Bug 30627 - python-ldap new security issue CVE-2021-46823
Summary: python-ldap new security issue CVE-2021-46823
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-07-12 15:16 CEST by David Walser
Modified: 2022-08-29 07:09 CEST (History)
5 users (show)

See Also:
Source RPM: python-ldap-3.3.1-4.mga9.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2022-07-12 15:16:24 CEST
Ubuntu has issued an advisory on July 11:
https://ubuntu.com/security/notices/USN-5508-1

The issue is fixed upstream in 3.4:
https://github.com/python-ldap/python-ldap/security/advisories/GHSA-r8wq-qrxc-hmcm

Mageia 8 is also affected.
David Walser 2022-07-12 15:16:33 CEST

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 3.4.0

Comment 1 Lewis Smith 2022-07-13 21:15:34 CEST
One of those SRPMs with no particular packager associated, so have to assign this globally.

Assignee: bugsquad => pkg-bugs

Comment 2 Mike Rambo 2022-07-16 19:53:29 CEST
Updated package pushed for cauldron and Mageia 8.


Advisory:
========================

Updated python-ldap package fixes security vulnerability:

It was discovered that Python LDAP incorrectly handled certain regular expressions. A remote attacker could possibly use this issue to cause a denial of service (CVE-2021-46823).


References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46823
https://nvd.nist.gov/vuln/detail/CVE-2021-46823
https://ubuntu.com/security/notices/USN-5508-1
========================

Updated packages in core/updates_testing:
========================
python3-ldap-3.3.1-1.1.mga8

from python-ldap-3.3.1-1.1.mga8.src.rpm

Assignee: pkg-bugs => qa-bugs
Status comment: Fixed upstream in 3.4.0 => (none)
CC: (none) => mhrambo3501
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8

Comment 3 Herman Viaene 2022-07-18 09:46:39 CEST
MGA8-64 Plasma on Acer Aspire 5253
No installation issues
No wiki, no previous update, so looking for info
# urpmq --whatrequires python3-ldap
nagios-check_syncrepl
python3-django-auth-ldap
python3-ldap

Ventured into installing nagios, making sure the check_syncrepl pugin and the nagios-www was installed.
Then
# systemctl  start httpd
# systemctl  start nagios
# systemctl -l status nagios
● nagios.service - Nagios network monitor
     Loaded: loaded (/usr/lib/systemd/system/nagios.service; disabled; vendor preset: disabled)
     Active: active (running) since Mon 2022-07-18 09:36:24 CEST; 7min ago
    Process: 4447 ExecStart=/usr/sbin/nagios -d /etc/nagios/nagios.cfg (code=exited, status=0/SUCCESS)
   Main PID: 4448 (nagios)
      Tasks: 6 (limit: 4364)
     Memory: 2.0M
        CPU: 582ms
     CGroup: /system.slice/nagios.service
             ├─4448 /usr/sbin/nagios -d /etc/nagios/nagios.cfg
             ├─4449 /usr/sbin/nagios --worker /var/spool/nagios/nagios.qh
             ├─4450 /usr/sbin/nagios --worker /var/spool/nagios/nagios.qh
             ├─4451 /usr/sbin/nagios --worker /var/spool/nagios/nagios.qh
             ├─4452 /usr/sbin/nagios --worker /var/spool/nagios/nagios.qh
             └─4455 /usr/sbin/nagios -d /etc/nagios/nagios.cfg

Jul 18 09:36:24 mach7.hviaene.thuis nagios[4448]: qh: echo service query handler registered
Jul 18 09:36:24 mach7.hviaene.thuis nagios[4448]: qh: help for the query handler registered
Jul 18 09:36:24 mach7.hviaene.thuis nagios[4448]: wproc: Successfully registered manager as @wproc with query handler
Jul 18 09:36:24 mach7.hviaene.thuis nagios[4448]: wproc: Registry request: name=Core Worker 4450;pid=4450
Jul 18 09:36:24 mach7.hviaene.thuis nagios[4448]: wproc: Registry request: name=Core Worker 4452;pid=4452
Jul 18 09:36:24 mach7.hviaene.thuis nagios[4448]: wproc: Registry request: name=Core Worker 4449;pid=4449
Jul 18 09:36:24 mach7.hviaene.thuis nagios[4448]: wproc: Registry request: name=Core Worker 4451;pid=4451
Jul 18 09:36:25 mach7.hviaene.thuis nagios[4448]: Successfully launched command file worker with pid 4455
Jul 18 09:36:32 mach7.hviaene.thuis nagios[4448]: SERVICE ALERT: localhost;SSH;CRITICAL;SOFT;3;connect to address 127.0.0.1 and port >
Jul 18 09:37:32 mach7.hviaene.thuis nagios[4448]: SERVICE ALERT: localhost;SSH;CRITICAL;HARD;4;connect to address 127.0.0.1 and port >
lines 1-26/26 (END)

Then point firefox to http://localhost/nagios/ and its home page opens correctly AFAICS, but then I'm lost....
Anyway, it doesn't seem to harm anything else on the system.....

CC: (none) => herman.viaene

Comment 4 Herman Viaene 2022-08-26 11:02:51 CEST
For lack of any feedback or criticism, giving the OK as fat as as I understand it.

Whiteboard: (none) => MGA8-64-OK

Comment 5 Thomas Andrews 2022-08-26 14:05:35 CEST
Out of my experience too, Herman, but it looks reasonable. Validating. Advisory in Comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-08-28 23:45:40 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 6 Mageia Robot 2022-08-29 07:09:01 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0310.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED


Note You need to log in before you can comment on or make changes to this bug.