| Summary: | xstream new security issue CVE-2013-7285 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | dmorganec, ennael1, sysadmin-bugs, tmb |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/588035/ | ||
| Whiteboard: | MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok | ||
| Source RPM: | xstream-1.4.5-1.mga4.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2014-02-24 23:01:47 CET
David Walser
2014-02-24 23:01:53 CET
Whiteboard:
(none) =>
MGA4TOO, MGA3TOO I added the patch for Mageia 3 in SVN. For Cauldron and Mageia 4, I synced the package with Fedora. It adds a new BuildRequires (kxml2-min) that requires the kxml package to be updated, which I also synced with Fedora in SVN to fix this. However, kxml does not build in Cauldron: http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20140224223117.luigiwalser.valstar.11244/log/kxml-2.3.0-6.mga5/build.0.20140224223203.log D Morgan noticed a typo in my kxml commit, so things are building now. Version:
Cauldron =>
4 Updated packages uploaded for Mageia 4 and Cauldron. Patched package uploaded for Mageia 3. Note to QA: verifying that the updated packages install correctly should be sufficient for testing this update. They're also noarch, so should only require testing on one arch. Advisory: ======================== Updated xstream packages fix security vulnerability: It was found that XStream would deserialize arbitrary user-supplied XML content, representing objects of any type. A remote attacker able to pass XML to XStream could use this flaw to perform a variety of attacks, including remote code execution in the context of the server running the XStream application (CVE-2013-7285). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7285 http://xstream.codehaus.org/security.html https://lists.fedoraproject.org/pipermail/package-announce/2014-February/128807.html ======================== Updated packages in core/updates_testing: ======================== xstream-1.3.1-6.1.mga3 xstream-javadoc-1.3.1-6.1.mga3 kxml-2.3.0-5.1.mga4 kxml-javadoc-2.3.0-5.1.mga4 xstream-1.4.7-1.mga4 xstream-javadoc-1.4.7-1.mga4 from SRPMS: xstream-1.3.1-6.1.mga3.src.rpm kxml-2.3.0-5.1.mga4.src.rpm xstream-1.4.7-1.mga4.src.rpm CC:
(none) =>
dmorganec Testing complete mga3 32 & 64 Just ensuring the packages update cleanly. Whiteboard:
MGA3TOO =>
MGA3TOO has_procedure mga3-32-ok mga3-64-ok Testing complete on mageia 4 32 and 64 CC:
(none) =>
ennael1 Update validated. Thanks. Advisory: Updated xstream packages fix security vulnerability: It was found that XStream would deserialize arbitrary user-supplied XML content, representing objects of any type. A remote attacker able to pass XML to XStream could use this flaw to perform a variety of attacks, including remote code execution in the context of the server running the XStream application (CVE-2013-7285). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7285 http://xstream.codehaus.org/security.html https://lists.fedoraproject.org/pipermail/package-announce/2014-February/128807.html SRPM: xstream-1.3.1-6.1.mga3.src.rpm kxml-2.3.0-5.1.mga4.src.rpm xstream-1.4.7-1.mga4.src.rpm Could sysadmin please push from core/updates_testing to core/updates for both mageia 3 and 4? Thank you! Keywords:
(none) =>
validated_update
claire robinson
2014-02-25 09:34:41 CET
Whiteboard:
MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok =>
MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok Advisory uploaded. Update pushed: http://advisories.mageia.org/MGASA-2014-0100.html Status:
NEW =>
RESOLVED |