| Summary: | xerces-j2 new DoS security issue | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Nic Baxter <nic> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | geiger.david68210, mageia, makowski.mageia, marja11, sysadmin-bugs, tarazed25 |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/686293/ | ||
| Whiteboard: | MGA5-64-OK MGA5-32-OK advisory | ||
| Source RPM: | xerces-j2-2.11.0-25.mga6.src.rpm | CVE: | http://lwn.net/Alerts/686276/ |
| Status comment: | |||
Description
Nic Baxter
2016-05-05 06:18:42 CEST
I don't know if this vulnerability needs reporting so I am using this to learn more about the process. I can't read the reference quoted (https://bugzilla.suse.com/814241) as I don't have permission. Our latest changelog reads:

```text
Wed Feb 24 2016 neoclust <neoclust> 2.11.0-25.mga6
+ Revision: 978554
- First rebuild of the java stack
- sync package xerces-j2 with fedora

+ umeabot
- Mageia 6 Mass Rebuild
```

OK so look at the Fedora 23 changelog for xerces-j2-2.11.0-23.fc23.noarch.rpm:

```text
Fri Jun 19 14:00:00 2015 Fedora Release Engineering - 2.11.0-23
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild

Wed Sep 10 14:00:00 2014 Mat Booth - 2.11.0-22
- Add patch for CVE-2013-4002, rhbz #1140031
- Fix ownership of javadoc directory

Mon Aug 11 14:00:00 2014 Mikolaj Izdebski - 2.11.0-21
- Workaround regression in %add_maven_depmap -a parameter handling

Mon Aug 11 14:00:00 2014 Mikolaj Izdebski - 2.11.0-20
- Add alias for apache:xerces-j2

Sun Jun 8 14:00:00 2014 Fedora Release Engineering - 2.11.0-19
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
```

No mention of DoS via long attribute names. So is this reportable and what would be the next stage?

CVE: (none) => http://lwn.net/Alerts/686276/

OpenSuSE has issued an advisory for this on May 4:
https://lists.opensuse.org/opensuse-updates/2016-05/msg00016.html

You can see the two patches they added here:
https://build.opensuse.org/package/show/openSUSE:13.2:Update/xerces-j2

Someone can check if they're relevant to our package.

URL: (none) => http://lwn.net/Vulnerabilities/686293/

(In reply to David Walser from comment #2)
> OpenSuSE has issued an advisory for this on May 4:
> https://lists.opensuse.org/opensuse-updates/2016-05/msg00016.html
>
> You can see the two patches they added here:
> https://build.opensuse.org/package/show/openSUSE:13.2:Update/xerces-j2
>
> Someone can check if they're relevant to our package.

Assigning to all packagers collectively for that, since there is no maintainer for this package.

CC: (none) => makowski.mageia, marja11
Nicolas Lécureuil
2016-05-12 22:11:37 CEST
CC: (none) => mageia

xerces-j2-scan-pseudo-attribute.patch is already in the package as xerces-j2-CVE-2013-4002.patch. xerces-j2-arrays-doubling.patch has been added in Mageia 5 and Cauldron.

Advisory:
========================

Updated xerces-j2 packages fix security vulnerability:

A possible denial of service issue from overflowing an array has been fixed in the xerces-j2 package.

References:
https://lists.opensuse.org/opensuse-updates/2016-05/msg00016.html
========================

Updated packages in core/updates_testing:
========================
xerces-j2-2.11.0-14.1.mga5
xerces-j2-javadoc-2.11.0-14.1.mga5
xerces-j2-demo-2.11.0-14.1.mga5

from xerces-j2-2.11.0-14.1.mga5.src.rpm

CC: (none) => geiger.david68210

Testing on x86_64 hardware.

xerces is a package concerned with parsing XML data. Before the update freeplane ran fine. It is listed as one of the whatrequires. Could not find how to access the xerces-j2 demo programs but there is a sample program available in the documentation which will be added as an attachment some time to exercise the package via nekohtml.

Updated the three packages from updates testing and ran freeplane again. This is a mind-mapping application presented in a java gui.

$ freeplane

Launches the gui with a sample mind-map. Clicking on calculate takes you to a tutorial of sorts in a browser. Go to the meet note and click on beginner. This uses the icedtea browser plugin to show ideas for a planned meeting. Clicking on the tips of some of the branches gives more details. It all works smoothly. Back in the gui, filter leads to an in-gui freeplane tutorial.

OK for 64-bits.

CC: (none) => tarazed25
Len Lawrence
2016-05-20 21:13:35 CEST
Whiteboard: (none) => MGA5-64-OK

Tested in i586 virtualbox using freeplane both before and after the update. Followed a couple of links to web tutorials. All looks fine. Good enough to validate.
Len Lawrence
2016-05-20 23:14:46 CEST
Whiteboard: MGA5-64-OK => MGA5-64-OK MGA5-32-OK
Len Lawrence
2016-05-20 23:15:02 CEST
Keywords: (none) => validated_update
Rémi Verschelde
2016-05-22 18:18:42 CEST
Whiteboard: MGA5-64-OK MGA5-32-OK => MGA5-64-OK MGA5-32-OK advisory

An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0205.html

Status: NEW => RESOLVED

openSUSE has issued another advisory referencing this issue:
https://lists.opensuse.org/opensuse-updates/2017-10/msg00076.html

I think they just forgot to patch this issue in Leap before. They did fix two new regular bugs though, and we should probably at least add the new patch in Cauldron:
https://build.opensuse.org/package/rdiff/openSUSE:Maintenance:7388/xerces-j2.openSUSE_Leap_42.2_Update?linkrev=base&rev=2

Apparently the code already has the changes from that patch, so we're good.