| Summary: | jackson-dataformat-xml new security issue CVE-2016-3720 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David GEIGER <geiger.david68210> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | sysadmin-bugs, tarazed25 |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/687596/ | | |
| Whiteboard: | advisory MGA5-64-OK | | |
| Source RPM: | jackson-dataformat-xml-2.6.3-3.mga6 | CVE: | |
| Status comment: | | | |
| Attachments: | Suggested java insert for test program; Serialization test for Simple.java class; tarfile containing test files for jackson-dataformat-xml | | |
David GEIGER, 2016-05-05 23:25:27 CEST
QA Contact: (none) => security

David GEIGER, 2016-05-05 23:25:43 CEST
Assignee: bugsquad => geiger.david68210

David GEIGER, 2016-05-05 23:46:09 CEST
Component: RPM Packages => Security
David Walser, 2016-05-05 23:52:19 CEST
Whiteboard: (none) => MGA5TOO

Fixed for Cauldron and mga5 too!

Assigning to QA.

Advisory:
========================

Updated jackson-dataformat-xml packages fix security vulnerability:

It was reported that XmlMapper in jackson-dataformat-xml is vulnerable to XXE attack ("Improper Restriction of XML External Entity Reference") (CVE-2016-3720).

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-3720
========================

Updated packages in 5/core/updates_testing:
========================
jackson-dataformat-xml-2.4.3-3.1.mga5
jackson-dataformat-xml-javadoc-2.4.3-3.1.mga5

Source RPM:
========================
jackson-dataformat-xml-2.4.3-3.1.mga5.src.rpm

Assignee: geiger.david68210 => qa-bugs
claire robinson, 2016-05-06 11:32:05 CEST
Version: Cauldron => 5

Thanks David! Maybe we should add the RedHat bug to the references too?
https://bugzilla.redhat.com/show_bug.cgi?id=1328427

Yes we can :)

So please use this updated advisory:

Advisory:
========================

Updated jackson-dataformat-xml packages fix security vulnerability:

It was reported that XmlMapper in jackson-dataformat-xml is vulnerable to XXE attack ("Improper Restriction of XML External Entity Reference") (CVE-2016-3720).

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-3720
https://bugzilla.redhat.com/show_bug.cgi?id=1328427
========================
Created attachment 7774 [details]
Suggested java insert for test program

Examples need java headers etc. Run as e.g. java -jar test.jar

CC: (none) => tarazed25

A simple test for this package looks easy to write, if you are a java programmer. From the documentation at https://github.com/FasterXML/jackson-dataformat-xml and http://stackoverflow.com/questions/3527264/how-to-create-a-pojo a POJO (Plain Old Java Object) could be serialized and presumably deserialized with XmlMapper, part of the Jackson extension. Not having any java expertise, I have taken the liberty of attaching example POJOs from the documentation together with suggested usage. All they need is a java framework, I think.

Created attachment 7791 [details]
Serialization test for Simple.java class

Don't rename this or any of the files.

Attachment 7774 is obsolete: 0 => 1

Other attachments to follow.

The serialization and deserialization work fine so this can be passed for x86_64. In accordance with the policy of accepting tests of only one architecture it can be validated also. Shall polish up the tests later.
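A QA-style check for this update, added here as an example rather than code from the bug report, the attached test files or the Jackson project: it builds an XmlMapper on a StAX factory with DTD processing and external entity expansion explicitly disabled, round-trips a small POJO, and confirms that a document referencing an external entity (pointing at a temporary file the check itself creates) cannot carry that file's contents into the deserialized object. The Simple class, the XxeCheck class name and the marker text are constructed; whether these are the exact settings the upstream commit applies is not stated on this page.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.stream.XMLInputFactory;
import com.fasterxml.jackson.dataformat.xml.XmlFactory;
import com.fasterxml.jackson.dataformat.xml.XmlMapper;

public class XxeCheck {
    // Constructed POJO, in the spirit of the Simple.java class attached to the bug.
    public static class Simple {
        public String name = "hello";
        public int value = 42;
    }
    // Hand Jackson a StAX factory with DTD processing and external entity
    // expansion switched off, independent of the library's own defaults.
    static XmlMapper hardenedMapper() {
        XMLInputFactory in = XMLInputFactory.newInstance();
        in.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        in.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        return new XmlMapper(new XmlFactory(in));
    }
    // Negative test: the external entity points at a temp file this check creates.
    // Returns true only if the file's marker text reaches the deserialized object.
    static boolean leaksExternalEntity(XmlMapper mapper) throws Exception {
        Path marker = Files.createTempFile("xxe-check", ".txt");
        Files.write(marker, "MARKER-MUST-NOT-LEAK".getBytes(StandardCharsets.UTF_8));
        String doc = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE Simple [<!ENTITY ext SYSTEM \"" + marker.toUri() + "\">]>"
            + "<Simple><name>&ext;</name><value>1</value></Simple>";
        try {
            Simple parsed = mapper.readValue(doc, Simple.class);
            return parsed.name != null && parsed.name.contains("MARKER");
        } catch (Exception e) {
            return false; // the parser refused the document, so nothing was expanded
        } finally {
            Files.deleteIfExists(marker);
        }
    }
    public static void main(String[] args) throws Exception {
        XmlMapper mapper = hardenedMapper();
        // Positive test: ordinary serialization and deserialization still work.
        String xml = mapper.writeValueAsString(new Simple());
        Simple copy = mapper.readValue(xml, Simple.class);
        if (!"hello".equals(copy.name) || copy.value != 42) throw new AssertionError(xml);
        System.out.println("round trip ok: " + xml);
        if (leaksExternalEntity(mapper)) throw new AssertionError("external entity expanded");
        System.out.println("external entity not expanded: ok");
    }
}
```

Run against the updated package, the second check must pass; run against an unpatched build with a default XmlMapper instead of hardenedMapper(), the marker text appearing in parsed.name is the symptom the advisory describes.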
Len Lawrence, 2016-05-13 10:42:50 CEST
Keywords: (none) => validated_update

Well done. Advisory uploaded.

Whiteboard: MGA5-64-OK => advisory MGA5-64-OK

An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2016-0175.html

Status: NEW => RESOLVED

Created attachment 7795 [details]
tarfile containing test files for jackson-dataformat-xml

The tests run in a Bash shell.

Attachment 7791 is obsolete: 0 => 1
David Walser, 2016-05-17 21:19:43 CEST
URL: (none) => http://lwn.net/Vulnerabilities/687596/
It was reported that XmlMapper in jackson-dataformat-xml is vulnerable to XXE attack ("Improper Restriction of XML External Entity Reference").

The issue should be fixed by applying the upstream patch:
https://github.com/FasterXML/jackson-dataformat-xml/commit/f0f19a4c924d9db9a1e2830434061c8640092cc0

Mageia 5 is also affected.

More info on the RedHat bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1328427

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-3720