Bug 14128

Summary: apache-poi new security issues CVE-2014-3529 and CVE-2014-3574
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: herman.viaene, mageia, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/612578/
Whiteboard: advisory MGA4-32-OK MGA4-64-OK
Source RPM: apache-poi-3.9-2.mga4.src.rpm CVE:
Status comment:

Description David Walser 2014-09-19 17:16:31 CEST 
Fedora has issued an advisory on September 9:
https://lists.fedoraproject.org/pipermail/package-announce/2014-September/137802.html

Mageia 3 and Mageia 4 are also affected.

Reproducible: 

Steps to Reproduce:
David Walser 2014-09-19 17:16:37 CEST

Whiteboard: (none) => MGA4TOO, MGA3TOO

Comment 1 Sander Lepik 2014-11-29 16:05:34 CET 
Dropped from cauldron.

Whiteboard: MGA4TOO, MGA3TOO => (none)
Version: Cauldron => 4
CC: (none) => mageia

Comment 2 David Walser 2014-12-24 22:43:34 CET 
Probably on its way back to Cauldron, but it has been re-synced with Fedora 21 in Cauldron SVN, updating it to 3.10.1 and fixing this.

Update synced with Fedora 20 checked into Mageia 4 SVN.
Comment 3 David Walser 2014-12-24 23:43:32 CET 
Updated package uploaded for Mageia 4.

Verifying that the updated packages install cleanly is sufficient for testing this update.

Advisory:
========================

Updated apache-poi packages fixes security vulnerability:

It was found that Apache POI would resolve entities in OOXML documents. A
remote attacker able to supply OOXML documents that are parsed by Apache POI
could use this flaw to read files accessible to the user running the
application server, and potentially perform other more advanced XXE attacks
(CVE-2014-3529).

It was found that Apache POI would expand an unlimited number of entities in
OOXML documents. A remote attacker able to supply OOXML documents that are
parsed by Apache POI could use this flaw to trigger a denial of service
attack via excessive CPU and memory consumption (CVE-2014-3574).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3529
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3574
https://lists.fedoraproject.org/pipermail/package-announce/2014-September/137802.html
========================

Updated package in core/updates_testing:
========================
apache-poi-3.10.1-1.mga4
apache-poi-javadoc-3.10.1-1.mga4
apache-poi-manual-3.10.1-1.mga4

from apache-poi-3.10.1-1.mga4.src.rpm

Assignee: dmorganec => qa-bugs

Comment 4 Herman Viaene 2014-12-26 10:58:56 CET 
MGA4-64 on HP Probook 6555b KDE.
Found out that the apache-poi-3.10.1-1.mga4 was already installed (most probably from testing bug 13870 - resteasy), so the javadoc and manual were installed now. No issues.

Whiteboard: (none) => MGA4-64-OK
CC: (none) => herman.viaene

Comment 5 Herman Viaene 2014-12-26 11:03:55 CET 
MGA4-32 on Acer D620 Xfce.
Same remark as above, no installation issues.

Whiteboard: MGA4-64-OK => MGA4-32-OK MGA4-64-OK

Comment 6 claire robinson 2014-12-26 11:12:46 CET 
Validating. Advisory uploaded.

Please push to updates

Thanks

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA4-32-OK MGA4-64-OK => advisory MGA4-32-OK MGA4-64-OK

Comment 7 Mageia Robot 2014-12-26 18:05:48 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0550.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED