Advisories » MGASA-2019-0065

Updated python-marshmallow packages fix security vulnerability

Publication date: 13 Feb 2019
Modification date: 13 Feb 2019
Type: security
Affected Mageia releases : 6
CVE: CVE-2018-17175

Description

In the marshmallow library before 2.15.1 for Python, the schema "only"
option treats an empty list as implying no "only" option, which allows a
request that was intended to expose no fields to instead expose all fields
(if the schema is being filtered dynamically using the "only" option, and
there is a user role that produces an empty value for "only")
(CVE-2018-17175).
                

References

• https://bugs.mageia.org/show_bug.cgi?id=23703
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/GCKZAADQI7JJ3ZUN7DSIR2JH3VZEJZDM/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17175

SRPMS

6/core

• python-marshmallow-2.2.1-0.5.gitea1def9.mga6