Summary: | <dev-lang/python-{2.7.16,3.5.7,3.6.9,3.7.3}: NULL pointer dereference using a specially crafted X509 certificate (CVE-2019-5010) | |
---|---|---|---
Product: | Gentoo Security | Reporter: | psp <gentoo-bugzilla>
Component: | Vulnerabilities | Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED | |
Severity: | normal | CC: | mgorny, python
Priority: | Normal | |
Version: | unspecified | |
Hardware: | All | |
OS: | Linux | |
URL: | https://python-security.readthedocs.io/vuln/ssl-crl-dps-dos.html | |
Whiteboard: | A3 [glsa+ cve] | |
Package list: | dev-lang/python-2.7.16, dev-lang/python-3.5.7, dev-lang/python-3.6.9 | |
Runtime testing required: | --- | |
Bug Depends on: | 689822, 701116 | |
Bug Blocks: | | |
Description
psp
2019-01-29 07:51:30 UTC
Ok, so it seems that the following versions contain a fix:

2.7: 2.7.16
3.4: 3.4.10
3.5: 3.5.7
3.6: next (no rc yet)
3.7: 3.7.3rc1 (no final yet)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8ece98412e59349f1f485d5bd83919eb7d3f3e58

commit 8ece98412e59349f1f485d5bd83919eb7d3f3e58
Author: Michał Górny <mgorny@gentoo.org>
AuthorDate: 2019-03-21 12:44:07 +0000
Commit: Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-03-21 12:44:07 +0000

dev-lang/python: Sec-bump to 3.5.7

Bug: https://bugs.gentoo.org/676700
Signed-off-by: Michał Górny <mgorny@gentoo.org>

dev-lang/python/Manifest | 1 +
dev-lang/python/python-3.5.7.ebuild | 368 ++++++++++++++++++++++++++++++++++++
2 files changed, 369 insertions(+)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4eb3d2a0e9e70ef17f9b39b18b8d5e82f7d0d649

commit 4eb3d2a0e9e70ef17f9b39b18b8d5e82f7d0d649
Author: Michał Górny <mgorny@gentoo.org>
AuthorDate: 2019-03-21 13:22:24 +0000
Commit: Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-03-21 13:38:36 +0000

dev-lang/python: Sec-bump to 3.4.10

Bug: https://bugs.gentoo.org/676700
Signed-off-by: Michał Górny <mgorny@gentoo.org>

dev-lang/python/Manifest | 1 +
dev-lang/python/python-3.4.10.ebuild | 363 +++++++++++++++++++++++++++++++++++
2 files changed, 364 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6708701fec5c9f09ddf47fafefefc344e87bc98b

commit 6708701fec5c9f09ddf47fafefefc344e87bc98b
Author: Michał Górny <mgorny@gentoo.org>
AuthorDate: 2019-03-21 12:44:07 +0000
Commit: Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-03-21 13:38:36 +0000

dev-lang/python: Sec-bump to 3.5.7

Bug: https://bugs.gentoo.org/676700
Signed-off-by: Michał Górny <mgorny@gentoo.org>

dev-lang/python/Manifest | 1 +
dev-lang/python/python-3.5.7.ebuild | 368 ++++++++++++++++++++++++++++++++++++
2 files changed, 369 insertions(+)

Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.

Well, I don't see a reason not to stabilize the new versions, but it'd probably make sense to wait for all branches to be released.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1e3fcda6cbf3533091102bc3c7272d0bcf357fb9

commit 1e3fcda6cbf3533091102bc3c7272d0bcf357fb9
Author: Michał Górny <mgorny@gentoo.org>
AuthorDate: 2019-03-29 12:27:40 +0000
Commit: Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-03-29 12:59:12 +0000

dev-lang/python: Bump to 3.7.3

Bug: https://bugs.gentoo.org/676700
Bug: https://bugs.gentoo.org/680298
Signed-off-by: Michał Górny <mgorny@gentoo.org>

dev-lang/python/Manifest | 2 +
dev-lang/python/python-3.7.3.ebuild | 325 ++++++++++++++++++++++++++++++++++++
2 files changed, 327 insertions(+)

Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1cd1842cd013485101789106c7b25c8999cff9e9

commit 1cd1842cd013485101789106c7b25c8999cff9e9
Author: Michał Górny <mgorny@gentoo.org>
AuthorDate: 2019-07-14 12:46:56 +0000
Commit: Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-07-14 12:48:20 +0000

dev-lang/python: Bump to 3.6.9

Bug: https://bugs.gentoo.org/689822
Bug: https://bugs.gentoo.org/680246
Bug: https://bugs.gentoo.org/676700
Signed-off-by: Michał Górny <mgorny@gentoo.org>

dev-lang/python/Manifest | 1 +
dev-lang/python/python-3.6.9.ebuild | 349 ++++++++++++++++++++++++++++++++++++
2 files changed, 350 insertions(+)

We should probably wait for 2.7.17 and 3.5.8 to address all other Python bugs in one stabilization.

All affected versions should be gone now.

Added to an existing GLSA request.

This issue was resolved and addressed in GLSA 202003-26 at https://security.gentoo.org/glsa/202003-26 by GLSA coordinator Thomas Deutschmann (whissi).