Update python3 to 3.8.11 to fix several security issues [1]. Fixes in 3.8.10 are also included [2]. Bundled pip and setuptools were updated in 3.8.11, so python-pip needs to be updated to 21.1.3 and python-setuptools to 56.2.0 at the same time.

[1] https://docs.python.org/release/3.8.11/whatsnew/changelog.html#changelog
[2] https://docs.python.org/release/3.8.10/whatsnew/changelog.html#changelog
Per https://bugs.mageia.org/show_bug.cgi?id=29010 [python-pip new security issue fixed upstream in 21.1 (CVE-2021-3572)], a python-pip update was already pushed today with patches for 3 CVEs. Packages come from the new python-pip-20.3.3-3.3.mga8.src.rpm.

Assigning to the python group.

Assignee: bugsquad => python
CC: (none) => ouaurelien
SRPM(S):
python-pip-21.1.3-1.mga8
python-setuptools-56.2.0-1.mga8
python3-3.8.11-1.mga8

RPM(S):
lib(64)python3.8-3.8.11-1.mga8
lib(64)python3.8-stdlib-3.8.11-1.mga8
lib(64)python3.8-testsuite-3.8.11-1.mga8
lib(64)python3-devel-3.8.11-1.mga8
python3-3.8.11-1.mga8
python3-docs-3.8.11-1.mga8
python3-pip-21.1.3-1.mga8
python3-pkg-resources-56.2.0-1.mga8
python3-setuptools-56.2.0-1.mga8
python-pip-wheel-21.1.3-1.mga8
python-setuptools-wheel-56.2.0-1.mga8
tkinter3-3.8.11-1.mga8
tkinter3-apps-3.8.11-1.mga8
Assignee: python => qa-bugs
CVE-2021-29921 patched in python3-3.8.11-1.1.mga8:
https://ubuntu.com/security/notices/USN-4973-1
https://python-security.readthedocs.io/vuln/ipaddress-ipv4-leading-zeros.html

This would be a good time to fix Bug 29041 (python-urllib3) too...

Severity: normal => major
Component: RPM Packages => Security
QA Contact: (none) => security
Blocks: (none) => 29084
mga8, x64

    $ rpm -q python
    python-2.7.18-7.2.mga8

CVE-2021-29921

No specific PoC found in spite of extensive discussion on the web. If I run (perl)

    $ GET 142.250.187.206

it returns lots of HTML code from google.com. So does this python snippet:

    import urllib3

    http = urllib3.PoolManager()
    resp = http.request("GET", "google.com")
    print(resp.status)
    print(resp.data)

Replacing google.com by the octal equivalent 0216.372.273.316 results in

    urllib3.exceptions.MaxRetryError: HTTPConnectionPool(host='0216.372.273.316', port=80): Max retries exceeded with url: / (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f38b0b5cbe0>: Failed to establish a new connection: [Errno -2] Name or service not known'))

Reverting to decimal in python results in the full index file being returned. That seems to demonstrate that octal notation was already forbidden, which the web discussions indicate has been the case for some time - unless the refusal is applied at the Google server. The lack of a status code implies that the connection is rejected at Google. If a leading zero is used in the decimal string the call simply hangs.

So, I do not know how to test this. Shall update and continue from there.
CC: (none) => tarazed25
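For the "how to test this" question: the urllib3 GET above never goes through the ipaddress module at all. urllib3 hands the host string to getaddrinfo, so a leading-zero string is interpreted by glibc (a leading 0 means octal), not by Python. CVE-2021-29921 only matters where an application uses ipaddress to make an access decision on a string that later reaches the socket layer: ipaddress read "0177.0.0.1" as 177.0.0.1, glibc connects to 127.0.0.1. The script below is an added example, not code from this report or from the Mageia packages. It models both interpretations in pure Python so it runs the same on fixed and unfixed interpreters, and installed_ipaddress_is_fixed() probes the interpreter it runs under, which is the actual check for this update. The 127.0.0.0/8 block list is a constructed scenario, and libc_style_ipv4() is a simplified model of glibc inet_aton covering dotted-quad input only (assumption: the shorter a.b.c / a.b forms inet_aton also accepts are not modelled).

```python
# Added example (not from the bug report or the Mageia packages).
# Models the CVE-2021-29921 ambiguity: pre-fix ipaddress accepted leading
# zeros in IPv4 octets and read them as decimal, while glibc inet_aton
# (what connect() ultimately sees) reads a leading 0 as octal.
import ipaddress
from typing import Optional, Tuple


def libc_style_ipv4(text: str) -> Optional[Tuple[int, ...]]:
    """Simplified model of glibc inet_aton for dotted-quad input only:
    '0x' prefix is hex, a leading '0' is octal, otherwise decimal.
    Returns None where inet_aton would reject the string (assumption:
    the shorter a.b.c / a.b forms are not modelled)."""
    parts = text.split(".")
    if len(parts) != 4:
        return None
    octets = []
    for part in parts:
        # Reject signs, whitespace and underscores that int() would tolerate.
        if not (part.isascii() and part.isalnum()):
            return None
        try:
            if part[:2].lower() == "0x":
                value = int(part[2:], 16)
            elif len(part) > 1 and part[0] == "0":
                value = int(part, 8)        # octal: "0177" -> 127
            else:
                value = int(part, 10)
        except ValueError:
            return None
        if not 0 <= value <= 255:
            return None
        octets.append(value)
    return tuple(octets)


def strict_ipv4(text: str) -> Tuple[int, ...]:
    """What the fixed ipaddress module enforces: four ASCII-decimal octets,
    no leading zero unless the octet is exactly '0'. Raises ValueError."""
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError(f"{text!r}: expected four octets")
    octets = []
    for part in parts:
        if not (part.isascii() and part.isdigit()):
            raise ValueError(f"{text!r}: octet {part!r} is not decimal")
        if len(part) > 1 and part[0] == "0":
            raise ValueError(f"{text!r}: leading zero in octet {part!r}")
        value = int(part, 10)
        if value > 255:
            raise ValueError(f"{text!r}: octet {part!r} exceeds 255")
        octets.append(value)
    return tuple(octets)


def strict_rejects(text: str) -> bool:
    try:
        strict_ipv4(text)
    except ValueError:
        return True
    return False


def installed_ipaddress_is_fixed() -> bool:
    """Probe the running interpreter: a fixed build raises ValueError on a
    leading-zero octet; a vulnerable build returns IPv4Address('177.0.0.1')."""
    try:
        ipaddress.ip_address("0177.0.0.1")
    except ValueError:
        return True
    return False


def vulnerable_acl_allows(target: str, blocked: str = "127.0.0.0/8") -> bool:
    """Access check as a vulnerable build evaluated it: leading zeros dropped,
    octets read as decimal, then tested against the (constructed) block list.
    Modelled explicitly instead of calling ipaddress so the result does not
    depend on which python3 build is installed."""
    decimal = ".".join(str(int(p, 10)) for p in target.split("."))
    return ipaddress.IPv4Address(decimal) not in ipaddress.ip_network(blocked)


def bypass_report(target: str, blocked: str = "127.0.0.0/8") -> dict:
    """Side by side: what the ACL decided, where the kernel would connect,
    and whether the strict (post-fix) parser would have stopped it."""
    return {
        "acl_allows": vulnerable_acl_allows(target, blocked),
        "kernel_connects_to": libc_style_ipv4(target),
        "strict_parse_rejects": strict_rejects(target),
    }


if __name__ == "__main__":
    print("installed ipaddress rejects leading zeros:", installed_ipaddress_is_fixed())
    for addr in ("0177.0.0.1", "127.0.0.1", "0216.0372.0273.0316", "0216.372.273.316"):
        print(addr, bypass_report(addr))
```

Run it once on python3-3.8.9 and once after the update: the first line flips from False to True. The bypass_report() rows stay the same because they model the two interpretations deliberately; the interesting row is "0177.0.0.1", where the ACL allows the request and the kernel would connect to loopback. Note also that inet_aton only treats an octet as octal when it has the leading 0, so "0216.372.273.316" does not parse (372 as decimal exceeds 255), whereas "0216.0372.0273.0316" resolves to 142.250.187.206.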
    $ rpm -q python3
    python3-3.8.9-1.mga8
    $ rpm -q python3-pip
    python3-pip-20.3.3-3.3.mga8

After two days' effort I could not get qarepo to work with this update and reverted to urpmi. Everything installed properly. Ran the crude PoC tests with the same results - command hangs. Impossible to draw any conclusions from this other than there is no error response to the leading zero. It is surprising that the leading zero causes trouble with a valid decimal address. If it is not parsed out then maybe it is the lower level software objecting to a triplet which has 4 characters - no idea what goes on under the hood.

Some 90 applications and libraries depend on python. Tried units under strace but could find no sign of python in the trace.

    $ urpmq --requires-recursive units
    ...
    lib64python3.8
    lib64python3.8-stdlib
    ...
    python-pip-wheel
    python-rpm-macros
    python-setuptools-wheel
    python-srpm-macros
    python3
    python3-chardet
    python3-idna
    python3-pkg-resources
    python3-requests
    python3-rpm-macros
    python3-setuptools
    python3-six
    python3-urllib3

It must depend on usage. Better results from isodumper. Wrote an mga8 iso to USB storage and found a host of python references in the trace file. Leaving it there. python is ubiquitous so any regressions should show up in due course. Meanwhile it looks good.
Whiteboard: (none) => MGA8-64-OK
type: security
subject: Updated python3 packages fix security vulnerabilities
CVE:
 - CVE-2021-29921
src:
  8:
   core:
     - python-pip-21.1.3-1.mga8
     - python-setuptools-56.2.0-1.mga8
     - python3-3.8.11-1.1.mga8
description: |
  Update python3 to 3.8.11 to fix several security issues. Fixes in 3.8.10
  are also included. Bundled pip and setuptools were updated in 3.8.11 so
  python-pip needs to be updated to 21.1.3 and python-setuptools to 56.2.0
  at the same time.

  Also, we fix the following issue:

  In Python before 3.9.5, the ipaddress library mishandles leading zero
  characters in the octets of an IP address string. This (in some
  situations) allows attackers to bypass access control that is based on
  IP addresses (CVE-2021-29921).
references:
 - https://bugs.mageia.org/show_bug.cgi?id=29288
 - https://docs.python.org/release/3.8.11/whatsnew/changelog.html#changelog
 - https://docs.python.org/release/3.8.10/whatsnew/changelog.html#changelog
 - https://ubuntu.com/security/notices/USN-4973-1
 - https://python-security.readthedocs.io/vuln/ipaddress-ipv4-leading-zeros.html

CVE: (none) => CVE-2021-29921
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0386.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
This update also fixed CVE-2021-3733 and CVE-2021-3737:
https://ubuntu.com/security/notices/USN-5083-1
This update also fixed CVE-2022-0391:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/VIX3AYNDHW6FHW27K63MW4NHDAPUJGKS/
CC: (none) => luigiwalser