Bug 19029

Summary: apache-poi new security issues CVE-2016-5000, CVE-2017-5644, CVE-2017-12626
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: Java Stack Maintainers <java>
Status: RESOLVED OLD QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: geiger.david68210, mageia, mageia
Version: 6   
Target Milestone: ---   
Hardware: All   
OS: Linux   
See Also: https://bugzilla.redhat.com/show_bug.cgi?id=1434522
Whiteboard:
Source RPM: apache-poi-3.14-1.mga6.src.rpm CVE:
Status comment: Fixed upstream in 3.17

Description David Walser 2016-07-22 22:31:51 CEST 
Upstream has issued an advisory today (July 22):
http://openwall.com/lists/oss-security/2016/07/22/2

The issue is fixed in 3.14.

Fedora Rawhide has 3.14 (24 is still on 3.13).

Mageia 5 is also affected.
David Walser 2016-07-22 22:32:02 CEST

CC: (none) => geiger.david68210

David Walser 2016-08-11 21:18:03 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 David Walser 2017-03-21 00:44:07 CET 
Upstream has issued an advisory today (March 20):
http://openwall.com/lists/oss-security/2017/03/20/9

The issue is fixed in 3.15.

Summary: apache-poi new security issue CVE-2016-5000 => apache-poi new security issues CVE-2016-5000 and CVE-2017-5644

Comment 2 Nicolas Lécureuil 2017-05-18 09:24:42 CEST 
have now apache-poi 3.14.

Looking to upgrade to a newer if possible
Nicolas Lécureuil 2017-05-18 10:32:56 CEST

See Also: (none) => https://bugzilla.redhat.com/show_bug.cgi?id=1434522

Nicolas Lécureuil 2017-05-26 13:34:49 CEST

Source RPM: apache-poi-3.13-2.mga6.src.rpm => apache-poi-3.14-1.mga6.src.rpm

David Walser 2017-06-05 01:38:07 CEST

Status comment: (none) => Fixed upstream in 3.15

David Walser 2017-07-07 04:23:24 CEST

Whiteboard: MGA5TOO => MGA6TOO, MGA5TOO

Comment 3 David Walser 2017-12-27 01:02:06 CET 
We still need to fix this, but won't be for Mageia 5.

Whiteboard: MGA6TOO, MGA5TOO => MGA6TOO

Comment 4 Marc Krämer 2018-01-17 18:34:54 CET 
Is Nicolas still with us?
I see a bunch of bugs assigned to him, but no progress anymore. Maybe we should assign it back to "All packagers"

CC: (none) => mageia

Comment 5 David Walser 2018-01-17 18:52:09 CET 
He is, but the bugs for Java packages don't tend to get a lot of attention.  It's further complicated by the fact that when Fedora does these kind of issues, sometimes try to sync in their update breaks things, and other times even Fedora neglects to fix security issues.
Comment 6 David Walser 2018-04-27 18:55:00 CEST 
Fedora has issued an advisory today (April 27):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/STKLIH57QLIVDD6JBCDLQTSNP5AIBRDD/

A new issue is fixed upstream in 3.17.

Summary: apache-poi new security issues CVE-2016-5000 and CVE-2017-5644 => apache-poi new security issues CVE-2016-5000, CVE-2017-5644, CVE-2017-12626
Status comment: Fixed upstream in 3.15 => Fixed upstream in 3.17

Comment 7 David Walser 2019-01-01 04:56:40 CET 
Updated to 3.17 in Cauldron by David Geiger.

Version: Cauldron => 6
CC: (none) => mageia
Assignee: mageia => java
Whiteboard: MGA6TOO => (none)

Comment 8 David Walser 2019-01-01 04:58:49 CET 
Upstream has issued an advisory on January 26 for CVE-2017-12626:
http://openwall.com/lists/oss-security/2018/01/26/7
Comment 9 David Walser 2019-01-01 04:59:09 CET 
*** Bug 22472 has been marked as a duplicate of this bug. ***
Comment 10 David Walser 2019-10-23 13:03:16 CEST 
Mageia 6 is EOL.

Status: NEW => RESOLVED
Resolution: (none) => OLD