Bug 28461 - python-jinja2 new security issue CVE-2020-28493
Summary: python-jinja2 new security issue CVE-2020-28493
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA7TOO MGA7-64-OK MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Reported: 2021-02-26 22:42 CET by David Walser
Modified: 2021-04-12 22:02 CEST (History)
5 users (show)

See Also:
Source RPM: python-jinja2-2.11.2-2.mga8.src.rpm
CVE: CVE-2020-28493
Status comment:


Description David Walser 2021-02-26 22:42:24 CET
SUSE has issued an advisory on February 25:

The issue is fixed upstream in 2.11.3.

Mageia 7 and Mageia 8 are also affected.
David Walser 2021-02-26 22:42:42 CET

Status comment: (none) => Fixed upstream in 2.11.3
Whiteboard: (none) => MGA8TOO, MGA7TOO

Comment 1 Lewis Smith 2021-02-27 09:47:05 CET
Another one for you, David, as you did the last several version upgrades.

Assignee: bugsquad => geiger.david68210

Comment 2 David GEIGER 2021-02-27 11:06:27 CET
Done for cauldron, mga8 and mga7!
Comment 3 David Walser 2021-02-27 17:46:22 CET
Package list:

from SRPMS:

Status comment: Fixed upstream in 2.11.3 => (none)
CC: (none) => geiger.david68210
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
Version: Cauldron => 8
Assignee: geiger.david68210 => qa-bugs

Comment 4 David Walser 2021-02-27 18:41:33 CET
Newer SUSE advisory from February 26:

Nothing from openSUSE yet, but probably will be soon.
Comment 5 David Walser 2021-03-03 01:57:25 CET

Updated python-jinja2 packages fix security vulnerability:

ReDOS vulnerability where urlize could have been called with untrusted user
data (CVE-2020-28493).

Comment 6 Herman Viaene 2021-03-22 14:54:08 CET
MGA7-64 MATE on PeaqC1011
No installation issues.
This seems developer's stuff. Propose to OK on clean install.

CC: (none) => herman.viaene

Comment 7 Herman Viaene 2021-03-22 15:06:53 CET
Sorry, I didn't notice the procedure on bug 12265
$ python test.py 
Hello. If you see this with no errors then it worked :)

$ python3 test.py 
  File "test.py", line 4
    print output
SyntaxError: Missing parentheses in call to 'print'. Did you mean print(output)?
I changed the test.py to the suggestion and then
$ python3 test.py 
Hello. If you see this with no errors then it worked :)
and the first test on python works as well, so OK

Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK

Comment 8 Thomas Andrews 2021-04-07 03:01:30 CEST
Tested in mga8 64-bit Plasma mga8 guest.

No installation issues. Tried the test from Comment 7, with the same error. Corrected the file, ran again, this time successfully.

OK for mga8. Validating. Advisory in Comment 5.

Keywords: (none) => validated_update
Whiteboard: MGA7TOO MGA7-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs

Aurelien Oudelet 2021-04-12 15:51:52 CEST

CC: (none) => ouaurelien
CVE: (none) => CVE-2020-28493
Keywords: (none) => advisory

Comment 9 Mageia Robot 2021-04-12 22:02:17 CEST
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.