Bug 28461 - python-jinja2 new security issue CVE-2020-28493
Summary: python-jinja2 new security issue CVE-2020-28493
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7TOO MGA7-64-OK MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-02-26 22:42 CET by David Walser
Modified: 2021-04-12 22:02 CEST (History)

See Also:
Source RPM: python-jinja2-2.11.2-2.mga8.src.rpm
CVE: CVE-2020-28493
Status comment:


Attachments

Description David Walser 2021-02-26 22:42:24 CET
SUSE has issued an advisory on February 25:
https://lists.suse.com/pipermail/sle-security-updates/2021-February/008376.html

The issue is fixed upstream in 2.11.3.

Mageia 7 and Mageia 8 are also affected.
David Walser 2021-02-26 22:42:42 CET

Status comment: (none) => Fixed upstream in 2.11.3
Whiteboard: (none) => MGA8TOO, MGA7TOO

Comment 1 Lewis Smith 2021-02-27 09:47:05 CET
Another one for you, David, as you did the last several version upgrades.

Assignee: bugsquad => geiger.david68210

Comment 2 David GEIGER 2021-02-27 11:06:27 CET
Done for cauldron, mga8 and mga7!
Comment 3 David Walser 2021-02-27 17:46:22 CET
Package list:
python2-jinja2-2.11.3-1.mga7
python3-jinja2-2.11.3-1.mga7
python3-jinja2-2.11.3-1.mga8

from SRPMS:
python-jinja2-2.11.3-1.mga7.src.rpm
python-jinja2-2.11.3-1.mga8.src.rpm

Status comment: Fixed upstream in 2.11.3 => (none)
CC: (none) => geiger.david68210
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
Version: Cauldron => 8
Assignee: geiger.david68210 => qa-bugs

Comment 4 David Walser 2021-02-27 18:41:33 CET
Newer SUSE advisory from February 26:
https://lists.suse.com/pipermail/sle-security-updates/2021-February/008398.html

Nothing from openSUSE yet, but probably will be soon.
Comment 5 David Walser 2021-03-03 01:57:25 CET
Advisory:
========================

Updated python-jinja2 packages fix security vulnerability:

ReDoS vulnerability where urlize could have been called with untrusted user data (CVE-2020-28493).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28493
https://lists.suse.com/pipermail/sle-security-updates/2021-February/008398.html
Comment 6 Herman Viaene 2021-03-22 14:54:08 CET
MGA7-64 MATE on PeaqC1011
No installation issues.
This seems developer's stuff. Propose to OK on clean install.

CC: (none) => herman.viaene

Comment 7 Herman Viaene 2021-03-22 15:06:53 CET
Sorry, I didn't notice the procedure on bug 12265.
$ python test.py 
Hello. If you see this with no errors then it worked :)

$ python3 test.py 
  File "test.py", line 4
    print output
               ^
SyntaxError: Missing parentheses in call to 'print'. Did you mean print(output)?
I changed the test.py to the suggestion and then
$ python3 test.py 
Hello. If you see this with no errors then it worked :)
and the first test on python works as well, so OK

Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK

Comment 8 Thomas Andrews 2021-04-07 03:01:30 CEST
Tested in mga8 64-bit Plasma mga8 guest.

No installation issues. Tried the test from Comment 7, with the same error. Corrected the file, ran again, this time successfully.

OK for mga8. Validating. Advisory in Comment 5.

Keywords: (none) => validated_update
Whiteboard: MGA7TOO MGA7-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs

Aurelien Oudelet 2021-04-12 15:51:52 CEST

CC: (none) => ouaurelien
CVE: (none) => CVE-2020-28493
Keywords: (none) => advisory

Comment 9 Mageia Robot 2021-04-12 22:02:17 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0178.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

