Bug 15557

Summary: opensaml-java missing updates for several security issues
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: D Morgan <dmorganec>
Status: RESOLVED OLD QA Contact: Sec team <security>
Severity: normal    
Priority: Normal    
Version: 4   
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/653879/
Whiteboard:
Source RPM: opensaml-java-2.5.3-6.mga4.src.rpm CVE:
Status comment:

Description David Walser 2015-03-23 15:16:51 CET 
Shibboleth upstream has issued several advisories for the Shibboleth Identity Provider that indicate that the actual security vulnerabilities were in the bundled opensaml-java, which we have packaged separately (to my knowledge we don't have the Shibboleth IdP packaged):
https://shibboleth.net/community/advisories/secadv_20131213.txt
https://shibboleth.net/community/advisories/secadv_20140813.txt
https://shibboleth.net/community/advisories/secadv_20140919.txt
https://shibboleth.net/community/advisories/secadv_20150225.txt

Fixing all of these would require updating opensaml-java to 2.6.5.  Fedora hasn't addressed a single one of these issues and is still using 2.5.3, so this appears to be another Java package in Fedora that's not being properly maintained.  Fortunately, we have dropped it in Cauldron.

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2015-08-07 21:38:28 CEST 
Fedora has issued an advisory for the secadv_20140813 issue (CVE-2014-3603) on June 20:
https://lists.fedoraproject.org/pipermail/package-announce/2015-August/163154.html

URL: (none) => http://lwn.net/Vulnerabilities/653879/

Comment 2 David Walser 2015-09-02 17:37:29 CEST 
With only a couple of weeks remaining in Mageia 4's lifetime, we don't have time to fix this and test it.  This package has been dropped and no longer exists in Mageia as of Mageia 5.  Closing this as OLD.

Status: NEW => RESOLVED
Resolution: (none) => OLD