Bug 19590

Summary: derby new security issue CVE-2015-1832
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: brtians1, davidwhodgins, geiger.david68210, lewyssmith, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/703609/
Whiteboard: mga5-64-ok advisory
Source RPM: derby-10.10.2.0-1.mga5.src.rpm CVE:
Status comment:

Description David Walser 2016-10-14 21:19:36 CEST 
openSUSE has issued an advisory today (October 14):
https://lists.opensuse.org/opensuse-updates/2016-10/msg00051.html

Cauldron may also be affected.
Comment 1 David GEIGER 2016-10-24 21:08:19 CEST 
Fixed for both mga5 and Cauldron!

CC: (none) => geiger.david68210

Comment 2 David Walser 2016-10-24 21:15:55 CEST 
Thanks David!

Advisory:
========================

Updated derby packages fix security vulnerability:

Apache Derby could allow a remote attacker to obtain sensitive information,
caused by a XML external entity (XXE) error when processing XML data by the XML
datatype and XmlVTI. An attacker could exploit this vulnerability to read
arbitrary files on the system or cause a denial of service (CVE-2016-1832).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1832
https://lists.opensuse.org/opensuse-updates/2016-10/msg00051.html
========================

Updated packages in core/updates_testing:
========================
derby-10.10.2.0-1.1.mga5
derby-javadoc-10.10.2.0-1.1.mga5

from derby-10.10.2.0-1.1.mga5.src.rpm

Assignee: mageia => qa-bugs

Comment 3 Brian Rockwell 2016-10-29 23:20:29 CEST 
running VB  Mageia-5 64 bit

After installing the derby packages I rebooted the instance.

$ps -ef | grep derby 

reveals it is running


$ cd /usr/bin

$ derby-ij

Next I follow the instructions in:  

https://builds.apache.org/job/Derby-docs/lastSuccessfulBuild/artifact/trunk/out/getstart/index.html

start at step 5.

After doing that I was able to confirm derby server is running and working as designed.

ij> SELECT * FROM SECONDTABLE;
ID         |NAME          
--------------------------
100        |ONE HUNDRED   
200        |TWO HUNDRED   
300        |THREE HUNDRED 

3 rows selected


I get the following when closing

ij> exit;
Sat Oct 29 16:18:43 CDT 2016 Thread[main,5,main] java.io.FileNotFoundException: derby.log (Permission denied)
----------------------------------------------------------------
Sat Oct 29 16:18:43 CDT 2016: Shutting down Derby engine
----------------------------------------------------------------

derby.log is sitting in /var/lib/derby - my user id doesn't have permission.

However, I've confirmed this version of the database is up and running.

CC: (none) => brtians1
Whiteboard: (none) => mga5-64-ok

Comment 4 Lewis Smith 2016-11-01 21:01:29 CET 
Advisory uploaded.

CC: (none) => lewyssmith
Whiteboard: mga5-64-ok => mga5-64-ok advisory

Dave Hodgins 2016-11-17 20:14:17 CET

Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 5 Mageia Robot 2016-11-18 00:41:37 CET 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0385.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 6 David Walser 2016-11-18 17:27:55 CET 
CVE was incorrect the advisory in SVN.  I corrected it there, so hopefully that gets propagated to the website soon.