Bug 1848508
| Summary: | CVE-2020-13757 python-rsa: decryption of ciphertext leads to DoS [fedora-all] | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Dhananjay Arunesh <darunesh> |
| Component: | python-rsa | Assignee: | Jason Montleon <jmontleo> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 32 | CC: | bperkins, jmontleo, me, petr.hruska, yohangraterol92 |
| Target Milestone: | --- | Keywords: | Security, SecurityTracking |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | python-rsa-3.4.2-15.fc31 python-rsa-3.4.2-15.fc32 python-rsa-3.4.2-15.el8 python-rsa-3.4.2-1.el7 python-rsa-3.4.2-1.el6 | Doc Type: | No Doc Update |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-07-13 01:38:45 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1848507 | | |

Description
Dhananjay Arunesh
2020-06-18 13:22:35 UTC
Use the following template for the 'fedpkg update' request to submit an update for this issue as it contains the top-level parent bug(s) as well as this tracking bug. This will ensure that all associated bugs get updated when new packages are pushed to stable.

```
=====

# bugfix, security, enhancement, newpackage (required)
type=security

# low, medium, high, urgent (required)
severity=medium

# testing, stable
request=testing

# Bug numbers: 1234,9876
bugs=1848507,1848508

# Description of your update
notes=Security fix for [PUT CVEs HERE]

# Enable request automation based on the stable/unstable karma thresholds
autokarma=True
stable_karma=3
unstable_karma=-3

# Automatically close bugs when this marked as stable
close_bugs=True

# Suggest that users restart after update
suggest_reboot=False

======
```

Additionally, you may opt to use the bodhi web interface to submit updates:
https://bodhi.fedoraproject.org/updates/new

FEDORA-2020-253ebe55ff has been submitted as an update to Fedora 31.
https://bodhi.fedoraproject.org/updates/FEDORA-2020-253ebe55ff

FEDORA-EPEL-2020-2f1d845c76 has been submitted as an update to Fedora EPEL 8.
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-2f1d845c76

FEDORA-EPEL-2020-8c3e76982e has been submitted as an update to Fedora EPEL 6.
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-8c3e76982e

FEDORA-2020-5ed5627d2b has been submitted as an update to Fedora 32.
https://bodhi.fedoraproject.org/updates/FEDORA-2020-5ed5627d2b

FEDORA-EPEL-2020-0f25da8099 has been submitted as an update to Fedora EPEL 7.
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-0f25da8099

FEDORA-EPEL-2020-2f1d845c76 has been pushed to the Fedora EPEL 8 testing repository. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-2f1d845c76 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

FEDORA-2020-253ebe55ff has been pushed to the Fedora 31 testing repository. In short time you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-253ebe55ff` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-253ebe55ff See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

FEDORA-EPEL-2020-0f25da8099 has been pushed to the Fedora EPEL 7 testing repository. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-0f25da8099 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

FEDORA-EPEL-2020-8c3e76982e has been pushed to the Fedora EPEL 6 testing repository. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-8c3e76982e See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

FEDORA-2020-5ed5627d2b has been pushed to the Fedora 32 testing repository. In short time you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-5ed5627d2b` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-5ed5627d2b See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

FEDORA-2020-253ebe55ff has been pushed to the Fedora 31 stable repository. If problem still persists, please make note of it in this bug report.

FEDORA-2020-5ed5627d2b has been pushed to the Fedora 32 stable repository. If problem still persists, please make note of it in this bug report.

FEDORA-EPEL-2020-2f1d845c76 has been pushed to the Fedora EPEL 8 stable repository. If problem still persists, please make note of it in this bug report.

FEDORA-EPEL-2020-0f25da8099 has been pushed to the Fedora EPEL 7 stable repository. If problem still persists, please make note of it in this bug report.

FEDORA-EPEL-2020-8c3e76982e has been pushed to the Fedora EPEL 6 stable repository. If problem still persists, please make note of it in this bug report.

It was found that the patch is not applied, and because of that the version is still vulnerable. It looks like rpmlint is able to detect this problem as well. If executed at f32 branch

```
commit 08f123cc2d038b298456895dd673f0af01bc824f (HEAD, upstream/f32, upstream/f31)
Author: Fabio Alessandro Locati <me>
Date:   Sun Jul 5 10:36:54 2020 +0200

    backport patch to fix CVE-2020-13757
```

```
rpmlint python-rsa.spec
python-rsa.spec: W: patch-not-applied Patch0: python-rsa-3.4.2-cve-2020-13757.patch
0 packages and 1 specfiles checked; 0 errors, 1 warnings.
```

For cve-2020-13757 it's missing `%patch0 -p1` under `%setup -q -n %{pypi_name}-%{version}`.

I've pushed an update to address this in F32, EPEL7, and EPEL8.

https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-e628760c88
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-f87c9b8bab
https://bodhi.fedoraproject.org/updates/FEDORA-2020-34094699cc

These are all in stable. I believe the issue is resolved.
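
The declared-but-never-applied patch condition reported in the comments above can be checked before an update is pushed. The following is an added example, not part of the original bug report and not rpmlint's own code: the function name `unapplied_patches` and both sample specs are constructed for illustration, modelled on the spec lines quoted in this bug.

```python
import re

# Constructed sample modelled on the spec lines quoted in the bug comments;
# it is not the real python-rsa.spec.
BROKEN_SPEC = """\
Name:           python-rsa
Version:        3.4.2
Patch0:         python-rsa-3.4.2-cve-2020-13757.patch

%prep
%setup -q -n %{pypi_name}-%{version}

%build
%py3_build
"""
# The fix described in the bug: apply the patch right after %setup.
FIXED_SPEC = BROKEN_SPEC.replace(
    "%setup -q -n %{pypi_name}-%{version}\n",
    "%setup -q -n %{pypi_name}-%{version}\n%patch0 -p1\n",
)

DECLARED = re.compile(r"^Patch(\d*)[ \t]*:[ \t]*(\S+)", re.M | re.I)
APPLIED = re.compile(r"^[ \t]*%patch(\d*)\b(.*)$", re.M)
# %autosetup (unless given -N) and %autopatch apply every declared patch.
AUTO = re.compile(r"^[ \t]*%(?:autopatch\b|autosetup\b(?!.*\s-N\b))", re.M)


def unapplied_patches(spec_text):
    """Return {number: filename} for PatchN tags that the spec never applies."""
    # Ignore comment lines so a commented-out "%patch0" does not count.
    text = "\n".join(
        line for line in spec_text.splitlines() if not line.lstrip().startswith("#")
    )
    declared = {int(num or 0): name for num, name in DECLARED.findall(text)}
    if AUTO.search(text):
        return {}
    applied = set()
    for num, args in APPLIED.findall(text):
        by_flag = re.findall(r"-P\s*(\d+)", args)    # %patch -P 0 -p1
        positional = re.match(r"\s+(\d+)\b", args)   # %patch 0 -p1
        if num:                                      # %patch0 -p1
            applied.add(int(num))
        elif by_flag:
            applied.update(map(int, by_flag))
        else:                                        # bare %patch (older rpm) means patch 0
            applied.add(int(positional.group(1)) if positional else 0)
    return {n: name for n, name in declared.items() if n not in applied}
```

A non-empty result for a security update means the shipped build still carries the unpatched code even though the changelog and advisory say otherwise, which is the situation this bug ended up in.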