SUSE has issued an advisory on July 2: https://lwn.net/Articles/980387/ Mageia 9 is also affected.
It seems the following link also provides a patch: https://github.com/Marven11/CVE-2024-28397-js2py-Sandbox-Escape
Source RPM: (none) => python-js2py-0.74-1.mga10.src.rpm
Status comment: (none) => Patch available from openSUSE
CVE: (none) => CVE-2024-28397
Whiteboard: (none) => MGA9TOO
The patch link above is unclear, but I think this is the patch 'fix.py': https://github.com/Marven11/CVE-2024-28397-js2py-Sandbox-Escape/blob/main/fix.py Assigning to Python people.
Assignee: bugsquad => python
According to the fix section of the readme, to patch the source code, the needed file is patch.txt.
Done for both mga9 and cauldron!
Whiteboard: MGA9TOO => (none)
CC: (none) => geiger.david68210
Version: Cauldron => 9
Assigning to QA.

Package in 9/Core/Updates_testing:
=====================
python3-js2py-0.70-3.1.mga9.noarch.rpm

From SRPMS:
python-js2py-0.70-3.1.mga9.src.rpm
Assignee: python => qa-bugs
Keywords: (none) => advisory
LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (32-bit)" is up-to-date
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date
installing python3-js2py-0.70-3.1.mga9.noarch.rpm from //home/katnatek/qa-testing/x86_64
Preparing... ##################################################################################################
1/1: python3-js2py ##################################################################################################
1/1: removing python3-js2py-0.70-3.mga9.noarch ##################################################################################################

Not sure how to test
Whiteboard: (none) => MGA9-64-OK
CC: (none) => andrewsfarm
According to the description in MCC, this is used to translate javascript to python. Sounds like developer territory to me. Validating.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0256.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED