| Summary: | netty new security issue CVE-2015-2156 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | D Morgan <dmorganec> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | ennael1, geiger.david68210, pterjan |
| Version: | Cauldron | | |
| Target Milestone: | --- | | |
| Hardware: | i586 | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/646891/ | | |
| Whiteboard: | | | |
| Source RPM: | netty-4.0.19-2.mga5.src.rpm | CVE: | |
| Status comment: | | | |
| Attachments: | patch to disable testing subpackage of hibernate4 | | |
Description

David Walser 2015-05-17 18:30:02 CEST

David Walser 2015-05-17 18:30:26 CEST
CC: (none) => geiger.david68210, pterjan

I guess netty is another bitrotting Java package in Fedora. I can't check BuildRequires because these packages have too many Provides, but as far as Requires go, netty is only required by hornetq, which is only required by narayana, which is only required by the hibernate4-testing subpackage of hibernate4, which it's possible to disable (and it is not required by anything). So it *might* be possible to drop all of those.

I also noticed that we have a duplicate package between txw2 and sun-txw2; they are the same thing, same version, same provides. txw2 is the correct name according to Fedora, so I've asked for a freeze push for txw2 obsoleting sun-txw2.

I also noticed that servletapi4 appears to be something that should have been obsoleted by glassfish-servlet-api, but their provides are the same names with different versions (2.3 vs. 3.1.0), and servletapi4 is explicitly required by xt-demo1 (which isn't required by anything). They aren't buildrequire'd by anything, so they should be dropped. I obsoleted them in glassfish-servlet-api and asked for a freeze push.

Created attachment 6574 [details]
patch to disable testing subpackage of hibernate4

hibernate4 builds fine locally with this patch, disabling the testing subpackage.

```
=== rpms that will have to be deleted ===
hibernate-hql
hibernate-search
hibernate4
hornetq
infinispan
ironjacamar
jastow
narayana
netty
picketbox
resteasy
undertow
xstream: losing ["xstream-hibernate"], remaining ["xstream", "xstream", "xstream-benchmark", "xstream-benchmark", "xstream-javadoc", "xstream-javadoc", "xstream-parent", "xstream-parent"]
```

Some of the build dependencies leading to this list (which considers dropping the full hibernate4):

```
==== Looking up src.rpm depending on narayana:
hornetq infinispan hibernate4
==== Looking up src.rpm depending on netty:
undertow hornetq resteasy
==== Looking up src.rpm depending on infinispan:
hibernate-search infinispan picketbox hibernate4 resteasy
```

Thanks, so it's not do-able right now.

Luckily Fedora has a fix for this package now:
http://pkgs.fedoraproject.org/cgit/netty.git/commit/?h=f21&id=e2a34bc035529bda807865346324a1932aff28cb

We don't have anything that satisfies the new BR:
mvn(kr.motd.maven:os-maven-plugin)

Sync with F21 is checked into Cauldron SVN, but it can't be built until that missing BR is resolved.

OK, Pascal told me that os-maven-plugin needed to be imported to fix the BR. I imported os-maven-plugin, built it locally, built the netty update locally, and everything built and installed fine. I checked it into SVN and requested a freeze push.

os-maven-plugin-1.2.3-1.mga5 is uploaded. Just waiting for netty-4.0.28-1.mga5 now and then this can be closed.
CC: (none) => ennael1

Finally pushed. Thanks everyone :o)
Status: NEW => RESOLVED

Fedora has issued an advisory for this on May 22:
https://lists.fedoraproject.org/pipermail/package-announce/2015-May/159166.html
URL: (none) => http://lwn.net/Vulnerabilities/646891/