Bug 19715

Summary: perl-XML-Twig new security issue CVE-2016-9180
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: Jerome Quelin <jquelin>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: mageia, marja11
Version: Cauldron   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: perl-XML-Twig-3.490.0-3.mga6.src.rpm CVE: CVE-2016-9180
Status comment:

Description David Walser 2016-11-04 15:27:48 CET 
A CVE has been assigned for an XXE issue in XML::Twig:
http://openwall.com/lists/oss-security/2016/11/04/2

No fix is available yet.
David Walser 2016-11-04 15:27:55 CET

Whiteboard: (none) => MGA5TOO

Comment 1 Marja Van Waes 2016-11-04 23:45:21 CET 
Already assigning to the registered maintainer

CC: (none) => marja11
Assignee: bugsquad => jquelin

Nicolas Lécureuil 2016-11-16 18:05:33 CET

CC: (none) => mageia
Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)

Comment 2 Nicolas Lécureuil 2016-11-16 18:08:52 CET 
Fixed in cauldron and pushed in mga5 updates_testing
SRPMS:  perl-Image-Info-1.360.0-4.1.mga5

Assignee: jquelin => qa-bugs

Comment 3 Nicolas Lécureuil 2016-11-16 18:15:44 CET 
SRPMS:  perl-Image-Info-1.380.0-1.mga5
Nicolas Lécureuil 2016-11-16 18:17:12 CET

Assignee: qa-bugs => bugsquad

Comment 4 David Walser 2016-11-16 19:14:04 CET 
This bug is for perl-XML-Twig.

Version: 5 => Cauldron
Whiteboard: (none) => MGA5TOO

Samuel Verschelde 2016-11-17 09:27:31 CET

Assignee: bugsquad => jquelin

Nicolas Lécureuil 2017-04-27 13:32:43 CEST

CVE: (none) => CVE-2016-9180

Comment 5 Nicolas Lécureuil 2017-04-27 18:19:32 CEST 
Fixed in cauldron

Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)

Comment 6 David Walser 2017-12-27 04:30:49 CET 
(In reply to Nicolas Lécureuil from comment #5)
> Fixed in cauldron

Are you sure?  I just looked at it and it appears there's still no fix upstream for this.
Comment 7 David Walser 2017-12-29 04:09:59 CET 
Switching this to Mageia 6/Cauldron since it hasn't actually been fixed.

Whiteboard: (none) => MGA6TOO
Version: 5 => Cauldron

Comment 8 David Walser 2017-12-29 04:11:40 CET 
I suppose we could have updated Mageia 5 to 3.52, but it wouldn't fix the fact that expand_external_ents is not respected, so if we have any code relying on that, it wouldn't be automatically fixed, it'd have to be patched to make use of the new no_xxe flag that was added.  So, too late for this to be of much use.
David Walser 2018-02-02 18:13:38 CET

Status comment: (none) => Not fixed upstream as of end of 2017

Comment 9 David Walser 2019-01-21 02:51:30 CET 
Doesn't look like any packages depending on it reference expand_external_ents, so let's call this fixed.

Resolution: (none) => FIXED
Whiteboard: MGA6TOO => (none)
Status: NEW => RESOLVED
Status comment: Not fixed upstream as of end of 2017 => (none)