Bug 33253 - python-jinja2 new security issues CVE-2024-22195 and CVE-2024-34064
Summary: python-jinja2 new security issues CVE-2024-22195 and CVE-2024-34064
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2024-05-29 15:54 CEST by Nicolas Salguero
Modified: 2024-05-31 17:16 CEST (History)
4 users (show)

See Also:
Source RPM: python-jinja2-3.1.3-1.mga10.src.rpm
CVE: CVE-2024-22195, CVE-2024-34064
Status comment: Fixed upstream in 3.1.4 and patches available from upstream and Ubuntu

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Nicolas Salguero 2024-05-29 15:54:45 CEST 
Ubuntu has issued an advisory on May 28:
https://ubuntu.com/security/notices/USN-6787-1

The problem is fixed in 3.1.4. 

Mageia 9 is also affected.
Nicolas Salguero 2024-05-29 15:55:20 CEST

Source RPM: (none) => python-jinja2-3.1.3-1.mga10.src.rpm
Status comment: (none) => Fixed upstream in 3.1.4 and patch available from upstream and Ubuntu
CVE: (none) => CVE-2024-34064
Whiteboard: (none) => MGA9TOO

Comment 1 Nicolas Salguero 2024-05-29 16:23:47 CEST 
Ubuntu has issued an advisory on January 25:
https://ubuntu.com/security/notices/USN-6599-1

The problem is fixed in 3.1.3.

Mageia 9 is also affected.

Summary: python-jinja2 new security issue CVE-2024-34064 => python-jinja2 new security issues CVE-2024-22195 and CVE-2024-34064
CVE: CVE-2024-34064 => CVE-2024-22195, CVE-2024-34064
Status comment: Fixed upstream in 3.1.4 and patch available from upstream and Ubuntu => Fixed upstream in 3.1.4 and patches available from upstream and Ubuntu

Comment 2 David GEIGER 2024-05-30 20:20:33 CEST 
Fixed both mga9 and Cauldron updating to 3.1.4 release!

CC: (none) => geiger.david68210

Comment 3 David GEIGER 2024-05-30 20:22:06 CEST 
Assigning to QA,

Package in 9/Core/Updates_testing:
=====================
python3-jinja2-3.1.4-1.mga9.noarch.rpm

From SRPMS:
python-jinja2-3.1.4-1.mga9.src.rpm

Whiteboard: MGA9TOO => (none)
Assignee: bugsquad => qa-bugs

katnatek 2024-05-30 20:29:40 CEST

Keywords: (none) => advisory

Comment 4 katnatek 2024-05-31 03:46:53 CEST 
RH mageia 9 x86_64

LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date


installing python3-jinja2-3.1.4-1.mga9.noarch.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/1: python3-jinja2        ##################################################################################################
      1/1: removing python3-jinja2-3.1.2-1.mga9.noarch
                                 ##################################################################################################


Run the test referenced in bug#28461 comment#7 (after make the needed correction)
python3 Descargas/jinja-test.py 
Hello. If you see this with no errors then it worked :)

Whiteboard: (none) => MGA9-64-OK
CC: (none) => andrewsfarm

Comment 5 Thomas Andrews 2024-05-31 14:01:31 CEST 
Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Dan Fandrich 2024-05-31 16:55:28 CEST

Version: Cauldron => 9
CC: (none) => dan

Comment 6 Mageia Robot 2024-05-31 17:16:08 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0199.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
Note You need to log in before you can comment on or make changes to this bug.