Bug 16003

Summary: jackrabbit new security issue CVE-2015-1833
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: geiger.david68210, herman.viaene, pterjan, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/647619/
Whiteboard: advisory MGA4-32-OK mga4-64-ok
Source RPM: jackrabbit-2.4.2-6.mga4.src.rpm CVE:
Status comment:

Description David Walser 2015-05-21 17:55:14 CEST 
A security issue fixed upstream in jackrabbit has been announced:
http://openwall.com/lists/oss-security/2015/05/21/6
http://openwall.com/lists/oss-security/2015/05/21/7

There are patches available in the second message linked above, and the fixes will be incorporated into a 2.4.6 release.

Mageia 4 and Mageia 5 are affected.

Reproducible: 

Steps to Reproduce:
David Walser 2015-05-21 17:55:31 CEST

CC: (none) => geiger.david68210, pterjan
Whiteboard: (none) => MGA5TOO, MGA4TOO

Comment 1 David GEIGER 2015-05-21 19:36:55 CEST 
So, fixes for jackrabbit for Cauldron and mga4 too with the proposed upstream patch done in SVN.

Freeze_push for Cauldron requested.
Comment 2 David GEIGER 2015-05-21 19:58:59 CEST 
Ok now jackrabbit is uploaded for mga4 and finally it will be soon dropped from Cauldron.
Comment 3 David Walser 2015-05-22 17:41:04 CEST 
OK, jackrabbit no longer hops in Cauldron.

Patched package uploaded for Mageia 4.  Thanks David!

Advisory:
========================

Updated jackrabbit packages fix security vulnerability:

In Apache Jackrabbit before 2.4.6, When processing a WebDAV request body
containing XML, the XML parser can be instructed to read content from network
resources accessible to the host, identified by URI schemes such as "http(s)"
or  "file". Depending on the WebDAV request, this can not only be used to
trigger internal network requests, but might also be used to insert said
content into the request, potentially exposing it to the attacker and others
(for instance, by inserting said content in a WebDAV property value using a
PROPPATCH request). See also IETF RFC 4918, Section 20.6 (CVE-2015-1833).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1833
http://openwall.com/lists/oss-security/2015/05/21/6
http://openwall.com/lists/oss-security/2015/05/21/7
========================

Updated packages in core/updates_testing:
========================
jackrabbit-webdav-2.4.2-6.1.mga4
jackrabbit-webdav-javadoc-2.4.2-6.1.mga4

from jackrabbit-2.4.2-6.1.mga4.src.rpm

Version: Cauldron => 4
Assignee: dmorganec => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => (none)

Comment 4 Herman Viaene 2015-06-05 14:49:53 CEST 
MGA4-32 on AcerD620 Xfce
No installation issues

CC: (none) => herman.viaene
Whiteboard: (none) => MGA4-32-OK

Comment 5 claire robinson 2015-06-05 15:51:31 CEST 
Tested mga4 64

Whiteboard: MGA4-32-OK => MGA4-32-OK mga4-64-ok

Comment 6 claire robinson 2015-06-05 19:46:17 CEST 
Validating. Advisory uploaded.

Please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA4-32-OK mga4-64-ok => advisory MGA4-32-OK mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 7 Mageia Robot 2015-06-08 23:18:44 CEST 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0242.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2015-06-09 18:53:55 CEST

URL: (none) => http://lwn.net/Vulnerabilities/647619/