Summary: | <dev-lang/python-{2.7.18_p7,3.6.12_p3,3.7.9_p3,3.8.7_p2,3.9.1_p2,3.10.0_alpha5_p1}: parameter cloaking vulnerability (CVE-2021-23336) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | John Helmert III <ajak> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | herrtimson, hydrapolic, mgorny, prefix, python |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://bugs.python.org/issue42967 | ||
See Also: | https://bugs.gentoo.org/show_bug.cgi?id=771627 | ||
Whiteboard: | A4 [glsa+ cve] | ||
Package list: | Runtime testing required: | --- |
Description
John Helmert III
2021-02-15 22:20:40 UTC
I'll backport it in ~1 hour.

Oh my, this is a backwards-incompatible change. I wonder if it'll break something.

I've filled the package list for future reference but let's not run the stablereq yet. The current behavior was present practically since forever, and the change is not backwards-compatible. Let's give it at least a few more days to see if it doesn't break stuff.

Unable to check for sanity:
> invalid package spec: ==
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f2a53a94f3b6b6395ef4541051a02d80c61442d0

commit f2a53a94f3b6b6395ef4541051a02d80c61442d0
Author: Michał Górny <mgorny@gentoo.org>
AuthorDate: 2021-02-15 23:48:16 +0000
Commit: Michał Górny <mgorny@gentoo.org>
CommitDate: 2021-02-16 00:12:55 +0000

dev-lang/python: Backport CVE-2021-23336 fix to 2.7

Bug: https://bugs.gentoo.org/770853
Signed-off-by: Michał Górny <mgorny@gentoo.org>

dev-lang/python/Manifest | 1 +
dev-lang/python/python-2.7.18_p7.ebuild | 358 ++++++++++++++++++++++++++++++++
2 files changed, 359 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6b22068f64c351ccf7d6140b362559a78593f29b

commit 6b22068f64c351ccf7d6140b362559a78593f29b
Author: Michał Górny <mgorny@gentoo.org>
AuthorDate: 2021-02-15 23:47:23 +0000
Commit: Michał Górny <mgorny@gentoo.org>
CommitDate: 2021-02-16 00:12:54 +0000

dev-lang/python: Backport CVE-2021-23336 fix to 3.6

Bug: https://bugs.gentoo.org/770853
Signed-off-by: Michał Górny <mgorny@gentoo.org>

dev-lang/python/Manifest | 1 +
dev-lang/python/python-3.6.12_p3.ebuild | 341 ++++++++++++++++++++++++++++++++
2 files changed, 342 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=266ba3cecffea1dfde91ac09ba3ce44a95b6fdf5

commit 266ba3cecffea1dfde91ac09ba3ce44a95b6fdf5
Author: Michał Górny <mgorny@gentoo.org>
AuthorDate: 2021-02-15 23:46:10 +0000
Commit: Michał Górny <mgorny@gentoo.org>
CommitDate: 2021-02-16 00:12:53 +0000

dev-lang/python: Backport CVE-2021-23336 fix to 3.7

Bug: https://bugs.gentoo.org/770853
Signed-off-by: Michał Górny <mgorny@gentoo.org>

dev-lang/python/Manifest | 1 +
dev-lang/python/python-3.7.9_p3.ebuild | 333 +++++++++++++++++++++++++++++++++
2 files changed, 334 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b5a326329d0121f8a618e73feb3fe1dfb31f9e1f

commit b5a326329d0121f8a618e73feb3fe1dfb31f9e1f
Author: Michał Górny <mgorny@gentoo.org>
AuthorDate: 2021-02-15 23:44:52 +0000
Commit: Michał Górny <mgorny@gentoo.org>
CommitDate: 2021-02-16 00:12:52 +0000

dev-lang/python: Backport CVE-2021-23336 fix to 3.8

Bug: https://bugs.gentoo.org/770853
Signed-off-by: Michał Górny <mgorny@gentoo.org>

dev-lang/python/Manifest | 1 +
dev-lang/python/python-3.8.7_p2.ebuild | 337 +++++++++++++++++++++++++++++++++
2 files changed, 338 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1144374a1b5cf6f7fe32d536d8ef454d1e96b7e8

commit 1144374a1b5cf6f7fe32d536d8ef454d1e96b7e8
Author: Michał Górny <mgorny@gentoo.org>
AuthorDate: 2021-02-15 23:43:45 +0000
Commit: Michał Górny <mgorny@gentoo.org>
CommitDate: 2021-02-16 00:12:51 +0000

dev-lang/python: Backport CVE-2021-23336 fix to 3.9

Bug: https://bugs.gentoo.org/770853
Signed-off-by: Michał Górny <mgorny@gentoo.org>

dev-lang/python/Manifest | 1 +
dev-lang/python/python-3.9.1_p2.ebuild | 346 +++++++++++++++++++++++++++++++++
2 files changed, 347 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b67b5c6ab21333995d79ae8b7ffad18163639768

commit b67b5c6ab21333995d79ae8b7ffad18163639768
Author: Michał Górny <mgorny@gentoo.org>
AuthorDate: 2021-02-15 23:38:46 +0000
Commit: Michał Górny <mgorny@gentoo.org>
CommitDate: 2021-02-16 00:12:50 +0000

dev-lang/python: Backport CVE-2021-23336 fix to 3.10

Bug: https://bugs.gentoo.org/770853
Signed-off-by: Michał Górny <mgorny@gentoo.org>

dev-lang/python/Manifest | 1 +
dev-lang/python/python-3.10.0_alpha5_p1.ebuild | 349 +++++++++++++++++++++++++
2 files changed, 350 insertions(+)

Thank you!

ping.

Ok, let's stabilize the new set.

All sanity-check issues have been resolved

ppc64 done

amd64 stable

x86 stable

ppc done

hppa stable

sparc stable

arm64 done

arm done

s390 done

all arches done

Please cleanup.

It's already cleaned up, isn't it?

(In reply to Michał Górny from comment #20)
> It's already cleaned up, isn't it?

Yep, sorry!

New GLSA request filed.

This issue was resolved and addressed in GLSA 202104-04 at https://security.gentoo.org/glsa/202104-04 by GLSA coordinator Thomas Deutschmann (whissi).