Red Hat has issued an advisory today (May 12): https://access.redhat.com/errata/RHSA-2020:2081
Details are in the Red Hat bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1778105#c2
https://bugzilla.redhat.com/show_bug.cgi?id=1778103#c2
python-virtualenv-16.1.0-3.1.mga7 submitted to mga7 update_testing by applying Red Hat patch.
Status: NEW => ASSIGNED
Assignee: python => qa-bugs
CC: (none) => bruno
Looks like CVE-2018-20060 and CVE-2019-11236 are in the patch Bruno added, but not CVE-2018-18074. See here for the missing patch: https://git.centos.org/rpms/python-virtualenv/c/978cfa779ba16e6eae9e61dcdbe004039db62731?branch=c7
Keywords: (none) => feedback
Status comment: (none) => CVE-2018-18074 to be addressed
That patch doesn't apply at all to our source code base, as the 2 files it tries to patch do not exist in our tree, nor does the class it modifies. Is python-requests really bundled in this version? (The function get_redirect_target, e.g., is not in our source tree.)
OK, looking closer at this, the patch you added just creates two patch files, but it doesn't actually apply them to anything. However, since the SPEC deletes the wheel files that the patches would be applied to, I think that just gets rid of all the bundled stuff, and this bug is INVALID. Am I missing something?
Status comment: CVE-2018-18074 to be addressed => Possibly invalid as bundled wheels are removed during build
Assignee: qa-bugs => python
Keywords: feedback => (none)
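The two comments above turn on one question: do the files a patch wants to modify exist in the tree at all? Below is a small added check (not from this bug report or the Mageia package) that extracts the `-p1` target paths from a unified diff and reports which are missing from a source tree, so a patch that only targets removed bundled files is caught before it is committed. The tree layout and the patch content in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the files a unified diff targets that are absent from
# a source tree. The sample tree and patch created by demo() are constructed.
set -eu

# Print the -p1 target paths of a unified diff (the "+++ b/path" lines),
# dropping the a/ or b/ prefix and any trailing timestamp.
patch_targets() {
    sed -n 's|^+++ [ab]/\([^[:space:]]*\).*|\1|p' "$1"
}

# Return 0 when every target exists under the tree, 1 when at least one is
# missing (each missing path is printed to stderr).
patch_targets_exist() {
    tree=$1
    patchfile=$2
    missing=0
    for f in $(patch_targets "$patchfile"); do
        if [ ! -f "$tree/$f" ]; then
            echo "missing: $f" >&2
            missing=1
        fi
    done
    return $missing
}

# Constructed demo: one target exists, one (a "bundled" file) does not, which
# is the situation described in the thread.
demo() {
    tree=$(mktemp -d)
    mkdir -p "$tree/src"
    echo "x = 1" > "$tree/src/present.py"
    cat > "$tree/fix.patch" <<'EOF'
--- a/src/present.py
+++ b/src/present.py
@@ -1 +1 @@
-x = 1
+x = 2
--- a/src/bundled/missing.py
+++ b/src/bundled/missing.py
@@ -1 +1 @@
-y = 1
+y = 2
EOF
    if patch_targets_exist "$tree" "$tree/fix.patch"; then
        echo "patch targets all present"
    else
        echo "patch cannot apply to this tree"
    fi
    rm -rf "$tree"
}

demo
```

Run it against a real checkout as `patch_targets_exist /path/to/unpacked/source fix.patch`; a non-zero exit with `missing:` lines on stderr means the patch has nothing to apply to, which is exactly the case for a patch aimed at bundled wheels the SPEC deletes.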
That's also my understanding; the last CVE mentioned, 2018-18074, doesn't seem to be relevant to this version in mga7. My recommendation would be to test the update made earlier to check, if possible, that it fixes the other issues, and even check that this one is not an issue with it.
I'll just close this.
Status: ASSIGNED => RESOLVED
Resolution: (none) => INVALID
Shouldn't we move that BR to QA so they can validate the update fixing CVE-2018-20060 and CVE-2019-11236?
Status: RESOLVED => REOPENED
Resolution: INVALID => (none)
No, like I said, you just added a patch that creates two patch files. You didn't actually apply the patches to anything. It looks like what you would apply them to gets removed.
Resolution: (none) => INVALID
Status: REOPENED => RESOLVED
There were 2 patches in discussion here. One coming from Red Hat, which I applied and which is fixing CVE-2018-20060 and CVE-2019-11236 (your comment of the 5th of January above), and the last one from CentOS, which is useless for our version. So IMHO we still need to validate the python-virtualenv-16.1.0-3.1.mga7 package. Is there another BR tracking that which would allow closing this one?
Resolution: INVALID => (none)
Status: RESOLVED => REOPENED
Assignee: python => qa-bugs
Bruno, please take another look at what you did here: http://svnweb.mageia.org/packages?view=revision&revision=1668929 As I said in Comment 4 and Comment 8, you did not patch anything. Your patch just creates two patch files, which are not applied to anything. There is, in fact, nothing to apply them to.
OK, so I understand the issue. I had not pushed the second patch into SVN, and I now realize that neither of the 2 patches I wanted to add is working for this version. Apologies for this. However, I now need to revert the SVN state to where it was before in order to avoid future issues. Thanks for your help.
Yeah, no problem. Thank you too for all the python fixes.