Python 3.7.10 and 3.8.8 have been released on February 15 and 19: https://blog.python.org/2021/02/python-3710-and-3613-security-updates.html https://blog.python.org/2021/02/python-392-and-388-are-now-available.html We already fixed CVE-2021-3177 in Bug 28204. Mageia 7 is also affected.
Whiteboard: (none) => MGA8TOO, MGA7TOO
Hi, thanks for reporting this. Assigned to the package maintainer. (Please set the status to 'assigned' if you are working on it)
Assignee: bugsquad => python
CC: (none) => ouaurelien
Source RPM: python3-3.8.7-1.mga8.src.rpm, python-2.7.18-6.mga8.src.rpm => python3-3.8.7-1.mga8.src.rpm python-2.7.18-6.mga8.src.rpm
python3-3.8.8-1.mga9 uploaded for Cauldron by Jani.
CC: (none) => jani.valimaa
Jani has also built a python3 update for Mageia 7 and Mageia 8; the python update is still needed.

Mageia 7:
- python3-3.7.10-1.mga7
- libpython3.7-3.7.10-1.mga7
- libpython3.7-stdlib-3.7.10-1.mga7
- libpython3.7-testsuite-3.7.10-1.mga7
- libpython3-devel-3.7.10-1.mga7
- python3-docs-3.7.10-1.mga7
- tkinter3-3.7.10-1.mga7
- tkinter3-apps-3.7.10-1.mga7

Mageia 8:
- python3-3.8.8-1.mga8
- libpython3.8-stdlib-3.8.8-1.mga8
- libpython3.8-3.8.8-1.mga8
- libpython3-devel-3.8.8-1.mga8
- tkinter3-apps-3.8.8-1.mga8
- tkinter3-3.8.8-1.mga8
- libpython3.8-testsuite-3.8.8-1.mga8
- python3-docs-3.8.8-1.mga8
Fedora has issued an advisory for python3 on February 20: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/NODWHDIFBQE5RU5PUWUVE47JOT5VCMJ2/
and on February 24 (previous was 3.7, this is 3.8): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/MNUN5SOMFL2BBKP6ZAICIIUPQKZDMGYO/
Fixed in mga9. Pushed in mga7/8 src:
- python-2.7.18-1.3.mga7
- python-2.7.18-7.1.mga8
Assignee: python => qa-bugs
CC: (none) => mageia
Version: Cauldron => 8
Python 2 RPMs (Python 3 in Comment 3):

Mageia 7:
- python-2.7.18-1.3.mga7
- libpython2.7-2.7.18-1.3.mga7
- libpython2.7-stdlib-2.7.18-1.3.mga7
- libpython2.7-testsuite-2.7.18-1.3.mga7
- libpython-devel-2.7.18-1.3.mga7
- python-docs-2.7.18-1.3.mga7
- tkinter-2.7.18-1.3.mga7
- tkinter-apps-2.7.18-1.3.mga7

Mageia 8:
- python-2.7.18-7.1.mga8
- tkinter-apps-2.7.18-7.1.mga8
- libpython2.7-testsuite-2.7.18-7.1.mga8
- python-docs-2.7.18-7.1.mga8
- libpython2.7-2.7.18-7.1.mga8
- libpython2.7-stdlib-2.7.18-7.1.mga8
- libpython-devel-2.7.18-7.1.mga8
- tkinter-2.7.18-7.1.mga8
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
Advisory:
========================

Updated python and python3 packages fix security vulnerability:

The package python/cpython is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter (CVE-2021-23336).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23336
https://blog.python.org/2021/02/python-392-and-388-are-now-available.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/MNUN5SOMFL2BBKP6ZAICIIUPQKZDMGYO/
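As an added illustration of the advisory text (not part of the bug report or of CPython itself), the snippet below reimplements the pre-fix parse_qsl splitting, stands in a constructed caching proxy and backend, and shows why the proxy and the backend disagree on a request carrying a ';'. The proxy configuration, the `utm_source` unkeyed parameter and both query strings are constructed for the demonstration; the patched behaviour is the installed `urllib.parse.parse_qsl`.

```python
"""Parameter cloaking (CVE-2021-23336): a proxy that only splits on '&' and
a backend that also splits on ';' disagree about where a parameter ends, so
two requests the backend treats differently share one proxy cache key."""
from urllib.parse import parse_qsl


def legacy_parse_qsl(qs):
    """Pre-fix urllib.parse.parse_qsl splitting, reimplemented here in
    simplified form: both '&' and ';' separate fields."""
    pairs = [s2 for s1 in qs.split('&') for s2 in s1.split(';')]
    result = []
    for pair in pairs:
        if not pair:
            continue
        name, _, value = pair.partition('=')
        result.append((name, value))
    return result


def fixed_parse_qsl(qs):
    """Patched behaviour (Python >= 3.8.8 / 3.7.10): only '&' separates."""
    return parse_qsl(qs)


def proxy_cache_key(qs, unkeyed=("utm_source",)):
    """Constructed caching proxy: splits on '&' only (like the patched
    parser) and leaves the 'unkeyed' parameters out of the cache key."""
    keyed = [(k, v) for k, v in parse_qsl(qs) if k not in unkeyed]
    return tuple(sorted(keyed))


def backend_view(qs, parser):
    """The backend's view of the request as produced by the given parser."""
    return dict(parser(qs))


# Constructed query strings: identical for the proxy, because the second
# only changes the value of the unkeyed 'utm_source' parameter.
BENIGN = "page=1&utm_source=news"
CLOAKED = "page=1&utm_source=news;lang=xx"


def same_cache_key(a, b):
    """True when the proxy would serve one cached response for both."""
    return proxy_cache_key(a) == proxy_cache_key(b)


def param_visible_to_backend(qs, parser, name):
    """True when the backend's parser surfaces `name` as its own parameter;
    with the legacy splitting the cloaked 'lang' appears, with the fix it
    stays inside the 'utm_source' value, matching the proxy's view."""
    return name in backend_view(qs, parser)
```

Running the same two checks against the installed interpreter is a quick way to confirm whether a given python3 build carries the fix.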
Using QARepo with the list of Comment 7, I seem to miss the python-2.7.18-1.3.mga7 and lib64python-devel-2.7.18-1.3.mga7 packages.
CC: (none) => herman.viaene
mga8, x64

CVE-2021-23336
https://bugs.python.org/issue42967

Simple test, before update:

$ python
>>> import urllib
>>> import urllib.parse
>>> urllib.parse.parse_qsl("a=1&b=2&c=3")
[('a', '1'), ('b', '2'), ('c', '3')]
>>> urllib.parse.parse_qsl("a=1&b=2;c=3")
[('a', '1'), ('b', '2;c=3')]
>>> exit()

Could not figure out how to use urllib in python2:

>>> import urllib.parse
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
ImportError: No module named parse
CC: (none) => tarazed25
It is called urlparse in python2.
$ python2
>>> import urlparse
>>> urlparse.parse_qsl("a=1&b=2&c=3")
[('a', '1'), ('b', '2'), ('c', '3')]
>>> urlparse.parse_qsl("a=1&b=2;c=3")
[('a', '1'), ('b', '2'), ('c', '3')]

So the issue had been fixed in python3 before the update but not in python2.
Updating:
- lib64python-devel-2.7.18-7.1.mga8.x86_64
- lib64python2.7-2.7.18-7.1.mga8.x86_64
- lib64python2.7-stdlib-2.7.18-7.1.mga8.x86_64
- lib64python2.7-testsuite-2.7.18-7.1.mga8.x86_64
- lib64python3-devel-3.8.8-1.mga8.x86_64
- lib64python3.8-3.8.8-1.mga8.x86_64
- lib64python3.8-stdlib-3.8.8-1.mga8.x86_64
- lib64python3.8-testsuite-3.8.8-1.mga8.x86_64
- python-2.7.18-7.1.mga8.x86_64
- python3-3.8.8-1.mga8.x86_64
- python3-docs-3.8.8-1.mga8.noarch
- tkinter-2.7.18-7.1.mga8.x86_64
- tkinter-apps-2.7.18-7.1.mga8.x86_64
- tkinter3-3.8.8-1.mga8.x86_64
- tkinter3-apps-3.8.8-1.mga8.x86_64

Ran tests again:

$ python
>>> urllib.parse.parse_qsl("a=1&b=2;c=3")
[('a', '1'), ('b', '2;c=3')]

$ python2
>>> urlparse.parse_qsl("a=1&b=2;c=3")
[('a', '1'), ('b', '2;c=3')]

The issue is fixed in both versions of python for Mageia 8. Going to pass this on the basis of successful bugfix and clean install.
Whiteboard: MGA7TOO => MGA7TOO MGA8-64-OK
mga7, x64

In Mageia 7 python2.7 is the default, so python is used and python3 needs to be used for python3.7. Installed the packages listed, ran the simple interactive session tests to demonstrate the fault. Updated all the packages, then ran the tests again. These showed that the vulnerability had been eliminated.

$ python
Python 2.7.18 (default, Mar 4 2021, 21:08:30)
[GCC 8.4.0] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import urlparse
>>> urlparse.parse_qsl("a=1&b=2&c=3")
[('a', '1'), ('b', '2'), ('c', '3')]
>>> urlparse.parse_qsl("a=1&b=2;c=3")
[('a', '1'), ('b', '2;c=3')]
>>> exit()

Since python is everywhere and the system functions as normal, this should be enough to pass the update.
Whiteboard: MGA7TOO MGA8-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK
(In reply to Herman Viaene from comment #9)
> Using QARepo with the list of Comment 7, I seem to miss the
> python-2.7.18-1.3.mga7 and lib64python-devel-2.7.18-1.3.mga7 packages.

64-bit Plasma mga7 and mga8 systems, on AMD hardware.

Using a combination of the lists in Comment 3 and Comment 7, making sure to use only mga7 packages in mga7 and mga8 in mga8, I did not see the problem you saw, Herman. Using the test delineated in the last sentence of Comment 14, this hardware tests out OK on both releases, too.
CC: (none) => andrewsfarm
As long as Foolishness (Dell Inspiron 5100, P4, Radeon RV200 graphics, Atheros-based wifi, 32-bit Xfce4 systems) had a full head of steam going in order to test other updates, I thought I'd check this one out, too. Tested on both mga7 and mga8, using qarepo and the package lists of Comment 3 and Comment 7. No installation issues. Did a reboot each time, just because it seemed like the best thing to do. Using the test from Comment 15, it looks OK for 32-bit. I'm going to go ahead and validate this one. Advisory in Comment 8.
CC: (none) => sysadmin-bugs
Whiteboard: MGA7TOO MGA7-64-OK MGA8-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK MGA7-32-OK MGA8-32-OK
Keywords: (none) => validated_update
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0165.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED