Ubuntu has issued an advisory on May 19: https://ubuntu.com/security/notices/USN-4962-1
Mageia 7 and Mageia 8 are also affected.
Whiteboard: (none) => MGA8TOO, MGA7TOO
Status comment: (none) => Patch available from Ubuntu
No registered maintainer, assigning to the Python team.
Assignee: bugsquad => python
The issue is also fixed upstream in 2.9.1: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/J6N66MDKHESXGMHWX4YKNW7DWXMQVL3F/
Done for Cauldron, mga8 and mga7!
CC: (none) => geiger.david68210
RPMS:
python2-babel-2.6.0-2.1.mga7
python3-babel-2.6.0-2.1.mga7
python3-babel-2.9.1-1.mga8

from SRPMS:
python-babel-2.6.0-2.1.mga7.src.rpm
python-babel-2.9.1-1.mga8.src.rpm
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
Version: Cauldron => 8
Status comment: Patch available from Ubuntu => (none)
Assignee: python => qa-bugs
MGA7-64 Plasma on Lenovo B50
No installation issues.
OK'ing on clean install as for other developer's stuff.
CC: (none) => herman.viaene
Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK
(In reply to Herman Viaene from comment #5)
> MGA7-64 Plasma on Lenovo B50
> No installation issues.
> OK'ing on clean install as for other developer's stuff.

MGA8 64 Plasma. On clean install, this is OK.
Source RPM: python-babel-2.9.0-2.mga9.src.rpm => python-babel-2.9.0-1.mga8.src.rpm
CC: (none) => ouaurelien
CVE: (none) => CVE-2021-20095
Whiteboard: MGA7TOO MGA7-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK
Advisory:
========================

Updated python-babel packages fix a security vulnerability:

Relative Path Traversal in Babel 2.9.0 allows an attacker to load arbitrary locale files on disk and execute arbitrary code (CVE-2021-20095).

References:
- https://bugs.mageia.org/show_bug.cgi?id=29011
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20095
- https://ubuntu.com/security/notices/USN-4962-1
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/J6N66MDKHESXGMHWX4YKNW7DWXMQVL3F/
========================

Updated packages in 7/core/updates_testing:
========================
python2-babel-2.6.0-2.1.mga7
python3-babel-2.6.0-2.1.mga7

from SRPMS:
python-babel-2.6.0-2.1.mga7.src.rpm
========================

Updated packages in 8/core/updates_testing:
========================
python3-babel-2.9.1-1.mga8

from SRPM:
python-babel-2.9.1-1.mga8.src.rpm
========================
Validating.
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0267.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
This CVE was rejected in favor of CVE-2021-42771: https://www.debian.org/lts/security/2021/dla-2790
Summary: python-babel new security issues CVE-2021-20095 => python-babel new security issue CVE-2021-20095 / CVE-2021-42771
Curiosity check:

$ rpm -q python3-babel
python3-babel-2.9.1-1.mga8

Followed the PoC trail for CVE-2021-42771. Copied the python script at https://www.tenable.com/security/research/tra-2021-14 and ran it.

$ python3 babel_id_exploit.py
Created /tmp/evil.dat
Traceback (most recent call last):
  File "babel_id_exploit.py", line 18, in <module>
    locale = babel.Locale(language)
  File "/usr/lib/python3.8/site-packages/babel/core.py", line 168, in __init__
    raise UnknownLocaleError(identifier)
babel.core.UnknownLocaleError: unknown locale '../../../../../../../../../../tmp/evil'

Looks like a win for the update.
CC: (none) => tarazed25
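For readers following the thread, here is an added, stand-alone illustration of the class of bug the update closes: a locale identifier joined straight onto the locale-data directory lets `../` segments walk out of it, so a `.dat` file anywhere on disk gets loaded, while an identifier check plus a path-confinement check turns the same input into an "unknown locale" error, as seen in the traceback above. This is example code written for this page, not Babel's own `localedata` implementation and not the Tenable PoC; the temporary directory layout, file names and the `../../evil` identifier are constructed for the demonstration.

```python
import os
import re
import tempfile

# Locale identifiers are short ASCII tokens such as "en", "en_US" or
# "sr_Latn_RS": letters, digits and underscores only. (Assumed pattern
# for this example; not copied from Babel.)
_LOCALE_IDENT_RE = re.compile(r"^[A-Za-z0-9_]+$")


def resolve_locale_file_unsafe(data_dir, identifier):
    """The vulnerable shape: the identifier is joined directly onto the
    data directory, so "../" segments escape it. This mirrors the
    traversal described for Babel < 2.9.1, not its exact code."""
    return os.path.join(data_dir, "%s.dat" % identifier)


def resolve_locale_file(data_dir, identifier):
    """Hardened shape: reject anything that is not a plain identifier,
    then confirm the resolved path still lies inside data_dir."""
    if not _LOCALE_IDENT_RE.match(identifier):
        raise ValueError("unknown locale %r" % identifier)
    base = os.path.realpath(data_dir)
    path = os.path.realpath(os.path.join(base, "%s.dat" % identifier))
    # Defence in depth: even an identifier that passed the regex must
    # not resolve outside the data directory (symlinks included).
    if os.path.commonpath([base, path]) != base:
        raise ValueError("unknown locale %r" % identifier)
    return path


def demo():
    """Build a constructed data directory holding one legitimate locale
    file and a decoy file two levels above it, then run both resolvers
    against a traversal identifier. Returns a summary dict."""
    root = tempfile.mkdtemp()
    data_dir = os.path.join(root, "babel", "locale-data")
    os.makedirs(data_dir)
    with open(os.path.join(data_dir, "en_US.dat"), "wb") as f:
        f.write(b"constructed locale data")

    # Constructed stand-in for an attacker-controlled file on disk.
    evil = os.path.join(root, "evil.dat")
    with open(evil, "wb") as f:
        f.write(b"constructed attacker file")

    traversal = "../../evil"  # climbs from locale-data/ up to root/

    unsafe_target = resolve_locale_file_unsafe(data_dir, traversal)
    unsafe_escapes = os.path.realpath(unsafe_target) == os.path.realpath(evil)

    try:
        resolve_locale_file(data_dir, traversal)
        safe_rejected = False
    except ValueError:
        safe_rejected = True

    good = resolve_locale_file(data_dir, "en_US")
    return {
        "unsafe_escapes": unsafe_escapes,   # vulnerable resolver reaches evil.dat
        "safe_rejected": safe_rejected,     # hardened resolver refuses the identifier
        "good_resolves": os.path.isfile(good),  # a real locale still loads
    }


if __name__ == "__main__":
    print(demo())
```

The regex check alone is what rejects `../../evil`; the `commonpath` check is there so that a future loosening of the identifier grammar, or a symlink inside the data directory, still cannot point the loader outside it. Whether the loaded file is a pickle (as Babel's `.dat` files are) decides how bad an escape is, but the fix belongs at the path resolution either way.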