Bug 33532 - python-webob new security issue CVE-2024-42353
Summary: python-webob new security issue CVE-2024-42353
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://lists.suse.com/pipermail/sle-...
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2024-09-06 10:02 CEST by Nicolas Salguero
Modified: 2024-09-17 04:42 CEST

See Also:
Source RPM: python3-webob
CVE: CVE-2024-42353
Status comment: Fixed upstream in 1.8.8 and patch available from upstream and openSUSE


Nicolas Salguero 2024-09-06 10:03:09 CEST

Status comment: (none) => Fixed upstream in 1.8.8 and patch available from upstream and openSUSE
CVE: (none) => CVE-2024-42353
Whiteboard: (none) => MGA9TOO
Source RPM: (none) => python-webob-1.8.7-5.mga10.src.rpm

Comment 1 Marja Van Waes 2024-09-06 21:29:45 CEST
Assigning to the Python Stack maintainers, CC'ing the registered maintainer.

Assignee: bugsquad => python
URL: (none) => https://lists.suse.com/pipermail/sle-security-updates/2024-August/019276.html
CC: (none) => makowski.mageia, marja11

Comment 2 David GEIGER 2024-09-11 17:33:01 CEST
Fixed both mga9 and Cauldron!

Assigning to QA,

Packages in 9/Core/Updates_testing:
======================
python3-webob-1.8.8-1.mga9.noarch.rpm

From SRPMS:
python3-webob-1.8.8-1.mga9.src.rpm

CC: (none) => geiger.david68210
Assignee: python => qa-bugs

katnatek 2024-09-11 18:35:37 CEST

Whiteboard: MGA9TOO => (none)
Source RPM: python-webob-1.8.7-5.mga10.src.rpm => python-webob
Version: Cauldron => 9

katnatek 2024-09-11 18:35:57 CEST

Source RPM: python-webob => python3-webob

katnatek 2024-09-11 19:08:59 CEST

Keywords: (none) => advisory

Comment 3 katnatek 2024-09-12 04:47:38 CEST
RH x86_64

LC_ALL=C urpmi --auto --auto-update
updated medium "QA Testing (64-bit)"
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date

installing python3-webob-1.8.8-1.mga9.noarch.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/1: python3-webob         ##################################################################################################
      1/1: removing python3-webob-1.8.7-4.mga9.noarch
                                 ##################################################################################################

Not sure how to test the issue, nor how to test the packages requiring this

urpmq --whatrequires python3-webob|uniq
mnemosyne
openlp
python3-osprofiler
python3-pecan
python3-pyramid
python3-routes
python3-webob
python3-webtest
python3-wsme

Requiring your view on this, Thomas

CC: (none) => andrewsfarm

Comment 4 Thomas Andrews 2024-09-16 02:54:08 CEST
The recursive list isn't much more help:

ceph-mgr
mnemosyne
openlp
pyff
python3-osprofiler
python3-pecan
python3-pyramid
python3-routes
python3-webob
python3-webtest
python3-wsme

After looking at descriptions in drakrpm, and a couple of places on the web, this looks to be a bit beyond QA. OKing and validating based on the clean install.

Keywords: (none) => validated_update
Whiteboard: (none) => MGA9-64-OK
CC: (none) => sysadmin-bugs

Comment 5 Dan Fandrich 2024-09-16 19:12:26 CEST
The .adv file is missing the packages.

CC: (none) => dan

Comment 6 katnatek 2024-09-16 19:21:53 CEST
(In reply to Dan Fandrich from comment #5)
> The .adv file is missing the packages.

Fixed

Comment 7 Mageia Robot 2024-09-17 04:42:09 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0308.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
