Bug 15051

Summary: owasp-esapi-java new security issue CVE-2013-5960
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: D Morgan <dmorganec>
Status: RESOLVED OLD QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: geiger.david68210, mageia, pterjan
Version: 4   
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/629679/
Whiteboard:
Source RPM: owasp-esapi-java-2.0.1-10.mga5.src.rpm CVE:
Status comment:
Bug Depends on: 15254    
Bug Blocks:    

Description David Walser 2015-01-15 18:32:59 CET
Fedora has issued advisories on January 7:
https://lists.fedoraproject.org/pipermail/package-announce/2015-January/148092.html
https://lists.fedoraproject.org/pipermail/package-announce/2015-January/148081.html

They fixed it by updating to 2.1.0.

Note that it should BR log4j on Mageia 4 and log4j12 on Cauldron.

Mageia 4 is also affected.

Reproducible: 

Steps to Reproduce:
David Walser 2015-01-15 18:33:19 CET

CC: (none) => pterjan
Blocks: (none) => 14674
Whiteboard: (none) => MGA4TOO

Comment 1 David Walser 2015-02-10 12:17:05 CET
owasp-esapi-java-2.1.0-1.mga5 uploaded for Cauldron.

CC: (none) => geiger.david68210
Version: Cauldron => 4
Blocks: 14674 => (none)
Whiteboard: MGA4TOO => (none)

Comment 2 David Walser 2015-02-10 14:51:04 CET
The 2.1.0 update actually only addresses CVE-2013-5679.  The CVE-2013-5960 issue is currently only fixed in SVN and will be fixed in the 2.1.1 release (not available yet).

I see at least these commits relevant to it:
https://code.google.com/p/owasp-esapi-java/source/detail?r=1908
https://code.google.com/p/owasp-esapi-java/source/detail?r=1909
https://code.google.com/p/owasp-esapi-java/source/detail?r=1949
David Walser 2015-02-10 14:52:01 CET

Blocks: (none) => 15254

Comment 3 David Walser 2015-02-10 14:53:19 CET
I've cloned to Bug 15254 to handle the Mageia 4 update for CVE-2013-5679.

This bug will now be for CVE-2013-5960, which will have to be addressed later.

Version: 4 => Cauldron
Blocks: 15254 => (none)
Depends on: (none) => 15254
Summary: owasp-esapi-java new security issues CVE-2013-5679 and CVE-2013-5960 => owasp-esapi-java new security issue CVE-2013-5960
Whiteboard: (none) => MGA4TOO

Comment 4 David Walser 2015-05-04 23:45:40 CEST
Dropped from Cauldron as it's not needed by anything there.

Version: Cauldron => 4
Whiteboard: MGA4TOO => (none)

Comment 5 Nicolas Lécureuil 2015-05-11 00:48:54 CEST
changes were in 4 svn but not in the repo ( i don't know why ).

I pushed i and it build.

CC: (none) => mageia

Comment 6 David Walser 2015-05-11 00:56:13 CEST
2.1.0 in SVN was already pushed as an update fixing CVE-2013-5679 as I said in Comment 3.  CVE-2013-5960 was not fixed by that, it's only fixed in upstream's version control repository.
Comment 7 Nicolas Lécureuil 2015-05-11 00:57:21 CEST
sorry :) looking now for CVE-2013-5960
Comment 8 David Walser 2015-09-02 17:36:47 CEST
With only a couple of weeks remaining in Mageia 4's lifetime, we don't have time to fix this and test it.  This package has been dropped and no longer exists in Mageia as of Mageia 5.  Closing this as OLD.

Status: NEW => RESOLVED
Resolution: (none) => OLD