SUSE has issued advisories on February 25 and 27 (today): http://lists.suse.com/pipermail/sle-security-updates/2020-February/006520.html http://lists.suse.com/pipermail/sle-security-updates/2020-February/006545.html Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
No registered maintainers for these, so assigning globally; CC'ing a couple of packagers who have committed them recently.
Assignee: bugsquad => pkg-bugs
CC: (none) => geiger.david68210, thierry.vignaud
I just remembered there is a Python group.
Assignee: pkg-bugs => python
openSUSE has issued an advisory for this on March 2 (for python3): https://lists.opensuse.org/opensuse-updates/2020-03/msg00013.html
Ubuntu has issued an advisory for CVE-2020-8492 on April 21: https://usn.ubuntu.com/4333-1/ Note that we are not vulnerable to CVE-2019-18348 because it was fixed in glibc.
openSUSE advisory for python CVE-2019-9674 from May 23: https://lists.opensuse.org/opensuse-updates/2020-05/msg00109.html
Blocks: (none) => 26894
IIUC there's no real fix for CVE-2019-9674, yet. Only a documentation update. Upstream bug report: https://bugs.python.org/issue36260.
CC: (none) => jani.valimaa
Yes sometimes a documentation update is the only fix we get.
Ubuntu has issued an advisory on July 22: https://ubuntu.com/security/notices/USN-4428-1
It adds some new CVEs and we now see that all of them also affect Python 2.7. CVE-2019-17514 is only a documentation fix, but that's fine.
According to Ubuntu, CVE-2020-15801 that I mentioned below is Windows-specific: https://bugs.mageia.org/show_bug.cgi?id=26894#c5
I'm not sure if these affect Python 2.7: BPO-39603 BPO-41288
I'm also closing Bug 26894 and merging it into this one.
So python3 in Cauldron should have all of these fixed, but python (2.7) still needs to be fixed, as does Mageia 7.
Summary: python/python3 new security issues CVE-2019-9674 and CVE-2020-8492 => python/python3 new security issues CVE-2019-9674, CVE-2019-17514, CVE-2019-20907, CVE-2020-8492, CVE-2020-14422
*** Bug 26894 has been marked as a duplicate of this bug. ***
Blocks: 26894 => (none)
So CVE-2019-9674, CVE-2019-20907 and CVE-2020-8492 are now applied in python-2.7.18-2.mga8. BPO-39603 and BPO-41288 seem not to affect python 2.7.
I added the fix for CVE-2019-17514 in python (2.7) and it looks like CVE-2020-14422 actually does not affect it.
Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
Fedora has issued an advisory on October 5: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BW4GCLQISJCOEGQNIMVUZDQMIY6RR6CC/ It fixes a new issue, CVE-2020-26116, in Python 2. It's already fixed in python3 3.8.5 in Cauldron (but will need to be fixed in python3 in Mageia 7 as well).
Version: 7 => Cauldron
Whiteboard: (none) => MGA7TOO
Summary: python/python3 new security issues CVE-2019-9674, CVE-2019-17514, CVE-2019-20907, CVE-2020-8492, CVE-2020-14422 => python/python3 new security issues CVE-2019-9674, CVE-2019-17514, CVE-2019-20907, CVE-2020-8492, CVE-2020-14422, CVE-2020-26116
Ubuntu has issued an advisory for the new issue today (October 14): https://ubuntu.com/security/notices/USN-4581-1
RedHat has issued an advisory for python2 today (October 20): https://access.redhat.com/errata/RHSA-2020:4273
RedHat has issued an advisory for python3 on October 20: https://access.redhat.com/errata/RHSA-2020:4299
RedHat has issued an advisory for python3 on November 3: https://access.redhat.com/errata/RHSA-2020:4433
So CVE-2019-9674, CVE-2019-20907, CVE-2020-8492, CVE-2019-17514 and CVE-2020-26116 are now applied in python-2.7.18-1.1.mga7, and CVE-2020-26116 is now also applied in python-2.7.18-5.mga8.
New python3-3.7.9-1.mga7 should also fix all security issues.
Package list below. Advisory to come later.

python-2.7.18-1.1.mga7
libpython2.7-2.7.18-1.1.mga7
libpython2.7-stdlib-2.7.18-1.1.mga7
libpython2.7-testsuite-2.7.18-1.1.mga7
libpython-devel-2.7.18-1.1.mga7
python-docs-2.7.18-1.1.mga7
tkinter-2.7.18-1.1.mga7
tkinter-apps-2.7.18-1.1.mga7
python3-3.7.9-1.mga7
libpython3.7-3.7.9-1.mga7
libpython3.7-stdlib-3.7.9-1.mga7
libpython3.7-testsuite-3.7.9-1.mga7
libpython3-devel-3.7.9-1.mga7
python3-docs-3.7.9-1.mga7
tkinter3-3.7.9-1.mga7
tkinter3-apps-3.7.9-1.mga7

from SRPMS:
python-2.7.18-1.1.mga7.src.rpm
python3-3.7.9-1.mga7.src.rpm
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
Assignee: python => qa-bugs
Advisory:
========================

Updated python and python3 packages fix security vulnerabilities:

It was discovered that Python incorrectly handled certain ZIP files. An attacker could possibly use this issue to cause a denial of service (CVE-2019-9674).

It was discovered that Python documentation had misleading information. A security issue could possibly be caused by wrong assumptions about this information (CVE-2019-17514).

It was discovered that Python incorrectly handled certain TAR archives. An attacker could possibly use this issue to cause a denial of service (CVE-2019-20907).

It was discovered that Python incorrectly handled certain HTTP requests. An attacker could possibly use this issue to cause a denial of service (CVE-2020-8492).

It was discovered that Python incorrectly handled certain IP values. An attacker could possibly use this issue to cause a denial of service (CVE-2020-14422).

It was discovered that Python incorrectly handled certain character sequences. A remote attacker could possibly use this issue to perform CRLF injection (CVE-2020-26116).

The CVE-2020-14422 issue only affected python3.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9674
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17514
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20907
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8492
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14422
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26116
https://ubuntu.com/security/notices/USN-4428-1
https://ubuntu.com/security/notices/USN-4333-1
https://ubuntu.com/security/notices/USN-4581-1
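For the CVE-2020-26116 item in the advisory above, the following is an added illustration (not code from this bug report, from CPython or from the Mageia packages) of what the http.client fix prevents. It contrasts a request line built by naive string formatting, where a CR/LF pair inside the HTTP method smuggles an attacker-chosen header line into the request, with the patched stdlib, which refuses such a method in putrequest() before anything is sent. The hostname example.invalid and the X-Injected header are constructed for the demonstration; putrequest() only buffers the request line, so no connection is opened.

```python
import http.client

# Constructed sample input: an HTTP "method" carrying an embedded CRLF
# followed by an attacker-chosen header line (not taken from the advisory).
INJECTED_METHOD = "GET\r\nX-Injected: yes"


def naive_request_line(method: str, path: str) -> bytes:
    """Build a request line with plain string formatting and no
    control-character check, i.e. the unsafe pattern the fix guards against."""
    return ("%s %s HTTP/1.1\r\n" % (method, path)).encode("ascii")


def lines_seen_by_server(method: str, path: str) -> list:
    """Split the naively built request on CRLF, as an HTTP server parser would.
    A second element means the method injected an extra line."""
    raw = naive_request_line(method, path)
    return [line for line in raw.split(b"\r\n") if line]


def stdlib_rejects_method(method: str) -> bool:
    """Return True if http.client refuses the method before sending anything.

    HTTPConnection.putrequest() validates the method and buffers the request
    line; it does not connect, so this check runs offline. A patched stdlib
    raises ValueError for CR/LF (or other control characters) in the method.
    """
    conn = http.client.HTTPConnection("example.invalid")  # never connected
    try:
        conn.putrequest(method, "/")
    except ValueError:
        return True
    finally:
        conn.close()
    return False


def main() -> None:
    print("naive request, lines as a server sees them:",
          lines_seen_by_server(INJECTED_METHOD, "/"))
    print("http.client rejects injected method:",
          stdlib_rejects_method(INJECTED_METHOD))
    print("http.client rejects plain GET:",
          stdlib_rejects_method("GET"))


if __name__ == "__main__":
    main()
```

Running this against a patched interpreter such as the python3-3.7.9 update under test should print True for the injected method and False for a plain GET; an unpatched interpreter buffers the injected method just like the naive formatter does, which is the CRLF injection the advisory describes.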
MGA7-64 MATE on Peaq C1011
Installation: I had to remove python2-numpy-f2py and python3-numpy-f2py, as these were blocking the installation of this lot (probably left-overs from other tests). But that could thus occur in "real life".
Continuing tests later.
CC: (none) => herman.viaene
Looked into the testsuite files and went for:
$ cd /usr/lib64/python2.7/test/
Many of those py-files do not give any feedback when running at the CLI, but some do:
$ python2 pystone.py
Pystone(1.1) time for 50000 passes = 1.61624
This machine benchmarks at 30936 pystones/second
$ python2 regrtest.py
== CPython 2.7.18 (default, Nov 20 2020, 06:51:30) [GCC 8.4.0]
== Linux-5.7.19-desktop-3.mga7-x86_64-with-mageia-7-Official little-endian
== /tmp/test_python_31973
== CPU count: 4
Run tests sequentially
0:00:00 load avg: 0.00 [  1/404] test_grammar
0:00:00 load avg: 0.00 [  2/404] test_opcodes
0:00:00 load avg: 0.00 [  3/404] test_dict
0:00:00 load avg: 0.00 [  4/404] test_builtin
0:00:00 load avg: 0.00 [  5/404] test_exceptions
0:00:01 load avg: 0.00 [  6/404] test_types
and that goes on and on....
Interrupted with CTRL-C and got:
== Tests result: INTERRUPTED ==
Test suite interrupted by signal SIGINT.
294 tests omitted:
    test_dircache test_dis test_distutils test_dl test_docxmlrpc test_dumbdbm test_dummy_thread test_dummy_threading test_email
and a long list ...., but finally
97 tests OK.
13 tests skipped:
    test_aepack test_al test_applesingle test_bsddb185 test_bsddb3 test_cd test_cl test_codecmaps_cn test_codecmaps_hk test_codecmaps_jp test_codecmaps_kr test_codecmaps_tw test_curses
Those skips are all expected on linux2.
Total duration: 1 min 52 sec
Tests result: INTERRUPTED
Did one more
$ python2 sortperf.py
 i    2**i  *sort  \sort  /sort  3sort  +sort  %sort  ~sort  =sort  !sort
15   32768   0.03   0.00   0.00   0.00   0.00   0.01   0.01   0.00   0.01
16   65536   0.07   0.01   0.01   0.01   0.01   0.01   0.03   0.01   0.02
17  131072   0.16   0.02   0.02   0.02   0.02   0.03   0.06   0.02   0.04
18  262144   0.39   0.04   0.04   0.04   0.04   0.07   0.13   0.04   0.09
19  524288   0.88   0.09   0.08   0.09   0.09   0.14   0.27   0.08   0.18
20 1048576   1.96   0.18   0.18   0.18   0.18   0.30   0.56   0.17   0.37
No idea what it means, but at least it completes normally.
Having a look at python3 now.
$ cd /usr/lib64/python3.7/test/
$ python3 final_a.py
x = a
final_b.x = b
shutil.rmtree = rmtree
len = len
x = a
final_b.x = b
shutil.rmtree = rmtree
len = len
x = b
final_a.x = a
shutil.rmtree = rmtree
len = len
x = b
final_a.x = a
shutil.rmtree = rmtree
len = len
x = a
final_b.x = b
shutil.rmtree = rmtree
len = len
x = a
final_b.x = b
shutil.rmtree = rmtree
len = len
$ python3 regrtest.py
== CPython 3.7.9 (default, Nov 20 2020, 08:02:31) [GCC 8.4.0]
== Linux-5.7.19-desktop-3.mga7-x86_64-with-mageia-7-Official little-endian
== cwd: /tmp/test_python_960
== CPU count: 4
== encodings: locale=UTF-8, FS=utf-8
0:00:00 load avg: 0.71 Run tests sequentially
0:00:00 load avg: 0.71 [  1/416] test_grammar
0:00:00 load avg: 0.71 [  2/416] test_opcodes
0:00:00 load avg: 0.71 [  3/416] test_dict
0:00:01 load avg: 0.71 [  4/416] test_builtin
0:00:02 load avg: 0.71 [  5/416] test_exceptions
0:00:05 load avg: 0.73 [  6/416] test_types
0:00:05 load avg: 0.73 [  7/416] test_unittest
0:00:14 load avg: 0.85 [  8/416] test_doctest
**********************************************************************
File "/usr/lib64/python3.7/test/test_doctest.py", line 2237, in test.test_doctest.test_DocFileSuite
Failed example:
    suite = doctest.DocFileSuite('test_doctest.txt',
                                 'test_doctest2.txt',
                                 'test_doctest4.txt',
                                 package='test')
and some more, stopped again with CTRL-C and get at the end
8 tests OK.
2 tests failed:
    test_doctest test_support
Total duration: 20.6 sec
Tests result: FAILURE, INTERRUPTED
$ python3 test_abc.py
................................................
----------------------------------------------------------------------
Ran 48 tests in 0.044s

OK
$ python3 test_abstract_numbers.py
...
----------------------------------------------------------------------
Ran 3 tests in 0.002s

OK
$ python3 sortperf.py
 i    2**i  *sort  \sort  /sort  3sort  +sort  %sort  ~sort  =sort  !sort
15   32768   0.01   0.00   0.00   0.00   0.00   0.00   0.01   0.00   0.00
16   65536   0.03   0.01   0.01   0.01   0.01   0.01   0.01   0.00   0.00
17  131072   0.08   0.01   0.01   0.02   0.01   0.02   0.02   0.00   0.01
18  262144   0.19   0.03   0.03   0.03   0.03   0.05   0.04   0.01   0.01
19  524288   0.45   0.06   0.06   0.06   0.06   0.10   0.08   0.01   0.02
20 1048576   1.05   0.13   0.12   0.13   0.13   0.21   0.16   0.02   0.04
I guess even with the failures, the thing is working quite well, but I wonder whether we can let this go as is with the installation issue I found.
Status of this?
CC: (none) => ouaurelien
Well, to me it works quite well, but I am left in the dark with my question on Comment 21, as this is an installation issue, not about the working of the item.
This update is only patched, no packaging regressions, so you can OK it and file a bug for the conflict.
Regarding comment 21,
# urpmi --test python2-scipy python3-scipy
ends with
...
Installation is possible
That's with python-2.7.18-1.1.mga7.x86_64 and python3-3.7.9-1.mga7 already installed.
OKing and validating the update.
CC: (none) => davidwhodgins, sysadmin-bugs
Whiteboard: (none) => MGA7-64-OK
Keywords: (none) => validated_update
Thanks for advice. Advisory pushed to SVN.
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0451.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED