| Summary: | xml-security new security issue CVE-2013-4517 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | herman.viaene, olchal, pterjan, sysadmin-bugs |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | i586 | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/619479/ | | |
| Whiteboard: | has_procedure advisory MGA4-32-OK MGA4-64-OK | | |
| Source RPM: | xml-security-1.5.5-1.mga4.src.rpm | CVE: | |
| Status comment: | | | |
Description
David Walser
2014-11-07 20:59:07 CET

David Walser
2014-11-07 20:59:14 CET
Whiteboard: (none) => MGA4TOO, MGA3TOO

David Walser
2014-12-22 20:43:32 CET
Blocks: (none) => 14674

Removing Mageia 3 from the whiteboard due to EOL.

I've checked the update into Mageia 4 and Cauldron SVN. It needs to be submitted (and hopefully it can be built). For Mageia 4, this update will also need the log4j12 that D Morgan imported into Mageia 4 updates_testing.
Whiteboard: MGA4TOO, MGA3TOO => MGA4TOO

Removed from Cauldron for now as it's not needed by anything that's currently there.
Blocks: 14674 => (none)

Saving the advisory for later when this update actually gets built (the log4j12 package is built).

Advisory:
========================

Updated xml-security packages fix a security vulnerability:

Apache Santuario XML Security for Java before 1.5.6, when applying Transforms, allows remote attackers to cause a denial of service (memory consumption) via crafted Document Type Definitions (DTDs), related to signatures (CVE-2013-4517).

The log4j12 package has also been added to Mageia 4, as it was needed to build this update.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4517
https://lists.fedoraproject.org/pipermail/package-announce/2014-November/142709.html
========================

Updated packages in core/updates_testing:
========================
log4j12-1.2.17-1.mga4
log4j12-javadoc-1.2.17-1.mga4
xml-security-1.5.7-1.mga4
xml-security-javadoc-1.5.7-1.mga4
xml-security-demo-1.5.7-1.mga4

from SRPMS:
log4j12-1.2.17-1.mga4.src.rpm
xml-security-1.5.7-1.mga4.src.rpm

The attempted build for Mageia 4 is looping on the build system.

D Morgan
2014-12-25 19:26:48 CET
Assignee: dmorganec => luigiwalser

I'm gonna need help with this one. I think it has an issue installing the BRs.
Assignee: luigiwalser => dmorganec

I think I figured it out. In Mageia 4 it doesn't need to use log4j12 because log4j is at version 1.2.17, so it should just use that. Could someone please kill the xml-security build in mga4 updates_testing that's looping so that I can resubmit it? Also, remove log4j12 from Mageia 4 updates_testing. Thanks.
CC: (none) => sysadmin-bugs

Indeed, removed log4j12 and removed it from the upload queue. Thanks.

Now it fails to build:
http://pkgsubmit.mageia.org/uploads/failure/4/core/updates_testing/20141226001118.luigiwalser.valstar.24571/log/xml-security-1.5.7-1.mga4/build.0.20141226001249.log

It looks like it needs bouncycastle 1.50. I don't know what to do now.

It looks like I had synced changes into Mageia 4 from Fedora 21 instead of Fedora 20. I've fixed that and now it builds.

Updated package uploaded for Mageia 4.

Verifying that the updated packages install cleanly is sufficient for testing this update.

Advisory:
========================

Updated xml-security packages fix a security vulnerability:

Apache Santuario XML Security for Java before 1.5.6, when applying Transforms, allows remote attackers to cause a denial of service (memory consumption) via crafted Document Type Definitions (DTDs), related to signatures (CVE-2013-4517).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4517
https://lists.fedoraproject.org/pipermail/package-announce/2014-November/142709.html
========================

Updated packages in core/updates_testing:
========================
xml-security-1.5.7-1.mga4
xml-security-javadoc-1.5.7-1.mga4
xml-security-demo-1.5.7-1.mga4

from xml-security-1.5.7-1.mga4.src.rpm
CC: sysadmin-bugs => (none)

On Mageia4 x86_64 real hardware.

Updated current packages from:
xml-security-1.5.5-1.mga4
xml-security-javadoc-1.5.5-1.mga4
xml-security-demo-1.5.5-1.mga4

To testing packages:
xml-security-1.5.7-1.mga4
xml-security-javadoc-1.5.7-1.mga4
xml-security-demo-1.5.7-1.mga4

No installation issue.
Whiteboard: (none) => MGA4-64-OK

MGA4-32 on Acer D620 Xfce. Installed xml-security-1.5.7-1.mga4 over existing xml-security-1.5.5-1.mga4. Other packages were not present. No installation problems.
Whiteboard: MGA4-64-OK => MGA4-32-OK MGA4-64-OK

Validating. Advisory uploaded. Please push to updates. Thanks.
Whiteboard: MGA4-32-OK MGA4-64-OK => has_procedure advisory MGA4-32-OK MGA4-64-OK

An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2014-0558.html
Resolution: (none) => FIXED

For accounting purposes, this was reintroduced in Cauldron. It is version 1.5.7, so it's OK.