Fedora has issued an advisory today (May 29): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/RSLQD5CCM75IZGAMBDGUZEATYU5YSGJ7/
Mageia 7 and Mageia 8 are also affected.
Status comment: (none) => Patch available from Fedora
Whiteboard: (none) => MGA8TOO, MGA7TOO
Assigning.
Assignee: bugsquad => python
CC: (none) => ouaurelien
Failed build in Cauldron: http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20210627201449.luigiwalser.duvel.4662/log/python-2.7.18-9.mga9/build.i586.0.20210627201502.log
but that'll have to be fixed later.
Advisory:
========================

Updated python packages fix security vulnerability:

In Python3's Lib/test/multibytecodec_support.py CJK codec tests call eval() on content retrieved via HTTP (CVE-2020-27619).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27619
https://bugzilla.redhat.com/show_bug.cgi?id=1889886
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/RSLQD5CCM75IZGAMBDGUZEATYU5YSGJ7/
========================

Updated packages in core/updates_testing:
========================
python-2.7.18-1.4.mga7
libpython2.7-2.7.18-1.4.mga7
libpython2.7-stdlib-2.7.18-1.4.mga7
libpython2.7-testsuite-2.7.18-1.4.mga7
libpython-devel-2.7.18-1.4.mga7
python-docs-2.7.18-1.4.mga7
tkinter-2.7.18-1.4.mga7
tkinter-apps-2.7.18-1.4.mga7
python-2.7.18-7.2.mga8
libpython2.7-stdlib-2.7.18-7.2.mga8
libpython-devel-2.7.18-7.2.mga8
tkinter-2.7.18-7.2.mga8
libpython2.7-2.7.18-7.2.mga8
libpython2.7-testsuite-2.7.18-7.2.mga8
tkinter-apps-2.7.18-7.2.mga8
python-docs-2.7.18-7.2.mga8

from SRPMS:
python-2.7.18-1.4.mga7.src.rpm
python-2.7.18-7.2.mga8.src.rpm
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
Assignee: python => qa-bugs
Severity: normal => major
Status comment: Patch available from Fedora => (none)
Version: Cauldron => 8
MGA7-64 Plasma on Lenovo B50
No installation issues
Used test as per bug 28408 Comment 14

$ python
Python 2.7.18 (default, Jun 27 2021, 20:22:35)
[GCC 8.4.0] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import urlparse
>>> urlparse.parse_qsl("a=1&b=2&c=3")
[('a', '1'), ('b', '2'), ('c', '3')]
>>> urlparse.parse_qsl("a=1&b=2;c=3")
[('a', '1'), ('b', '2;c=3')]
>>> exit
Use exit() or Ctrl-D (i.e. EOF) to exit
>>> exit()

So OK for this
CC: (none) => herman.viaene
Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK
Affected file for this CVE is in lib64python2.7-testsuite package and just cleans up some dangerous code in one of the tests, which isn't terribly interesting. I tested a simple Python script I wrote (be careful, you have to call Python as python2 in Mageia 8 now, due to some nonsense we carried over from Fedora) just to make sure it still generally worked, and it did, as expected. OK for x86_64.
Whiteboard: MGA7TOO MGA7-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK
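To illustrate the class of defect the advisory in Comment 3 and the comment above describe (test code handing tokens from a downloaded mapping file to eval()), here is an added example that is not part of this bug report and not the CPython test-suite code itself. It assumes a constructed mapping-file layout of two "0x"-prefixed hex tokens per line with "#" comments, which is an assumption for illustration; the point is that the strict parser only accepts hex code points, while eval() will happily compute any expression it is given.

```python
import re

# Constructed sample in the assumed layout: "<encoded byte value> <Unicode code point>  # comment".
# Not a real codec mapping table.
SAMPLE_MAPPING = """\
# constructed sample, not a real mapping
0x8140 0x4E00
0x8141 0x4E8C  # second entry
0x0041 0x0041
"""

# A line that is a valid Python expression but not a hex code point.
EXPRESSION_LINE = "0x10+0x1 0x4E00"

HEX_TOKEN = re.compile(r"^0x[0-9A-Fa-f]{1,8}$")


def parse_line_unsafe(line):
    """The pattern the advisory warns about: every token goes through eval()."""
    data = line.split('#')[0].strip().split()
    if len(data) != 2:
        return None
    # eval() executes whatever the remote file contains, not just hex literals.
    return eval(data[0]), eval(data[1])


def parse_line_strict(line):
    """Hardened variant: accept only hex literals and convert with int(..., 16)."""
    data = line.split('#')[0].strip().split()
    if len(data) != 2:
        return None
    for tok in data:
        if not HEX_TOKEN.match(tok):
            raise ValueError("not a hex code point: %r" % tok)
    return int(data[0], 16), int(data[1], 16)


def load_mapping(text, parser=parse_line_strict):
    """Build {encoded value: code point} from mapping-file text, skipping ASCII."""
    mapping = {}
    for line in text.splitlines():
        pair = parser(line)
        if pair is None:
            continue  # comment or malformed line
        csetval, ucs = pair
        if csetval <= 0x7F:
            continue  # ASCII range carries no codec-specific information
        mapping[csetval] = ucs
    return mapping


if __name__ == "__main__":
    print(load_mapping(SAMPLE_MAPPING))
    print(parse_line_unsafe(EXPRESSION_LINE))  # eval() computed 0x10+0x1 -> 17
    try:
        parse_line_strict(EXPRESSION_LINE)
    except ValueError as exc:
        print("rejected:", exc)
```

On well-formed input both parsers return the same mapping; the difference shows only on a line that is not a plain hex literal, which the strict parser rejects with ValueError instead of evaluating. That is the whole of the fix's effect on the test suite: it stops trusting the fetched file to contain nothing but numbers.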
Validating. Advisory in Comment 3.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2021-0327.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED