Bug 29817 - python-lxml new security issue CVE-2021-43818
Summary: python-lxml new security issue CVE-2021-43818
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Reported: 2021-12-26 18:38 CET by David Walser
Modified: 2021-12-30 17:43 CET
Source RPM: python-lxml-4.6.3-1.mga9.src.rpm

Description David Walser 2021-12-26 18:38:55 CET
Fedora has issued an advisory today (December 26):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZQ4SPKJX3RRJK4UWA6FXCRHD2TVRQI44/

The issue is fixed upstream in 4.6.5.

Mageia 8 is also affected.

David Walser 2021-12-26 18:39:09 CET

Status comment: (none) => Fixed upstream in 4.6.5
Whiteboard: (none) => MGA8TOO

Comment 1 Nicolas Lécureuil 2021-12-26 23:12:00 CET
New version added in mga9

Whiteboard: MGA8TOO => (none)
CC: (none) => mageia
Version: Cauldron => 8

Comment 2 Nicolas Lécureuil 2021-12-26 23:13:02 CET
New version added in mga8:

src:
    - python-lxml-4.6.5-1.mga8

Status comment: Fixed upstream in 4.6.5 => (none)
Assignee: python => qa-bugs

Comment 3 David Walser 2021-12-27 15:29:59 CET
python3-lxml-4.6.5-1.mga8
python-lxml-docs-4.6.5-1.mga8

from python-lxml-4.6.5-1.mga8.src.rpm

Comment 4 Herman Viaene 2021-12-28 11:27:35 CET
MGA8-64 Plasma on Lenovo B50 in Dutch.
No installation issues.
Ref bug 28983 for testing.
Used at CLI
$ strace -o lxmltxt calibre
Imported one of my own html files in calibre and converted to e-book for table format. I could read the resulting epub with the calibre E-book viewer and with okular.
Trace shows multiple refs to /usr/lib64/python3.8/site-packages/lxml/ files.
OK for me.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 5 Thomas Andrews 2021-12-29 16:16:29 CET
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2021-12-30 03:54:22 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 6 Mageia Robot 2021-12-30 17:43:10 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0595.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

