Bug 16461

Summary: hornetq new security issue CVE-2015-3208
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: Nicolas Lécureuil <mageia>
Status: RESOLVED OLD QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: geiger.david68210, marja11, pterjan
Version: 7   
Target Milestone: ---   
Hardware: i586   
OS: Linux   
Whiteboard:
Source RPM: hornetq-2.4.7-4.mga7.src.rpm CVE:
Status comment:

Description David Walser 2015-07-24 17:12:35 CEST 
A security issue fixed upstream in HornetQ has been announced:
http://openwall.com/lists/oss-security/2015/07/24/2

The message above contains a link to the upstream commit to fix the issue.

Mageia 4 and Mageia 5 are also affected.

Reproducible: 

Steps to Reproduce:
David Walser 2015-07-24 17:12:55 CEST

Whiteboard: (none) => MGA5TOO, MGA4TOO
CC: (none) => geiger.david68210, pterjan

Comment 1 David Walser 2015-07-27 21:34:51 CEST 
Looking at the upstream commit, I can't find the affected Java class file to patch it.  Do we not have the affected code?  Is it in another SRPM or tarball?
Comment 2 Rémi Verschelde 2015-09-03 16:38:23 CEST 
Fedora bug report: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-3208

As usual they're mega verbose about the way they resolved the issue... But this time they closed it as WONTFIX without explication, and it blocks a private bug report. Not sure what to make of that.
Comment 3 David Walser 2015-09-03 16:41:16 CEST 
You have to be careful looking at RedHat's CVE bugs, as their resolution only applies to RHEL.  A lot of times they close them as WONTFIX or INVALID for RHEL, but it blocks the "fedora-all" tracker bug for the same CVE for Fedora, where they still have to fix it.
Comment 4 Rémi Verschelde 2015-09-03 17:00:08 CEST 
Ah right, so I guess in this case they chose to give up on RHEL, but they kept the fedora-all tracker bug hidden. It's also striked through though, so I guess they also resolved it in one way or another.
Comment 5 Marja Van Waes 2016-04-05 11:20:34 CEST 
Assuming this bug is still valid, at least for Mga5, because we still have hornetq-2.4.1-2.mga5 there.

Assigning to maintainer

Whiteboard: MGA5TOO, MGA4TOO => MGA5TOO
Source RPM: hornetq-2.4.1-2.mga5.src.rpm => hornetq-2.4.1-2.mga5
Assignee: bugsquad => mageia
CC: (none) => marja11

Comment 6 David GEIGER 2016-04-05 11:55:28 CEST 
I think we can close this bug as a WONTFIX like fedora/redhat.
Comment 7 Nicolas Lécureuil 2016-11-18 11:41:03 CET 
closing

Resolution: (none) => WONTFIX
Status: NEW => RESOLVED

Comment 8 David Walser 2018-10-17 23:23:24 CEST 
RedHat fixed this in Satellite 6.4:
https://access.redhat.com/errata/RHSA-2018:2927

Source RPM: hornetq-2.4.1-2.mga5 => hornetq-2.4.7-4.mga7.src.rpm
Status: RESOLVED => REOPENED
Whiteboard: MGA5TOO => MGA6TOO
Resolution: WONTFIX => (none)

David Walser 2019-06-23 19:29:00 CEST

Whiteboard: MGA6TOO => MGA7TOO, MGA6TOO

Nicolas Lécureuil 2020-05-22 14:03:42 CEST

Whiteboard: MGA7TOO, MGA6TOO => MGA7TOO

Comment 9 Nicolas Lécureuil 2020-12-26 23:27:02 CET 
not in cauldron anymore

Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)

Comment 10 David Walser 2021-07-01 18:13:24 CEST 
https://blog.mageia.org/en/2021/06/08/mageia-7-will-reach-end-of-support-on-30th-of-june-the-king-is-dead-long-live-the-king/

Resolution: (none) => OLD
Status: REOPENED => RESOLVED