Bug 30956 - python-joblib new security issue CVE-2022-21797
Summary: python-joblib new security issue CVE-2022-21797
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-10-11 23:31 CEST by David Walser
Modified: 2022-10-19 01:16 CEST
7 users

See Also:
Source RPM: python-joblib-1.0.0-1.mga8.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2022-10-11 23:31:11 CEST
Fedora has issued an advisory on October 8:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BVOMMW37OXZWU2EV5ONAAS462IQEHZOF/

The issue is fixed upstream in 1.2.0.
David Walser 2022-10-11 23:31:28 CEST

CC: (none) => mageia, mhrambo3501
Status comment: (none) => Fixed upstream in 1.2.0

Comment 1 papoteur 2022-10-12 11:48:59 CEST
The 1.2.0 release is built:
python3-joblib-1.2.0-1.mga8.noarch.rpm

Source:
python-joblib-1.2.0-1.mga8

Assignee: python => qa-bugs
CC: (none) => yves.brungard_mageia
Status comment: Fixed upstream in 1.2.0 => (none)

Comment 2 papoteur 2022-10-12 11:52:17 CEST
This package is used by "orange" application.
Comment 3 Herman Viaene 2022-10-15 12:09:11 CEST
MGA8-64 MATE on Acer Aspire 5253.
No installation issues.
Tried to follow papoteur's recommendation above and installed orange.
Launching it from CLI with trace:
$ strace -o pyjoblib.txt orange-canvas
Traceback (most recent call last):
  File "/usr/bin/orange-canvas", line 6, in <module>
    from pkg_resources import load_entry_point
  File "/usr/lib/python3.8/site-packages/pkg_resources/__init__.py", line 3243, in <module>
    def _initialize_master_working_set():
  File "/usr/lib/python3.8/site-packages/pkg_resources/__init__.py", line 3226, in _call_aside
    f(*args, **kwargs)
  File "/usr/lib/python3.8/site-packages/pkg_resources/__init__.py", line 3255, in _initialize_master_working_set
    working_set = WorkingSet._build_master()
  File "/usr/lib/python3.8/site-packages/pkg_resources/__init__.py", line 568, in _build_master
    ws.require(__requires__)
  File "/usr/lib/python3.8/site-packages/pkg_resources/__init__.py", line 886, in require
    needed = self.resolve(parse_requirements(requirements))
  File "/usr/lib/python3.8/site-packages/pkg_resources/__init__.py", line 772, in resolve
    raise DistributionNotFound(req, requirers)
pkg_resources.DistributionNotFound: The 'orange-widget-base>=4.5.0' distribution was not found and is required by Orange3

As the comments on python3-joblib state:
"Joblib is a set of tools to provide lightweight pipelining in Python. In particular, joblib offers:
* transparent disk-caching of the output values and lazy re-evaluation (memorize pattern)
* easy simple parallel computing
* logging and tracing of the execution."

This is developers' territory, so I'll OK it on clean install.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 4 Herman Viaene 2022-10-15 12:12:41 CEST
And the trace shows references to py-joblib, so the crash for other reasons does not matter.
Comment 5 Thomas Andrews 2022-10-15 16:01:09 CEST
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-10-18 23:24:03 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 6 Mageia Robot 2022-10-19 01:16:28 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0375.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

