Bug 29011 - python-babel new security issues CVE-2021-20095
Summary: python-babel new security issues CVE-2021-20095
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7TOO MGA7-64-OK MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-05-29 01:15 CEST by David Walser
Modified: 2021-06-15 22:47 CEST (History)
4 users (show)

See Also:
Source RPM: python-babel-2.9.0-1.mga8.src.rpm
CVE: CVE-2021-20095
Status comment:


Attachments

Description David Walser 2021-05-29 01:15:40 CEST
Ubuntu has issued an advisory on May 19:
https://ubuntu.com/security/notices/USN-4962-1

Mageia 7 and Mageia 8 are also affected.
David Walser 2021-05-29 01:15:57 CEST

Whiteboard: (none) => MGA8TOO, MGA7TOO
Status comment: (none) => Patch available from Ubuntu

Comment 1 Lewis Smith 2021-05-29 20:42:10 CEST
No registered maintainer, assigning to the Python team.

Assignee: bugsquad => python

Comment 3 David GEIGER 2021-06-07 13:07:16 CEST
Done for Cauldron, mga8 and mga7!

CC: (none) => geiger.david68210

Comment 4 David Walser 2021-06-09 01:58:13 CEST
RPMS:
python2-babel-2.6.0-2.1.mga7
python3-babel-2.6.0-2.1.mga7
python3-babel-2.9.1-1.mga8

from SRPMS:
python-babel-2.6.0-2.1.mga7.src.rpm
python-babel-2.9.1-1.mga8.src.rpm

Assignee: python => qa-bugs
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
Status comment: Patch available from Ubuntu => (none)
Version: Cauldron => 8

Comment 5 Herman Viaene 2021-06-15 21:41:49 CEST
MGA7-64 Plasma on Lenovo B50
No installation issues.
OK'ing on clean install as for other developer's stuff.

CC: (none) => herman.viaene
Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK

Comment 6 Aurelien Oudelet 2021-06-15 22:40:30 CEST
(In reply to Herman Viaene from comment #5)
> MGA7-64 Plasma on Lenovo B50
> No installation issues.
> OK'ing on clean install as for other developer's stuff.

MGA8 64 Plasma.

On clean isntall, this is OK.

Source RPM: python-babel-2.9.0-2.mga9.src.rpm => python-babel-2.9.0-1.mga8.src.rpm
CC: (none) => ouaurelien
CVE: (none) => CVE-2021-20095
Whiteboard: MGA7TOO MGA7-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK

Comment 7 Aurelien Oudelet 2021-06-15 22:47:11 CEST
Advisory:
========================

Updated python-babel packages fix a security vulnerability:

Relative Path Traversal in Babel 2.9.0 allows an attacker to load arbitrary locale files on disk and execute arbitrary code (CVE-2021-20095).

References:
 - https://bugs.mageia.org/show_bug.cgi?id=29011
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20095
 - https://ubuntu.com/security/notices/USN-4962-1
 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/J6N66MDKHESXGMHWX4YKNW7DWXMQVL3F/
========================

Updated packages in 7/core/updates_testing:
========================
python2-babel-2.6.0-2.1.mga7
python3-babel-2.6.0-2.1.mga7

from SRPMS:
python-babel-2.6.0-2.1.mga7.src.rpm
========================

Updated packages in 8/core/updates_testing:
========================
python3-babel-2.9.1-1.mga8

from SRPM:
python-babel-2.9.1-1.mga8.src.rpm
========================
Comment 8 Aurelien Oudelet 2021-06-15 22:47:34 CEST
Validating.

CC: (none) => sysadmin-bugs
Keywords: (none) => advisory, validated_update


Note You need to log in before you can comment on or make changes to this bug.