Fedora has issued an advisory on September 24: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/P42EPKPLOWC5QVIWT7H7BICKHXWJ3MUN/ Mageia 8 is also affected.
Whiteboard: (none) => MGA8TOO
Status comment: (none) => Patches available from Fedora
Already fixed in our mga8 3.8.12.
Whiteboard: MGA8TOO => (none)
CC: (none) => mageia
This is for python, not python3.
Whiteboard: (none) => MGA8TOO
oh well seen :-) sorry
fixed in cauldron and mga8: src: - python-2.7.18-7.3.mga8
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
Assignee: python => qa-bugs
Status comment: Patches available from Fedora => (none)
Build failed in Cauldron.
RPMS list for Mageia 8:
python-2.7.18-7.3.mga8
tkinter-apps-2.7.18-7.3.mga8
libpython2.7-2.7.18-7.3.mga8
tkinter-2.7.18-7.3.mga8
libpython-devel-2.7.18-7.3.mga8
libpython2.7-stdlib-2.7.18-7.3.mga8
libpython2.7-testsuite-2.7.18-7.3.mga8
python-docs-2.7.18-7.3.mga8
from python-2.7.18-7.3.mga8.src.rpm
MGA8-64 Plasma on Lenovo B50
No installation issues. There was no python before on this laptop.
ref bug28408 Comment 14 for testing, but something seems to be missing:
$ python
Python 3.8.12 (default, Sep 12 2021, 19:57:22)
[GCC 10.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import urlparse
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
ModuleNotFoundError: No module named 'urlparse'
CC: (none) => herman.viaene
That's python3 that you just ran. Try python2.
I stand corrected
$ python2
Python 2.7.18 (default, Sep 29 2021, 15:24:05)
[GCC 10.3.0] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import urlparse
>>> urlparse.parse_qsl("a=1&b=2&c=3")
[('a', '1'), ('b', '2'), ('c', '3')]
>>> urlparse.parse_qsl("a=1&b=2;c=3")
[('a', '1'), ('b', '2;c=3')]
>>> exit()
Seems OK now.
Whiteboard: (none) => MGA8-64-OK
As a matter of interest I tried the PoC for CVE-2021-3737. https://bugs.python.org/issue44022
Copied the client.py and evil_server.py scripts. Had to edit them in a couple of places to obtain the urllib module.
Before updating: Ran the evil_server in a terminal and the client in another and the client locked up without any output.
After updating: Set evil_server running then the client.
$ python2 client.py
Traceback (most recent call last):
  File "client.py", line 4, in <module>
    response = urllib2.urlopen( req, timeout=1 )
  File "/usr/lib64/python2.7/urllib2.py", line 154, in urlopen
    return opener.open(url, data, timeout)
  File "/usr/lib64/python2.7/urllib2.py", line 429, in open
    response = self._open(req, data)
  File "/usr/lib64/python2.7/urllib2.py", line 447, in _open
    '_open', req)
  File "/usr/lib64/python2.7/urllib2.py", line 407, in _call_chain
    result = func(*args)
  File "/usr/lib64/python2.7/urllib2.py", line 1228, in http_open
    return self.do_open(httplib.HTTPConnection, req)
  File "/usr/lib64/python2.7/urllib2.py", line 1201, in do_open
    r = h.getresponse(buffering=True)
  File "/usr/lib64/python2.7/httplib.py", line 1191, in getresponse
    response.begin()
  File "/usr/lib64/python2.7/httplib.py", line 475, in begin
    skipped_headers = _read_headers(self.fp)
  File "/usr/lib64/python2.7/httplib.py", line 381, in _read_headers
    raise HTTPException("got more than %d headers" % _MAXHEADERS)
httplib.HTTPException: got more than 100 headers
evil_server.py reported:
Process Process-1:
Traceback (most recent call last):
  File "/usr/lib64/python2.7/multiprocessing/process.py", line 267, in _bootstrap
    self.run()
  File "/usr/lib64/python2.7/multiprocessing/process.py", line 114, in run
    self._target(*self._args, **self._kwargs)
  File "evil_server.py", line 12, in dealWithClient
    newSocket.send( b"""x:a\n""" )
error: [Errno 104] Connection reset by peer
The result was instantaneous. Looks like the attack was frustrated.
CC: (none) => tarazed25
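The two behaviours checked in the comments above (parse_qsl no longer treating ';' as a pair separator, and the HTTP client refusing more than 100 header lines) as an added, offline regression check; it is not part of this bug report or of the Mageia packages. It is written for Python 3, where urllib.parse and http.client carry the same limits as the patched python2, and the fake socket class and the canned response bytes are constructed for the check.

```python
"""Offline regression check for the two fixes tested in this bug:
the parse_qsl separator change (CVE-2021-23336) and the cap on the
number of header lines the HTTP client will read (the limit this
python2 update adds to httplib). Added example, written for Python 3."""
import io
from http.client import HTTPException, HTTPResponse
from urllib.parse import parse_qsl


def split_query(qs, separator="&"):
    """Parse a query string the way the fixed stdlib does: only `separator`
    splits pairs, so 'b=2;c=3' stays a single value unless ';' is asked for.
    The mismatch with caches that never split on ';' is what the CVE fixed."""
    return parse_qsl(qs, separator=separator)


class _FakeSock:
    """Stand-in for a socket (constructed for this check): HTTPResponse only
    needs makefile(), so the canned bytes are served from memory."""

    def __init__(self, data):
        self._data = data

    def makefile(self, mode, *args, **kwargs):
        return io.BytesIO(self._data)


def header_count_accepted(n_headers):
    """Feed a response carrying n_headers 'x: a' lines to the client parser.
    Returns True if the client accepts it and reads the body, False if the
    header cap rejects it (HTTPException 'got more than 100 headers')."""
    raw = b"HTTP/1.1 200 OK\r\n" + b"x: a\r\n" * n_headers + b"\r\nok"
    resp = HTTPResponse(_FakeSock(raw))
    try:
        resp.begin()            # status line + header parsing happens here
    except HTTPException:
        return False
    return resp.read() == b"ok"


if __name__ == "__main__":
    print(split_query("a=1&b=2;c=3"))       # [('a', '1'), ('b', '2;c=3')]
    print(header_count_accepted(50))        # True
    print(header_count_accepted(150))       # False
```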
And so once again, Good triumphs over Evil, and all is Right with the World. By all means, this must be validated.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0457.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED