisory
CC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0350.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED