Fedora has issued an advisory today (February 15): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/MCLETLGVM5DBX6QNHQFW6TWGO5T3DENY/ Mageia 8 is also affected.
Whiteboard: (none) => MGA8TOO
Status comment: (none) => Patch available from Fedora
pushed by papoteur in mga8: src.rpm: - python-rencode-1.0.6-2.1.mga8
Status comment: Patch available from Fedora => (none)
Assignee: python => qa-bugs
CC: (none) => mageia
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
I don't know how to test it. This package is used by deluge, a BitTorrent client.
CC: (none) => yves.brungard_mageia
RPM: python3-rencode-1.0.6-2.1.mga8
MGA8-64 Plasma on Lenovo B50 in Dutch. No installation issues. Took hint from papoteur, put a trace on deluge and used this one to access a torrent download file from LibreOffice.org.

$ strace -o ptyhrencodetxt deluge

That worked OK and in the trace file I found multiple references to the python3-rencode files. OK for me.
Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene
Validating.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Advisory committed to svn as ...

type: security
subject: Updated python-rencode packages fix security vulnerability
CVE:
 - CVE-2021-40839
src:
  8:
   core:
     - python-rencode-1.0.6-2.1.mga8
description: |
  The rencode package through 1.0.6 for Python allows an infinite loop in
  typecode decoding (such as via ;\x2f\x7f), enabling a remote attack that
  consumes CPU and memory. (CVE-2021-40839)
references:
 - https://bugs.mageia.org/show_bug.cgi?id=30051
 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/MCLETLGVM5DBX6QNHQFW6TWGO5T3DENY/
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0167.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED