
Debian Bug report logs - #921039
CVE-2018-14647


Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Thu, 31 Jan 2019 23:36:02 UTC

Severity: grave

Tags: security, upstream

Found in version python2.7/2.7.13-2

Fixed in versions python2.7/2.7.15-5, python2.7/2.7.13-2+deb9u3, 2.7.15-9

Done: Matthias Klose <doko@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://bugs.python.org/issue34623




Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Matthias Klose <doko@debian.org>:
Bug#921039; Package python2.7. (Thu, 31 Jan 2019 23:36:03 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Matthias Klose <doko@debian.org>. (Thu, 31 Jan 2019 23:36:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2018-14647
Date: Fri, 01 Feb 2019 00:32:15 +0100
Package: python2.7
Version: 2.7.15-5
Severity: grave
Tags: security

CVE-2018-14647 as fixed in DSA-4306-1 needs to be fixed in testing as well:

https://bugs.python.org/issue34623
https://github.com/python/cpython/commit/18b20bad75b4ff0486940fba4ec680e96e70f3a2

Cheers,
        Moritz
 
 



Marked as found in versions python2.7/2.7.13-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 01 Feb 2019 07:06:02 GMT) (full text, mbox, link).


Set Bug forwarded-to-address to 'https://bugs.python.org/issue34623'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 01 Feb 2019 07:06:03 GMT) (full text, mbox, link).


Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 01 Feb 2019 07:06:04 GMT) (full text, mbox, link).


Marked as fixed in versions python2.7/2.7.13-2+deb9u3. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 01 Feb 2019 08:16:18 GMT) (full text, mbox, link).


Reply sent to Matthias Klose <doko@debian.org>:
You have taken responsibility. (Fri, 01 Feb 2019 08:51:07 GMT) (full text, mbox, link).


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Fri, 01 Feb 2019 08:51:07 GMT) (full text, mbox, link).


Message #18 received at 921039-close@bugs.debian.org (full text, mbox, reply):

From: Matthias Klose <doko@debian.org>
To: 921039-close@bugs.debian.org
Subject: Bug#921039: fixed in python2.7 2.7.15-6
Date: Fri, 01 Feb 2019 08:48:22 +0000
Source: python2.7
Source-Version: 2.7.15-6

We believe that the bug you reported is fixed in the latest version of
python2.7, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 921039@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Matthias Klose <doko@debian.org> (supplier of updated python2.7 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 01 Feb 2019 08:18:31 +0100
Source: python2.7
Architecture: source
Version: 2.7.15-6
Distribution: unstable
Urgency: medium
Maintainer: Matthias Klose <doko@debian.org>
Changed-By: Matthias Klose <doko@debian.org>
Closes: 921039 921040
Changes:
 python2.7 (2.7.15-6) unstable; urgency=medium
 .
   * Update to 20190201 from the 2.7 branch.
     - CVE-2013-1752: Limit imaplib.IMAP4_SSL.readline().
     - CVE-2018-14647: _elementtree.c doesn't call XML_SetHashSalt().
       Closes: #921039.
     - CVE-2019-5010: DoS vulnerability exists in the X509 certificate parser.
       Closes: #921040.
   * Bump standards version.
   * Update symbols file.
Checksums-Sha1:
 330274af10115129a5130f3914f45ffad439b94a 3344 python2.7_2.7.15-6.dsc
 26c02e807e241461f71ed515814741d788cb0160 596337 python2.7_2.7.15-6.diff.gz
 d38f6d0200a447c3890e4f27f319c15418f0c015 10050 python2.7_2.7.15-6_source.buildinfo
Checksums-Sha256:
 0179e286a457fffde54a6731f306fd86f386b8db33aa88ff9c9760115f9125c4 3344 python2.7_2.7.15-6.dsc
 b3c63e731e47ef48fa0087ed922679d55772fedc2bcb7ac414ca677a0feb2266 596337 python2.7_2.7.15-6.diff.gz
 30b62b5ac02566c600ea4045fc446165a33191bafe9bf3384066be165bc43610 10050 python2.7_2.7.15-6_source.buildinfo
Files:
 f5e28cb0db5d2c168e3758d1f9c67518 3344 python optional python2.7_2.7.15-6.dsc
 54619766bcdafd0cb9d4d5f7b237d4c1 596337 python optional python2.7_2.7.15-6.diff.gz
 7d1180beb276bb990e9653d51b9328ce 10050 python optional python2.7_2.7.15-6_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#921039; Package python2.7. (Fri, 01 Feb 2019 09:42:02 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. (Fri, 01 Feb 2019 09:42:02 GMT) (full text, mbox, link).


Message #23 received at 921039@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 921039@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@debian.org>
Subject: Re: Bug#921039 closed by Matthias Klose <doko@debian.org> (Bug#921039: fixed in python2.7 2.7.15-6)
Date: Fri, 1 Feb 2019 10:40:26 +0100
Control: reopen -1
Control: found -1 2.7.15-6

Hi

On Fri, Feb 01, 2019 at 08:51:07AM +0000, Debian Bug Tracking System wrote:
>      - CVE-2018-14647: _elementtree.c doesn't call XML_SetHashSalt().
>        Closes: #921039.

