Bug 13342

Summary: struts new security issue CVE-2014-0114
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: sysadmin-bugs, tmb
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/597671/
Whiteboard: MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
Source RPM: struts-1.3.10-4.mga4.src.rpm CVE:
Status comment:

Description David Walser 2014-05-07 22:56:59 CEST 
RedHat has issued an advisory today (May 7):
https://rhn.redhat.com/errata/RHSA-2014-0474.html

Mageia 3 and Mageia 4 are also affected.

Reproducible: 

Steps to Reproduce:
David Walser 2014-05-07 22:57:07 CEST

Whiteboard: (none) => MGA4TOO, MGA3TOO

Comment 1 David Walser 2014-05-13 15:20:15 CEST 
Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated struts packages fix security vulnerability:

It was found that the Struts 1 ActionForm object allowed access to the
'class' parameter, which is directly mapped to the getClass() method. A
remote attacker could use this flaw to manipulate the ClassLoader used by
an application server running Struts 1. This could lead to remote code
execution under certain conditions (CVE-2014-0114).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0114
https://rhn.redhat.com/errata/RHSA-2014-0474.html
========================

Updated packages in core/updates_testing:
========================
struts-1.3.10-3.1.mga3
struts-javadoc-1.3.10-3.1.mga3
struts-1.3.10-4.1.mga4
struts-javadoc-1.3.10-4.1.mga4

from SRPMS:
struts-1.3.10-3.1.mga3.src.rpm
struts-1.3.10-4.1.mga4.src.rpm

Version: Cauldron => 4
Assignee: dmorganec => qa-bugs
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO

Comment 2 claire robinson 2014-05-13 18:29:15 CEST 
Testing complete mga4 64

No idea how to test this one. As with many other java packages, just ensuring packages update cleanly.

Whiteboard: MGA3TOO => MGA3TOO has_procedure mga4-64-ok

Comment 3 claire robinson 2014-05-13 18:33:54 CEST 
Advisory uploaded.

Whiteboard: MGA3TOO has_procedure mga4-64-ok => MGA3TOO has_procedure advisory mga4-64-ok

Comment 4 claire robinson 2014-05-14 10:58:29 CEST 
Tested all the rest too.

Validating. Could sysadmin please push to 3 & 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure advisory mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 5 Thomas Backlund 2014-05-15 00:21:12 CEST 
Update pushed:
http://advisories.mageia.org/MGASA-2014-0219.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED