| Summary: | cxf new security issue CVE-2013-2160 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | davidwhodgins, dmorganec, sysadmin-bugs, tmb |
| Version: | 3 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/563134/ | ||
| Whiteboard: | advisory MGA3-64-OK MGA3-32-OK | ||
| Source RPM: | cxf-2.6.3-5.mga3.src.rpm, jacorb-2.3.1-3.20120215git.2.mga3.src.rpm, wss4j-1.6.7-2.mga3.src.rpm | CVE: | |
| Status comment: | |||
Description

David Walser 2013-08-12 20:00:25 CEST

David Walser 2013-08-12 20:00:35 CEST
Whiteboard: (none) => MGA3TOO, MGA2TOO

Done for Mageia 3. Are you sure mga2 is affected? As we don't have cxf.

As you can see, Fedora issued updates for jacorb and wss4j because of this as well, presumably because they have an embedded copy of cxf. Mageia 2 contains the jacorb package. I see you did update jacorb for Mageia 3, so please update it for Mageia 2 also if it is also affected. Also, I see Cauldron still hasn't been updated for these fixes.

Packages built so far:
cxf-2.6.9-1.mga3
cxf-javadoc-2.6.9-1.mga3
cxf-api-2.6.9-1.mga3
cxf-maven-plugins-2.6.9-1.mga3
cxf-rt-2.6.9-1.mga3
cxf-services-2.6.9-1.mga3
cxf-tools-2.6.9-1.mga3
jacorb-2.3.1-4.mga3
jacorb-javadoc-2.3.1-4.mga3
wss4j-1.6.10-1.mga3
wss4j-javadoc-1.6.10-1.mga3

from SRPMS:
cxf-2.6.9-1.mga3.src.rpm
jacorb-2.3.1-4.mga3.src.rpm
wss4j-1.6.10-1.mga3.src.rpm

David Walser 2013-11-21 23:05:17 CET
Blocks: (none) => 11726

Removing Mageia 2 from the whiteboard due to EOL.
Whiteboard: MGA3TOO, MGA2TOO => MGA3TOO

jacorb in Cauldron still needs the same update that Mageia 3 has in SVN. cxf and wss4j in Cauldron have now been fixed in:
cxf-2.7.5-2.mga4
wss4j-1.6.10-3.mga4

Fixed now in Cauldron for jacorb.

Thanks D Morgan. jacorb fixed in jacorb-2.3.1-5.mga4.
Version: Cauldron => 3

Note to QA, verifying that these install should be sufficient.

Advisory:
========================

Updated cxf, wss4j, and jacorb packages fix security vulnerability:

Multiple denial of service flaws were found in the way the StAX parser implementation of Apache CXF, an open-source web services framework, performed processing of certain XML files. If a web service application utilized the services of the StAX parser, a remote attacker could provide a specially-crafted XML file that, when processed by the application, would lead to excessive system resource (CPU cycles, memory) consumption by that application (CVE-2013-2160).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2160
http://cxf.apache.org/security-advisories.data/CVE-2013-2160.txt.asc?version=1&modificationDate=1372324301037
https://lists.fedoraproject.org/pipermail/package-announce/2013-August/113793.html
https://lists.fedoraproject.org/pipermail/package-announce/2013-August/113792.html
https://lists.fedoraproject.org/pipermail/package-announce/2013-August/113791.html
========================

Updated packages in core/updates_testing:
========================
cxf-2.6.9-1.mga3
cxf-javadoc-2.6.9-1.mga3
cxf-api-2.6.9-1.mga3
cxf-maven-plugins-2.6.9-1.mga3
cxf-rt-2.6.9-1.mga3
cxf-services-2.6.9-1.mga3
cxf-tools-2.6.9-1.mga3
jacorb-2.3.1-4.mga3
jacorb-javadoc-2.3.1-4.mga3
wss4j-1.6.10-1.mga3
wss4j-javadoc-1.6.10-1.mga3

from SRPMS:
cxf-2.6.9-1.mga3.src.rpm
jacorb-2.3.1-4.mga3.src.rpm
wss4j-1.6.10-1.mga3.src.rpm

CC: (none) => dmorganec

As per comment 8, just testing that the packages install cleanly. Testing complete on Mageia 3 i586 and x86_64, and advisory uploaded to svn. Someone from the sysadmin team please push 10986.adv to updates.
Keywords: (none) => validated_update

Update pushed: http://advisories.mageia.org/MGASA-2014-0001.html
Status: NEW => RESOLVED
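The advisory above describes the bug class, not the fix: a streaming (StAX-style) parser that accepts arbitrarily deep nesting, attribute floods or huge text nodes lets one crafted message burn CPU and memory. The mitigation CXF shipped in the fixed releases is to bound those quantities while parsing. The following is an added illustration of that technique in Python, written for this page; it is not CXF's code, not part of the Mageia update, and the limit names, default values and sample documents are all chosen here (the documents are constructed, not captured traffic). It uses the standard library expat binding and aborts the parse as soon as a bound is crossed, so a hostile document costs at most the work done up to the limit.

```python
"""Bounded streaming XML parse that rejects the resource-exhaustion shapes
(deep nesting, attribute floods, oversized text) described in the advisory.
Illustrative example only: limit names and defaults are chosen for this demo
and are not taken from Apache CXF."""
import xml.parsers.expat

# Demo limits (assumed values); a real deployment tunes these to its messages.
DEFAULT_LIMITS = {
    "max_element_depth": 100,
    "max_child_elements": 10_000,
    "max_attribute_count": 100,
    "max_text_length": 64 * 1024,
    "max_xml_bytes": 4 * 1024 * 1024,
}


class XmlLimitExceeded(ValueError):
    """Raised as soon as a document crosses a configured bound."""


class BoundedXmlParser:
    def __init__(self, limits=None):
        self.limits = dict(DEFAULT_LIMITS, **(limits or {}))
        self.depth = 0
        self.max_depth_seen = 0
        self.elements = 0
        self.child_counts = []   # stack: children seen under each open element
        self.text_lengths = []   # stack: text accumulated under each open element

    def _start(self, name, attrs):
        # Attribute flood: expat hands us the whole attribute dict per element.
        if len(attrs) > self.limits["max_attribute_count"]:
            raise XmlLimitExceeded(f"<{name}> has {len(attrs)} attributes")
        self.depth += 1
        self.max_depth_seen = max(self.max_depth_seen, self.depth)
        if self.depth > self.limits["max_element_depth"]:
            raise XmlLimitExceeded(f"nesting depth {self.depth} exceeds limit")
        if self.child_counts:
            self.child_counts[-1] += 1
            if self.child_counts[-1] > self.limits["max_child_elements"]:
                raise XmlLimitExceeded("too many child elements under one parent")
        self.elements += 1
        self.child_counts.append(0)
        self.text_lengths.append(0)

    def _end(self, name):
        self.depth -= 1
        self.child_counts.pop()
        self.text_lengths.pop()

    def _chars(self, data):
        # Text arrives in chunks; accumulate per open element and bound it.
        if self.text_lengths:
            self.text_lengths[-1] += len(data)
            if self.text_lengths[-1] > self.limits["max_text_length"]:
                raise XmlLimitExceeded("text node too long")

    def parse(self, data):
        if len(data) > self.limits["max_xml_bytes"]:
            raise XmlLimitExceeded(f"document is {len(data)} bytes")
        p = xml.parsers.expat.ParserCreate()
        p.StartElementHandler = self._start
        p.EndElementHandler = self._end
        p.CharacterDataHandler = self._chars
        p.Parse(data, True)   # an exception from a handler aborts the parse
        return {"elements": self.elements, "max_depth": self.max_depth_seen}


def check_xml(data, limits=None):
    """Return ("ok", stats), ("rejected", reason) or ("malformed", reason)."""
    try:
        return "ok", BoundedXmlParser(limits).parse(data)
    except XmlLimitExceeded as e:
        return "rejected", str(e)
    except xml.parsers.expat.ExpatError as e:
        return "malformed", str(e)


# Constructed sample inputs for the demo (not captured traffic).
BENIGN_SOAP = (b'<?xml version="1.0"?>'
               b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
               b'<soap:Body><getQuote><symbol>MGA</symbol></getQuote></soap:Body>'
               b'</soap:Envelope>')
DEEP_NESTING = b"<a>" * 500 + b"</a>" * 500
ATTRIBUTE_FLOOD = b"<a " + b" ".join(b"k%d='v'" % i for i in range(300)) + b"/>"

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN_SOAP), ("deep", DEEP_NESTING),
                       ("attrs", ATTRIBUTE_FLOOD)]:
        print(label, check_xml(doc))
```

The benign SOAP envelope passes with four elements at depth four, while the 500-deep document and the 300-attribute element are rejected on the first offending start tag rather than after the whole input has been consumed; that early abort is the point of putting the bounds inside the parser instead of validating the tree afterwards.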