Bug 14108

Summary: [CVE 21] python3 CVEs
Product: [ROSA-based products] ROSA Fresh
Reporter: Vladimir Potapov <v.potapov>
Component: System (kernel, glibc, systemd, bash, PAM...)
Assignee: ROSA Linux Bugs <bugs>
Status: VERIFIED FIXED
QA Contact: ROSA Linux Bugs <bugs>
Severity: blocker
Priority: Highest
CC: a.proklov, e.malashin, s.matveev
Version: All
Flags: v.potapov: qa_verified+
       v.potapov: secteam_verified?
       a.proklov: published+
Target Milestone: 2021.1 Fresh R12
Hardware: All
OS: Linux
URL: cve-2020-10735,CVE-2023-24329,CVE-2022-45061,CVE-2023-40217,CVE-2022-42919,CVE-2021-28861,CVE-2023-27043,CVE-2022-37454,CVE-2023-36632,CVE-2018-25032
Whiteboard:
Platform: 2021.1
ROSA Vulnerability identifier:
RPM Package:
ISO-related:
Bad POT generating:
Upstream:

Comment 1 Svyatoslav Matveev 2023-12-05 23:34:00 MSK
********** QA ADVISORY **********

CVE-2020-10735
CVE-2021-28861
CVE-2022-37454
CVE-2022-45061
CVE-2023-40217
CVE-2023-24329
closed by applying patches

CVE-2018-25032 relates to zlib

CVE-2023-27043 is unfinished
https://github.com/python/cpython/pull/111116#issuecomment-1785323606

CVE-2023-36632 is a disputed issue
https://github.com/python/cpython/issues/103800

CVE-2022-42919: not vulnerable in this version, nothing to remove.
https://github.com/python/cpython/commit/32b2d32481ca804f9fd065a3796b0e6ddc2cdcc3

*** python3
**  3.8.13 release +1

https://abf.io/build_lists/4857477
https://abf.io/build_lists/4857478
https://abf.io/build_lists/4857479
https://abf.io/build_lists/4857480
https://abf.io/build_lists/4857481

Comment 2 e.malashin@rosalinux.ru 2023-12-06 12:59:40 MSK
(In reply to Svyatoslav Matveev from comment #1)
> ********** QA ADVISORY **********
> 
> CVE-2020-10735
> CVE-2021-28861
> CVE-2022-37454
> CVE-2022-45061
> CVE-2023-40217
> CVE-2023-24329
> closed by applying patches
> 
> CVE-2018-25032 relates to zlib
> 
> CVE-2023-27043 is unfinished
> https://github.com/python/cpython/pull/111116#issuecomment-1785323606
> 
> CVE-2023-36632 is a disputed issue
> https://github.com/python/cpython/issues/103800
> 
> CVE-2022-42919: not vulnerable in this version, nothing to remove.
> https://github.com/python/cpython/commit/32b2d32481ca804f9fd065a3796b0e6ddc2cdcc3
> 
> *** python3
> **  3.8.13 release +1
> 
> https://abf.io/build_lists/4857477
> https://abf.io/build_lists/4857478
> https://abf.io/build_lists/4857479
> https://abf.io/build_lists/4857480
> https://abf.io/build_lists/4857481


The update was sent to testing.

Comment 3 Vladimir Potapov 2023-12-14 11:06:43 MSK
python3-3.8.13-6
https://abf.io/build_lists/4857477
https://abf.io/build_lists/4857478
https://abf.io/build_lists/4857479
https://abf.io/build_lists/4857480
https://abf.io/build_lists/4857481
**************************** Advisory ************************
CVEs closed by patches
**************************************************************
QA Verified