| Summary: | unnecessary packages with security issues re-imported | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | Pascal Terjan <pterjan> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | mageia |
| Version: | Cauldron | ||
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Source RPM: | activemq, xmltooling, opensaml-java, wss4j | CVE: | |
| Status comment: | |||
Description

David Walser
2016-03-06 20:15:49 CET

David Walser
2016-03-06 20:16:03 CET

CC: (none) => mageia

In addition, these packages were re-imported with mostly even older versions than when we dropped them, also contributing to the number of security issues they likely have.

Now springframework-security has been re-imported too! It was also dropped due to multiple unfixed security issues.

Activemq is OK on cauldron:

Patch0: activemq-5.6.0-jaas-CVE-2015-6524.patch

CVE-2015-6524 is only the newest of several issues that I documented in Bug 14377. 5.6.0 is a very old version that is vulnerable to a multitude of security issues, which Fedora has largely ignored.

So it seems this was a mistake caused by a strange problem. We have the wise package:

```
Name        : wise
Version     : 2.4.1
Release     : 3.mga5
Group       : Sciences/Biology
Size        : 9978093
Architecture: x86_64
Source RPM  : wise-2.4.1-3.mga5.src.rpm
Build Host  : ecosse.mageia.org
Packager    : dmorgan <dmorgan>
URL         : http://www.ebi.ac.uk/~birney/wise2
Summary     : Comparisons of DNA and protein sequences
Description :
Wise2 is a package focused on comparisons of biopolymers, commonly DNA and
protein sequence. Wise2's particular forte is the comparison of DNA sequence
at the level of its protein translation. This comparison allows the
simultaneous prediction of say gene structure with homology based alignment.

The Wise2 package was principally written by Ewan Birney, who wrote the main
genewise and estwise programs. The protein comparison database search program
was written by Richard Copley using the underlying Wise2 libraries. Wise2 also
uses code from Sean Eddy for reading HMMs and for Extreme value distribution
fitting.
```

When trying to build it, it was requiring mvn(org.jboss.ws.cxf:jbossws-cxf-client), which is why I started importing all the indirect dependencies of this one.

Looking more into it, that's because the wise we have in svn is different:

```
%description
Wise is a Java framework for easily invoking webservices, which can be used as
base for zero-code webservice invocation applications.

Wise can be the proper solution when total and effective client/server
decoupling through WS is required. While basic JAX-WS tool for wsdl-to-java
generation (like wsconsume) are great for most Java developer usecases, the
generated stub classes kind of introduce a new (or renewed :)) level of
coupling very similar to Corba IDL; by generating statical webservice stubs
you actually couple client and server. So what is the alternative? Writing
dynamic client using dynamic Provider/Dispatch JAX-WS API? That's possibly an
option, yet not the easiest to understand, implement and maintain in most
enterprise environments. Wise provides a different solution using dynamic
mapping on JAX-WS tools generated code. Wise allows calling a ws service by
mapping a generic Object model to JAXWS generated code. This opens up multiple
Wise usage scenarios, like zero-code WS invocation (used in JBoss ESB) or GUI
driven WS invocation.
```

As all those packages are required by the wise we don't need and not the one which is required by other things, I'll drop them again.

Done, I'll now fix wise to have in svn the wise that we have in packages.

Closing.

Status: NEW => RESOLVED