Description of problem:
CVE-2021-34552 is set as "Out of support scope" according to https://access.redhat.com/security/cve/cve-2021-34552
This is a formal request to fix this issue for RHEL 7 latest.

Version-Release number of selected component (if applicable):
python-pillow

How reproducible:
n/a

Steps to Reproduce:
1.
2.
3.

Actual results:
python-pillow out of support scope

Expected results:
CVE-2021-34552 resolved for rhel 7 latest

Additional info:
https://access.redhat.com/security/cve/cve-2021-34552
https://bugzilla.redhat.com/show_bug.cgi?id=1982378
We are going to move this bug to the Red Hat Satellite product and resolve this via a rebuild of python-daemon that drops the runtime dependency on python-docutils. This will allow customers to remove python-pillow from their affected hosts, which will eliminate this CVE from their Satellite and Capsule servers.
*** Satellite 6.9 Hotfix Available ***

1) Download python2-daemon-2.1.2-7.1.HFRHBZ1998199.el7sat.noarch.rpm from this bugzilla to your Satellite

2) Stop services:
   satellite-maintain service stop

3) Install and remove:
   # rpm -Uvh python2-daemon-2.1.2-7.1.HFRHBZ1998199.el7sat.noarch.rpm
   # yum remove python-pillow
   ...
   Removing:
    python-pillow    x86_64   2.0.0-21.gitd1c6db8.el7          @rhel-7-server-rpms
   Removing for dependencies:
    python-docutils  noarch   0.11-0.3.20130715svn7687.el7     @rhel-7-server-rpms

   Transaction Summary
   ===================================
   Remove  1 Package (+1 Dependent package)

4) Restart:
   satellite-maintain service start

5) Resume operations
Created attachment 1819471 [details] python2-daemon-2.1.2-7.1.HFRHBZ1998199.el7sat.noarch.rpm
NOTE: The fix for this is removing the following line from the python-daemon specfile, then rebuilding and shipping the update in Satellite:
Requires: python-docutils
The update here ends up breaking ansible-runner unfortunately, as tracked here: https://bugzilla.redhat.com/show_bug.cgi?id=2010863#c2

We need an additional update to the package as outlined by Evgeni:

"""
<Zhenech> wait
<Zhenech> I think I know what happened
<Zhenech> mmccune: python2-daemon-2.1.2-7.1.el7sat.noarch is the patched daemon, right?
<mmccune> Zhenech: did we rebuild python2-daemon?
<Zhenech> so this RPM doesn't depend on docutils
<Zhenech> BU
<Zhenech> T
<Zhenech> # grep docutils /usr/lib/python2.7/site-packages/python_daemon-2.1.2-py2.7.egg-info/requires.txt
<Zhenech> docutils
<Zhenech> that means that "import daemon" works
<mmccune> ahh
<mmccune> so we need a patch to the python code to remove that
<Zhenech> but if you actually ask pkg_resources if it can load daemon it will tell you: no, not all deps are present
<Zhenech> and ansible-runner uses that ^
"""
And to do so, you *probably* (untested) need to patch out this line: https://pagure.io/python-daemon/blob/5f4d218fa974d2d2690d9a19e5058627ac35429f/f/setup.py#_66
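The mismatch Evgeni describes (the RPM no longer requires docutils, but the egg-info requires.txt still declares it, so "import daemon" works while a metadata-based dependency check fails) can be reproduced with a small audit script. This is an added example for this bug, not code from python-daemon, ansible-runner or Satellite; the requires.txt contents below are constructed, and the installed-package set is passed in so the check runs offline.

```python
"""Audit an installed distribution's declared requirements the way a
metadata-driven loader (pkg_resources) does, as opposed to a bare import.
Added example for this bug; not part of python-daemon or Satellite."""
import re
from importlib import metadata  # Python 3.8+

# Constructed sample of an egg-info requires.txt in which the stale
# 'docutils' entry is still present after the RPM-level Requires: was dropped.
SAMPLE_REQUIRES_TXT = """\
lockfile >=0.10
docutils

[test]
testscenarios
"""

_NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def parse_requires_txt(text):
    """Return the distribution names in the unconditional section of a
    requires.txt. Lines after the first [extra] header are optional extras
    (or environment-marker sections) and are not required for a plain load."""
    names = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):  # start of an extras/marker section
            break
        m = _NAME_RE.match(line)
        if m:
            names.append(m.group(1).lower())
    return names


def is_installed(name):
    """True if a distribution with this name is visible to importlib.metadata."""
    try:
        metadata.distribution(name)
        return True
    except metadata.PackageNotFoundError:
        return False


def missing_requirements(text, installed=None):
    """Declared requirements that are not installed. `installed` may be a set
    of names for offline checks; when None, the live environment is queried."""
    present = (lambda n: n in installed) if installed is not None else is_installed
    return [n for n in parse_requires_txt(text) if not present(n)]


if __name__ == "__main__":
    # Host where python-docutils was removed along with python-pillow:
    # the import would succeed, but the declared-dependency check does not.
    print(missing_requirements(SAMPLE_REQUIRES_TXT, installed={"lockfile"}))
```

Run against the real file (`open(".../python_daemon-2.1.2-py2.7.egg-info/requires.txt").read()` with `installed=None`) to confirm that a rebuilt package no longer lists docutils.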
VERIFIED.

@Satellite 6.10.0 Snap23, python2-daemon-2.1.2-7.2.el7sat.noarch, by following manual steps:

# rpm -q python-pillow
package python-pillow is not installed

>>> affected package is not installed

# rpm -qR python2-daemon
python(abi) = 2.7
python-lockfile
rpmlib(CompressedFileNames) <= 3.0.4-1
rpmlib(FileDigests) <= 4.6.0-1
rpmlib(PartialHardlinkSets) <= 4.0.4-1
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
rpmlib(PayloadIsXz) <= 5.2-1

>>> since python2-daemon no longer requires python-docutils (depending on python-pillow)

# python
Python 2.7.5 (default, Aug 13 2020, 02:51:10)
[GCC 4.8.5 20150623 (Red Hat 4.8.5-39)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import daemon
>>>

>>> while not breaking code using daemon module
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: Satellite 6.10 Release), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:4702