Bug 29897 - python-celery new security issue CVE-2021-23727
Summary: python-celery new security issue CVE-2021-23727
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-01-16 17:11 CET by David Walser
Modified: 2022-01-25 13:14 CET

See Also:
Source RPM: python-celery-5.1.2-1.mga9.src.rpm
CVE:
Status comment:


David Walser 2022-01-16 17:11:59 CET

Status comment: (none) => Fixed upstream in 5.2.2
Whiteboard: (none) => MGA8TOO

Nicolas Lécureuil 2022-01-16 20:44:29 CET

Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
CC: (none) => mageia

Comment 1 David Walser 2022-01-16 22:02:07 CET
python-celery-5.2.3-1.mga9 uploaded for Cauldron.  python-kombu should be updated too.
Comment 2 Nicolas Lécureuil 2022-01-16 23:41:37 CET
Fixed in mga8:
src:
    - python-celery-5.0.5-1.1.mga8

Status comment: Fixed upstream in 5.2.2 => (none)
Assignee: python => qa-bugs

Comment 3 David Walser 2022-01-16 23:44:09 CET
RPM:
python3-celery-5.0.5-1.1.mga8
Comment 4 Herman Viaene 2022-01-18 14:47:40 CET
Sorry, the following package cannot be selected:

- python3-celery-5.0.5-1.1.mga8.noarch (because of unfulfilled python3.8dist(billiard)[>= 3.6.3])

CC: (none) => herman.viaene

Comment 5 David Walser 2022-01-18 23:09:43 CET
Doesn't look like the patch did that; must have already been broken.  Strange.

Assignee: qa-bugs => python

Comment 6 Nicolas Lécureuil 2022-01-20 12:49:39 CET
just pushed a new python-billiard

src:
    - python-billiard-3.6.4.0-1.mga8

Assignee: python => qa-bugs

Comment 7 David Walser 2022-01-20 17:21:30 CET
RPM:
python3-billiard-3.6.4.0-1.mga8
Comment 8 Herman Viaene 2022-01-24 16:09:17 CET
MGA8-64 Plasma on Lenovo B50 in Dutch
Installed both python3-billiard and python3-celery
Reading "An open source asynchronous task queue/job queue based on distributed message passing. It is focused on real-time operation, but supports scheduling as well.
The execution units, called tasks, are executed concurrently on one or more worker nodes using multiprocessing, Eventlet or gevent. Tasks can execute asynchronously (in the background) or synchronously (wait until ready)."
So this is developers stuff, OK on clean install.

Whiteboard: (none) => MGA8-64-OK

Comment 9 Thomas Andrews 2022-01-24 21:00:30 CET
Validating. Please make sure both python-celery and python-billiard are pushed.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 10 Dave Hodgins 2022-01-24 22:52:55 CET
What about python-kombu mentioned in comment 1?

Keywords: (none) => feedback
CC: (none) => davidwhodgins

Comment 11 David Walser 2022-01-25 00:38:46 CET
Kombu only needed a corresponding update in Cauldron and Nicolas updated it.

Keywords: feedback => (none)

Dave Hodgins 2022-01-25 03:48:15 CET

Keywords: (none) => advisory

Comment 12 Mageia Robot 2022-01-25 13:14:19 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0029.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

