| Summary: | apache-commons-collections new security issue CVE-2015-8103 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | geiger.david68210, mageia, marja11, sysadmin-bugs, wilcal.int |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/682387/ | ||
| Whiteboard: | has_procedure advisory MGA5-32-OK MGA5-64-OK | ||
| Source RPM: | apache-commons-collections-3.2.1-24.1.mga5.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2016-04-04 23:27:47 CEST
David Walser
2016-04-04 23:28:02 CEST
CC:
(none) =>
geiger.david68210, mageia Assigning to maintainer CC:
(none) =>
marja11 I don't know why but version 3.2.2 does not built on mga5 (tried to compile locally and same issue). Seems to be a problem with build of javadoc, maybe due the the super-strict doclint checks since java 8. [INFO] <<< maven-javadoc-plugin:2.9.1:aggregate (default-cli) < generate-sources @ commons-collections <<< [INFO] [INFO] --- maven-javadoc-plugin:2.9.1:aggregate (default-cli) @ commons-collections --- [INFO] 37 errors 100 warnings [INFO] ------------------------------------------------------------------------ [INFO] BUILD FAILURE [INFO] ------------------------------------------------------------------------ [INFO] Total time: 23.787 s [INFO] Finished at: 2016-04-08T05:08:00+00:00 [INFO] Final Memory: 31M/348M [INFO] ------------------------------------------------------------------------ [ERROR] Failed to execute goal org.apache.maven.plugins:maven-javadoc-plugin:2.9.1:aggregate (default-cli) on project commons-collections: An error has occurred in JavaDocs report generation: [ERROR] Exit code: 1 - /home/iurt/rpmbuild/BUILD/commons-collections-3.2.2-src/src/java/org/apache/commons/collections/BeanMap.java:191: warning: empty <ul> tag [ERROR] * <ul> [ERROR] ^ [ERROR] /home/iurt/rpmbuild/BUILD/commons-collections-3.2.2-src/src/java/org/apache/commons/collections/BeanMap.java:191: error: element not closed: ul [ERROR] * <ul> @pterjan: an idea about this issue? Well! done now for mga5! Thanks to pterjan to pointed me out a good workaround! :) Advisory: ======================== Updated apache-commons-collections packages fix security vulnerability: Due to an issue with serialization, Java applications can be vulnerable to malicious remote code execution when the apache-commons-collections library is on the classpath (CVE-2015-8103). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8103 https://lists.fedoraproject.org/pipermail/package-announce/2016-April/181046.html ======================== Updated packages in core/updates_testing: ======================== apache-commons-collections-3.2.2-1.mga5 apache-commons-collections-testframework-3.2.2-1.mga5 apache-commons-collections-javadoc-3.2.2-1.mga5 apache-commons-collections-testframework-javadoc-3.2.2-1.mga5 from apache-commons-collections-3.2.2-1.mga5.src.rpm Assignee:
neoclust =>
qa-bugs Note: apache-commons-collections-testframework-javadoc is no more provides, so here an new updated list: Updated packages in 5/core/updates_testing: ======================== apache-commons-collections-3.2.2-1.mga5 apache-commons-collections-testframework-3.2.2-1.mga5 apache-commons-collections-javadoc-3.2.2-1.mga5 from apache-commons-collections-3.2.2-1.mga5.src.rpm Got a simple test for this one? CC:
(none) =>
wilcal.int (In reply to William Kenney from comment #6) > Got a simple test for this one? Make sure it installs and upgrades cleanly from the previous version, that's all. In VirtualBox, M5, KDE, 32-bit Package(s) under test: apache-commons-collections default install of apache-commons-collections [root@localhost wilcal]# urpmi apache-commons-collections Package apache-commons-collections-3.2.1-24.1.mga5.noarch is already installed Installs cleanly Install apache-commons-collections from updates_testing [root@localhost wilcal]# urpmi apache-commons-collections Package apache-commons-collections-3.2.2-1.mga5.noarch is already installed Updates cleanly Whiteboard:
(none) =>
MGA5-32-OK In VirtualBox, M5, KDE, 64-bit Package(s) under test: apache-commons-collections default install of apache-commons-collections [root@localhost wilcal]# urpmi apache-commons-collections Package apache-commons-collections-3.2.1-24.1.mga5.noarch is already installed Installs cleanly Install apache-commons-collections from updates_testing [root@localhost wilcal]# urpmi apache-commons-collections Package apache-commons-collections-3.2.2-1.mga5.noarch is already installed Updates cleanly Whiteboard:
MGA5-32-OK =>
MGA5-32-OK MGA5-64-OK For me this update works fine. Testing complete for MGA5, 32-bit & 64-bit Validating the update. Could someone from the sysadmin team push to updates. Thanks Keywords:
(none) =>
validated_update Ensured no conflicts with the other packages and javadoc correctly obsoleted. Advisory uploaded. Whiteboard:
MGA5-32-OK MGA5-64-OK =>
has_procedure advisory MGA5-32-OK MGA5-64-OK An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0137.html Status:
NEW =>
RESOLVED This update also fixed two other issues: https://nvd.nist.gov/vuln/detail/CVE-2015-6420 https://nvd.nist.gov/vuln/detail/CVE-2017-15708 |