openSUSE has issued an advisory on January 16:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/R4M566AB324K3L6V4C2RMDKBBBJ7LYVV/

Mageia 8 is also affected.
Whiteboard: (none) => MGA8TOO
Status comment: (none) => Patch available from openSUSE
Ubuntu has issued an advisory for this on January 24: https://ubuntu.com/security/notices/USN-5821-1
Severity: normal => major
(In reply to David Walser from comment #1)
> Ubuntu has issued an advisory for this on January 24:
> https://ubuntu.com/security/notices/USN-5821-1

Regression fix:
https://ubuntu.com/security/notices/USN-5821-3
patch added for both mga8 and cauldron!

Packages in 9/Core/Updates_testing:
======================
python-wheel-wheel-0.37.1-2.mga9.noarch.rpm
python3-wheel-0.37.1-2.mga9.noarch.rpm

Packages in 8/Core/Updates_testing:
======================
python-wheel-wheel-0.35.1-2.1.mga8.noarch.rpm
python3-wheel-0.35.1-2.1.mga8.noarch.rpm

From SRPMS:
python-wheel-0.37.1-2.mga9.src.rpm
python-wheel-0.35.1-2.1.mga8.src.rpm
Assignee: python => qa-bugs
Status comment: Patch available from openSUSE => (none)
CC: (none) => geiger.david68210
Mageia8, x86_64

Introduction at https://realpython.com/python-wheels/#what-is-a-python-wheel

Before updating:
lcl@canopus:python $ pushd "$(mktemp -d)"
/tmp/tmp.lHY6KSHdJF ~/qa/python
lcl@canopus:tmp.lHY6KSHdJF $ sudo urpmi python-pip
lcl@canopus:tmp.lHY6KSHdJF $ python -m pip download --only-binary :all: --dest . --no-cache six
Collecting six
Downloading six-1.16.0-py2.py3-none-any.whl (11 kB)
Saved ./six-1.16.0-py2.py3-none-any.whl
Successfully downloaded six
lcl@canopus:tmp.lHY6KSHdJF $ ls
six-1.16.0-py2.py3-none-any.whl

So far so good.

Updated the two packages.
lcl@canopus:tmp.lHY6KSHdJF $ unzip six-1.16.0-py2.py3-none-any.whl
Archive: six-1.16.0-py2.py3-none-any.whl
inflating: six.py
inflating: six-1.16.0.dist-info/LICENSE
inflating: six-1.16.0.dist-info/METADATA
inflating: six-1.16.0.dist-info/WHEEL
inflating: six-1.16.0.dist-info/top_level.txt
inflating: six-1.16.0.dist-info/RECORD

Tried installing six:
$ python -m pip install --only-binary :all: --no-cache six
Defaulting to user installation because normal site-packages is not writeable
Requirement already satisfied: six in /usr/lib/python3.8/site-packages (1.15.0)

Installed yarl from scratch:
$ python -m pip install --only-binary :all: yarl
Defaulting to user installation because normal site-packages is not writeable
Collecting yarl
Downloading yarl-1.9.2-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (266 kB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 266.9/266.9 KB 4.8 MB/s eta 0:00:00
Collecting multidict>=4.0
Downloading multidict-6.0.4-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (121 kB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 121.3/121.3 KB 11.8 MB/s eta 0:00:00
Requirement already satisfied: idna>=2.0 in /usr/lib/python3.8/site-packages (from yarl) (2.10)
Installing collected packages: multidict, yarl
Successfully installed multidict-6.0.4 yarl-1.9.2

multidict dependency installed OK.
Since this is a user install the packages can be found in ~/.local/lib/python3.8/site-packages/
$ cd .local/lib/python3.8/site-packages/
lcl@canopus:site-packages $ ls
easygui/ multidict/ yarl/
easygui-0.98.2.dist-info/ multidict-6.0.4.dist-info/ yarl-1.9.2.dist-info/

Looks like this is working OK.

Note that the specification includes support for different platforms and architectures and for various compilers where binaries need to be built. I did not follow that up, nor was I able to chase the regression related to python-pip (CVE-2022-40898). The CVE contains this notice:
"the python-pip package bundles wheel binaries when built. After updating wheel, a no-change rebuild of python-pip is required."
CC: (none) => tarazed25
Whiteboard: MGA8TOO => MGA8TOO MGA8-64-OK
package moved to Core/Release for cauldron!
Whiteboard: MGA8TOO MGA8-64-OK => MGA8-64-OK
Version: Cauldron => 8
Validating.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0218.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED