| Summary: | openjpa new security issue CVE-2013-1768 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | dmorganec, sysadmin-bugs, tmb |
| Version: | 3 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | i586 | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/560007/ | | |
| Whiteboard: | MGA2TOO has_procedure mga3-32-ok mga3-64-ok mga2-32-ok mga2-64-ok | | |
| Source RPM: | openjpa-2.2.1-2.mga4.src.rpm | CVE: | |
| Status comment: | | | |
Description
David Walser
2013-07-22 19:44:28 CEST

David Walser
2013-07-22 19:44:35 CEST
Whiteboard: (none) => MGA3TOO, MGA2TOO

Fixed in Cauldron in openjpa-2.2.1-3.mga4.

Patched package uploaded for Mageia 3, openjpa-2.2.0-3.1.mga3, which provides:
openjpa-2.2.0-3.1.mga3
openjpa-tools-2.2.0-3.1.mga3
openjpa-javadoc-2.2.0-3.1.mga3

I found an upstream patch for 2.0.0 for Mageia 2 linked from here:
http://seclists.org/fulldisclosure/2013/Jun/98

I added it in SVN, but it fails to build with this patch:
http://pkgsubmit.mageia.org/uploads/failure/2/core/updates_testing/20130822211956.luigiwalser.valstar.387/log/openjpa-2.0.0-1.1.mga2/build.0.20130822212005.log

Version: Cauldron => 3

I don't know if it's important, but the patches to 2.2.0 and 2.2.1 have a change to openjpa-slice/src/main/java/org/apache/openjpa/slice/jdbc/DistributedJDBCConfigurationImpl.java that isn't in the patch for 2.0.0 (the rest of the patches are the same):
@@ -260,7 +260,7 @@
public QueryTargetPolicy getQueryTargetPolicyInstance() {
if (queryTargetPolicyPlugin.get() == null) {
- queryTargetPolicyPlugin.instantiate(ReplicationPolicy.class,
+ queryTargetPolicyPlugin.instantiate(QueryTargetPolicy.class,
this, true);
}
return (QueryTargetPolicy) queryTargetPolicyPlugin.get();
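Review bot: the class passed to instantiate() in getQueryTargetPolicyInstance() now agrees with the (QueryTargetPolicy) cast on the return line, where the old line asked the plugin for a ReplicationPolicy instead; this is a type-consistency fix in the slice configuration code and is not obviously part of the JSP/logging change the advisory describes, so its absence from the 2.0.0 backport is not by itself a sign that the CVE fix is incomplete there. Two things worth confirming on the backport: whether 2.0.0's getQueryTargetPolicyInstance() carries the same ReplicationPolicy.class argument (if so, port this hunk as well, it is a one-line change), and whether ReplicationPolicy is still referenced elsewhere in DistributedJDBCConfigurationImpl.java so that its import does not become unused after this change.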
I don't think that's the cause of the build error though, that looks like maybe a missing BuildRequires.

built OK, ready for QA

D Morgan
2013-09-30 12:58:41 CEST
Assignee: dmorganec => security

Thanks D Morgan!

Advisory:
========================

Updated openjpa packages fix security vulnerability:

The BrokerFactory functionality in Apache OpenJPA before 2.2.2 creates local executable JSP files containing logging trace data produced during deserialization of certain crafted OpenJPA objects, which makes it easier for remote attackers to execute arbitrary code by creating a serialized object and leveraging improperly secured server programs (CVE-2013-1768).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1768
https://lists.fedoraproject.org/pipermail/package-announce/2013-July/112029.html
========================

Updated packages in core/updates_testing:
========================
openjpa-2.0.0-1.1.mga2
openjpa-javadoc-2.0.0-1.1.mga2
openjpa-2.2.0-3.1.mga3
openjpa-tools-2.2.0-3.1.mga3
openjpa-javadoc-2.2.0-3.1.mga3

from SRPMS:
openjpa-2.0.0-1.1.mga2.src.rpm
openjpa-2.2.0-3.1.mga3.src.rpm

CC: (none) => dmorganec

No PoC and requires Java programming knowledge to test. Ensuring it updates without issues should be enough in this case.

Whiteboard: MGA2TOO => MGA2TOO has_procedure

Testing complete mga3 32 & 64

Whiteboard: MGA2TOO has_procedure => MGA2TOO has_procedure mga3-32-ok mga3-64-ok

Testing complete mga2 32 & 64

Whiteboard: MGA2TOO has_procedure mga3-32-ok mga3-64-ok => MGA2TOO has_procedure mga3-32-ok mga3-64-ok mga2-32-ok mga2-64-ok

Validating. Advisory 10817.adv uploaded.

Could sysadmin please push from 2 & 3 core/updates_testing to updates

Thanks!

Keywords: (none) => validated_update

Update pushed: http://advisories.mageia.org/MGASA-2013-0292.html

Status: NEW => RESOLVED
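The QA note in this report says that, with no PoC available, the practical test is to make sure the update installs cleanly. The one check that is easy to get wrong by eye is the version comparison itself: the fixed releases here differ from the old ones only by an extra ".1" segment (3.mga3 vs 3.1.mga3, 1.mga2 vs 1.1.mga2), so a plain string or tuple comparison can misjudge them. The script below is an added example, not code from this bug report, from Mageia's tooling or from OpenJPA; it reimplements rpm's segment-wise version ordering (the rpmvercmp rules) in Python and uses it to check `rpm -q` output against the fixed version-release pairs listed in the advisory. The fixed versions are taken from the report; the `rpm -q` output it runs on is constructed for illustration.

```python
"""Added example, not code from the Mageia bug report or from OpenJPA.

Implements rpm's version-ordering rules (rpmvercmp) in plain Python and
checks `rpm -q` output against the fixed openjpa versions from the advisory
for CVE-2013-1768, offline. The sample `rpm -q` output is constructed."""
import re

# Fixed (version, release) per Mageia release, from the advisory in the report.
# All three subpackages are built from the same source RPM and share it.
FIXED_VR = {
    "mga2": ("2.0.0", "1.1.mga2"),
    "mga3": ("2.2.0", "3.1.mga3"),
}
SUBPACKAGES = {"openjpa", "openjpa-tools", "openjpa-javadoc"}

# A version string is read as runs of digits, runs of letters, and '~';
# every other character is a separator and is ignored, as rpm does.
_SEGMENT = re.compile(r"[0-9]+|[a-zA-Z]+|~")


def rpmvercmp(a, b):
    """Order two version (or release) strings the way rpm does.

    Segments are compared pairwise: numbers numerically (leading zeros are
    dropped), letters lexically; a numeric segment outranks an alphabetic one;
    '~' sorts below anything, including the end of the string, so
    2.0.0~rc1 < 2.0.0; otherwise the string with segments left over is the
    newer one. Returns -1, 0 or 1."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    while sa or sb:
        x = sa.pop(0) if sa else None
        y = sb.pop(0) if sb else None
        if x == "~" or y == "~":        # tilde: lower than everything
            if x != "~":
                return 1
            if y != "~":
                return -1
            continue
        if x is None:                   # a ran out of segments first
            return -1
        if y is None:                   # b ran out of segments first
            return 1
        if x.isdigit() and y.isdigit():
            c = (int(x) > int(y)) - (int(x) < int(y))
        elif x.isdigit():               # number beats letters
            c = 1
        elif y.isdigit():
            c = -1
        else:
            c = (x > y) - (x < y)
        if c:
            return c
    return 0


def split_nvr(nvr):
    """'openjpa-tools-2.2.0-3.1.mga3' -> ('openjpa-tools', '2.2.0', '3.1.mga3')."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def is_fixed(nvr):
    """True if the installed package is at or above the advisory's fixed
    version-release. The .mgaN tag of the release picks the Mageia release."""
    name, version, release = split_nvr(nvr)
    if name not in SUBPACKAGES:
        raise ValueError("not an openjpa package: " + nvr)
    tag = re.search(r"\.(mga[0-9]+)$", release)
    if not tag or tag.group(1) not in FIXED_VR:
        raise ValueError("unknown distribution tag in " + nvr)
    fixed_v, fixed_r = FIXED_VR[tag.group(1)]
    # Compare the version first; only on a tie does the release decide.
    return (rpmvercmp(version, fixed_v) or rpmvercmp(release, fixed_r)) >= 0


def audit(rpm_q_output):
    """Map each installed openjpa NVR in `rpm -q` output to True (fixed) or
    False (still vulnerable). 'package ... is not installed' lines are skipped."""
    result = {}
    for line in rpm_q_output.splitlines():
        line = line.strip()
        if not line or line.startswith("package "):
            continue
        result[line] = is_fixed(line)
    return result


# Constructed sample: `rpm -q openjpa openjpa-tools openjpa-javadoc` output
# collected from several Mageia 2 and Mageia 3 hosts and concatenated.
SAMPLE_RPM_Q = """\
openjpa-2.2.0-3.mga3
openjpa-tools-2.2.0-3.1.mga3
openjpa-javadoc-2.0.0-1.mga2
package openjpa-tools is not installed
"""

if __name__ == "__main__":
    for nvr, ok in audit(SAMPLE_RPM_Q).items():
        print(("fixed      " if ok else "VULNERABLE "), nvr)
```

On a real host, feed it the output of `rpm -q openjpa openjpa-tools openjpa-javadoc` instead of the constructed sample. Epoch handling is left out on purpose: the openjpa packages in the report carry none, and a host where `rpm -q` prints an epoch prefix should be compared with `rpm --eval` or `rpmdev-vercmp` rather than this script.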