Bug 14039

Summary:	cas-client new security issue CVE-2014-4172
Product:	Mageia	Reporter:	David Walser <luigiwalser>
Component:	Security	Assignee:	D Morgan <dmorganec>
Status:	RESOLVED FIXED	QA Contact:	Sec team <security>
Severity:	critical
Priority:	Normal	CC:	mageia
Version:	Cauldron
Target Milestone:	---
Hardware:	i586
OS:	Linux
URL:	http://lwn.net/Vulnerabilities/610402/
Whiteboard:
Source RPM:	cas-client-3.2.1-5.mga5.src.rpm	CVE:
Status comment:

Description David Walser 2014-09-02 20:42:58 CEST

Fedora has issued an advisory on August 21:
https://lists.fedoraproject.org/pipermail/package-announce/2014-August/137182.html

This package is only in Cauldron.

To sync this commit:
http://pkgs.fedoraproject.org/cgit/cas-client.git/commit/?id=28f88f7127e3b8f0ca23dc20ce321619b23f3229

We'll need to import log4j12:
http://pkgs.fedoraproject.org/cgit/log4j12.git
http://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/source/SRPMS/l/log4j12-1.2.17-6.fc22.src.rpm

and then update to 3.3.3 to fix the CVE:
http://pkgs.fedoraproject.org/cgit/cas-client.git/commit/?id=162ff6d95ccf23b84bf5ea0ba981aab79d1b7ecc

Reproducible: 

Steps to Reproduce:

Comment 1 Sander Lepik 2014-11-29 15:52:37 CET

Dropped from cauldron.

Status: NEW => RESOLVED
CC: (none) => mageia
Resolution: (none) => OLD

Comment 2 David Walser 2014-11-29 16:07:48 CET

Reopening for now.  This is dropped in Cauldron.  Keeping this bug around just in case someone brings it back, but if someone brings anything back, they really should resync it with F21 first.

Status: RESOLVED => REOPENED
Resolution: OLD => (none)

Comment 3 David Walser 2015-03-11 19:29:55 CET

Closing again.  This won't be reintroduced for Mageia 5.

Status: REOPENED => RESOLVED
Resolution: (none) => FIXED