Bug 30604 - python-nltk new security issue CVE-2021-3828
Summary: python-nltk new security issue CVE-2021-3828
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-07-04 21:02 CEST by David Walser
Modified: 2023-10-25 20:19 CEST (History)

See Also:
Source RPM: python-nltk-3.4.5-3.mga8.src.rpm
CVE:
Status comment:


Description David Walser 2022-07-04 21:02:44 CEST
openSUSE has issued an advisory on July 3:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6ZUSFUYB3S2F4VLUQBWFBYRLCIHMR43P/

The issue is fixed upstream in 3.6.6.
David Walser 2022-07-04 21:02:59 CEST

Status comment: (none) => Fixed upstream in 3.6.6

Comment 1 papoteur 2023-02-21 10:57:58 CET
Submitted
python3-nltk-3.6.6-1.mga8.noarch

Source
python-nltk-3.6.6-1.mga8.src.rpm

This package adds a command:
nltk

It is not claimed by any other package.

CC: (none) => yves.brungard_mageia

papoteur 2023-02-21 11:00:58 CET

Assignee: python => qa-bugs
Status comment: Fixed upstream in 3.6.6 => (none)

Comment 2 Herman Viaene 2023-02-21 13:26:23 CET
Sorry, the following package cannot be selected:

- python3-nltk-3.6.6-1.mga8.noarch (due to unsatisfied python3.8dist(regex)[>= 2021.8.3])

CC: (none) => herman.viaene

David Walser 2023-02-21 14:27:39 CET

Keywords: (none) => feedback

Comment 3 Thomas Andrews 2023-10-24 22:57:06 CEST
Just tried to update this in VirtualBox, and there has been no change. I get the same error message.

CC: (none) => andrewsfarm

Comment 4 papoteur 2023-10-25 09:42:18 CEST
Sorry, I missed this.
An update is building:
 python3-regex-2022.9.13-1.mga8
Source:
 python-regex-2022.9.13-1.mga8

Added to:
 python3-nltk-3.6.6-1.mga8.noarch
Source:
 python-nltk-3.6.6-1.mga8
Comment 5 Thomas Andrews 2023-10-25 14:32:46 CEST
Thank you. It updates now with no issues. Looking at /usr/bin, the command "nltk" has been added.

"The Natural Language Toolkit is a Python package that simplifies the construction of programs..." Developer stuff, beyond the scope of QA.

Giving this an OK, and validating. 

The advisory should be sure to include both python3-nltk and python3-regex-2022.

CC: (none) => sysadmin-bugs
Keywords: feedback => validated_update
Whiteboard: (none) => MGA9-64-OK

Comment 6 papoteur 2023-10-25 14:48:01 CEST
Advisory:
===========
Update python-nltk to 3.6.6
Resolve ReDoS opportunity by fixing incorrectly specified regex
================
Comment 7 Marja Van Waes 2023-10-25 15:40:00 CEST
(In reply to papoteur from comment #6)
> Advisory:
> ===========
> Update python-nltk to 3.6.6
> Resolve ReDoS opportunity by fixing incorrectly specified regex
> ================

So both 
        python-regex-2022.9.13-1.mga8 
and 
        python-nltk-3.6.6-1.mga8

Need to be in the advisory (and pushed to updates together), right?

CC: (none) => marja11

Comment 8 Marja Van Waes 2023-10-25 15:49:36 CEST
(In reply to Marja Van Waes from comment #7)
> (In reply to papoteur from comment #6)
> > Advisory:
> > ===========
> > Update python-nltk to 3.6.6
> > Resolve ReDoS opportunity by fixing incorrectly specified regex
> > ================
> 
> So both 
>         python-regex-2022.9.13-1.mga8 
> and 
>         python-nltk-3.6.6-1.mga8
> 
> Need to be in the advisory (and pushed to updates together), right?

I've uploaded the advisory with that addition. Please remove the "advisory" keyword if that was wrong.

Keywords: (none) => advisory

Comment 9 papoteur 2023-10-25 15:52:32 CEST
(In reply to Marja Van Waes from comment #7)
> (In reply to papoteur from comment #6)
> So both 
>         python-regex-2022.9.13-1.mga8 
> and 
>         python-nltk-3.6.6-1.mga8
> 
> Need to be in the advisory (and pushed to updates together), right?

Yes, indeed.
Comment 10 Mageia Robot 2023-10-25 20:19:58 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0302.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