The change
https://github.com/python/cpython/commit/18b20bad75b4ff0486940fba4ec680e96e70f3a2
though does not seem to be applied, looking at the debdiff from
2.7.15-5 to 2.7.15-6.

Can you please recheck, and if I'm wrong please highlight to me what I
am missing?

Regards,
Salvatore



Bug reopened Request was from Salvatore Bonaccorso <carnil@debian.org> to 921039-submit@bugs.debian.org. (Fri, 01 Feb 2019 09:42:02 GMT) (full text, mbox, link).


No longer marked as fixed in versions python2.7/2.7.13-2+deb9u3 and python2.7/2.7.15-6. Request was from Salvatore Bonaccorso <carnil@debian.org> to 921039-submit@bugs.debian.org. (Fri, 01 Feb 2019 09:42:03 GMT) (full text, mbox, link).


Marked as found in versions 2.7.15-6. Request was from Salvatore Bonaccorso <carnil@debian.org> to 921039-submit@bugs.debian.org. (Fri, 01 Feb 2019 09:42:04 GMT) (full text, mbox, link).


Marked as fixed in versions python2.7/2.7.13-2+deb9u3. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 01 Feb 2019 09:51:03 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#921039; Package python2.7. (Sat, 16 Feb 2019 12:54:03 GMT) (full text, mbox, link).


Acknowledgement sent to Matthias Klose <doko@debian.org>:
Extra info received and forwarded to list. (Sat, 16 Feb 2019 12:54:03 GMT) (full text, mbox, link).


Message #36 received at 921039@bugs.debian.org (full text, mbox, reply):

From: Matthias Klose <doko@debian.org>
To: 921039-done@bugs.debian.org, 921039@bugs.debian.org
Subject: Re: Bug#921039: CVE-2018-14647
Date: Sat, 16 Feb 2019 13:52:04 +0100
Version: 2.7.15-9

Closing again. AFAICS, this was already applied in -6.



Reply sent to Matthias Klose <doko@debian.org>:
You have taken responsibility. (Sat, 16 Feb 2019 12:54:07 GMT) (full text, mbox, link).


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Sat, 16 Feb 2019 12:54:07 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#921039; Package python2.7. (Sat, 16 Feb 2019 13:15:03 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. (Sat, 16 Feb 2019 13:15:03 GMT) (full text, mbox, link).


Message #46 received at 921039@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 921039@bugs.debian.org
Cc: doko@debian.org, jmm@debian.org
Subject: Re: Bug#921039: closed by Matthias Klose <doko@debian.org> (Bug#921039: fixed in python2.7 2.7.15-6)
Date: Sat, 16 Feb 2019 14:10:42 +0100
Control: notfound -1 2.7.15-6
Control: notfound -1 2.7.15-5
Control: fixed -1 2.7.15-5

Hi,

On Fri, Feb 01, 2019 at 10:40:26AM +0100, Salvatore Bonaccorso wrote:
> Control: reopen -1
> Control: found -1 2.7.15-6
> Hi
> 
> On Fri, Feb 01, 2019 at 08:51:07AM +0000, Debian Bug Tracking System wrote:
> >      - CVE-2018-14647: _elementtree.c doesn't call XML_SetHashSalt().
> >        Closes: #921039.
> 
> The change
> https://github.com/python/cpython/commit/18b20bad75b4ff0486940fba4ec680e96e70f3a2
> though does not seem to be applied, looking at the debdiff from
> 2.7.15-5 to 2.7.15-6.
> 
> Can you please recheck, and if I'm wrong please highlight to me what I
> am missing?

To answer my question: the fix is actually already included in the
git-updates.diff patch as uploaded in the -5 revision. Thus the diff
was not spotted in the debdiff between -5 and -6 causing the
confusion.

Regards,
Salvatore



No longer marked as found in versions 2.7.15-6. Request was from Salvatore Bonaccorso <carnil@debian.org> to 921039-submit@bugs.debian.org. (Sat, 16 Feb 2019 13:15:03 GMT) (full text, mbox, link).


No longer marked as found in versions python2.7/2.7.15-5. Request was from Salvatore Bonaccorso <carnil@debian.org> to 921039-submit@bugs.debian.org. (Sat, 16 Feb 2019 13:15:04 GMT) (full text, mbox, link).


Marked as fixed in versions python2.7/2.7.15-5. Request was from Salvatore Bonaccorso <carnil@debian.org> to 921039-submit@bugs.debian.org. (Sat, 16 Feb 2019 13:15:04 GMT) (full text, mbox, link).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 17 Mar 2019 07:31:01 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:10:57 2019; Machine Name: beach
