Bug 28020 - python-py new security issue CVE-2020-29651
Summary: python-py new security issue CVE-2020-29651
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Duplicates: 28139
Depends on:
Blocks:
 
Reported: 2021-01-06 00:14 CET by David Walser
Modified: 2021-01-17 11:54 CET
CC List: 2 users

See Also:
Source RPM: python3-py-1.9.0-1.mga8.src.rpm
CVE:
Status comment:



Description David Walser 2021-01-06 00:14:33 CET
Fedora has issued an advisory today (January 5):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CHDTINIBJZ67T3W74QTBIY5LPKAXEOGR/

The issue is fixed upstream in 1.10.0.

Mageia 7 is also affected.
David Walser 2021-01-06 00:14:46 CET

Status comment: (none) => Fixed upstream in 1.10.0
Whiteboard: (none) => MGA7TOO

Comment 1 Nicolas Lécureuil 2021-01-06 01:45:04 CET
fixed in cauldron and new rpm pushed in mga7

src:
     python-py-1.8.0-1.1.mga7

Assignee: python => qa-bugs
Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
CC: (none) => mageia

Comment 2 David Walser 2021-01-06 01:57:22 CET
Advisory:
========================

Updated python-py packages fix security vulnerability:

A denial of service via regular expression in the py.path.svnwc component of
python-py through 1.9.0 could be used by attackers to cause a compute-time
denial of service attack by supplying malicious input to the blame
functionality (CVE-2020-29651).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29651
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CHDTINIBJZ67T3W74QTBIY5LPKAXEOGR/
========================

Updated packages in core/updates_testing:
========================
python2-py-1.8.0-1.1.mga7
python3-py-1.8.0-1.1.mga7
python-py-doc-1.8.0-1.1.mga7

from python-py-1.8.0-1.1.mga7.src.rpm

Status comment: Fixed upstream in 1.10.0 => (none)
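A constructed illustration of the bug class the advisory describes (regular-expression denial of service in a blame-line parser). This is added example code, not py.path.svnwc's own regex or parser: the two patterns, the function names, the length cap and the sample blame line are all assumptions chosen to show why an ambiguous pattern lets an attacker-controlled line burn CPU, and what the hardened form looks like.

```python
import re
import time

# Constructed illustration of the bug class named in the advisory above; this
# is NOT py.path.svnwc's own regex. Two adjacent quantifiers that can both
# consume whitespace (\s* before \d+ and \s* after it) give the backtracking
# engine many ways to split a run of spaces. On a line that can never match
# (spaces but no revision number), an unanchored search() restarts from every
# offset, so total work grows with the square of the line length.
AMBIGUOUS_BLAME_RE = re.compile(r"\s*(\d+)\s*(\S+) (.*)")

# Hardened form: anchored at the start, one quantifier per gap, and the
# leading whitespace is bounded, so the worst case is linear in line length.
STRICT_BLAME_RE = re.compile(r"^\s{0,8}(\d+)\s+(\S+) (.*)$")

# Defence in depth: refuse absurdly long lines before any regex runs at all.
MAX_LINE_LEN = 4096


def parse_blame_line(line: str, pattern: re.Pattern = STRICT_BLAME_RE):
    """Return (revision, author, text) or None; length-capped before matching."""
    if len(line) > MAX_LINE_LEN:
        return None
    # match() is anchored at offset 0, so there are no per-offset restarts.
    m = pattern.match(line)
    if m is None:
        return None
    rev, author, text = m.groups()
    return int(rev), author, text


def match_seconds(pattern: re.Pattern, line: str) -> float:
    """Wall-clock seconds for one unanchored search() over the line."""
    start = time.perf_counter()
    pattern.search(line)
    return time.perf_counter() - start


def backtracking_growth(pattern: re.Pattern, sizes=(2000, 4000, 8000)) -> list:
    """Time the pattern on non-matching, whitespace-only lines of growing length.

    Returns one rounded timing per size so the growth curve can be compared:
    roughly 4x per doubling for the ambiguous pattern, flat for the strict one.
    """
    return [round(match_seconds(pattern, " " * n), 4) for n in sizes]


if __name__ == "__main__":
    # Constructed sample of the svn blame line shape: revision, author, text.
    print(parse_blame_line("  42 alice print('hello')"))
    print("ambiguous:", backtracking_growth(AMBIGUOUS_BLAME_RE))
    print("strict:   ", backtracking_growth(STRICT_BLAME_RE))
```

Running the block prints the parsed sample line and the two timing series; the ambiguous pattern's times climb steeply with line length while the strict pattern's stay negligible. The length cap matters independently of the pattern: once a parser accepts input it did not produce (here, output influenced by whoever can commit to the repository), every regex it runs should be bounded or anchored, and rejecting oversized lines up front removes the amplification that makes this a compute-time denial of service.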

Comment 3 Zombie Ryushu 2021-01-17 11:54:24 CET
*** Bug 28139 has been marked as a duplicate of this bug. ***

CC: (none) => zombie_ryushu

