Bug 22029

Summary: cxf new security issue CVE-2017-12624 (and possibly several older ones)
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: Nicolas Lécureuil <mageia>
Status: RESOLVED OLD
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: geiger.david68210
Version: 7
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard:
Source RPM: cxf-3.1.6-6.mga7.src.rpm
CVE:
Status comment: Fixed upstream in 3.1.14
Bug Depends on: 23249
Bug Blocks:

Description David Walser 2017-11-15 12:18:51 CET
Upstream has issued an advisory on November 14:
http://cxf.apache.org/security-advisories.data/CVE-2017-12624.txt.asc

The issue is fixed upstream in 3.1.14, and a link to the commit that fixed it is in the message above.

Mageia 6 is also affected.

We may also be affected by these older advisories that were fixed in versions after 3.1.6:
http://cxf.apache.org/security-advisories.data/CVE-2016-6812.txt.asc
http://cxf.apache.org/security-advisories.data/CVE-2016-8739.txt.asc
http://cxf.apache.org/security-advisories.data/CVE-2017-3156.txt.asc
http://cxf.apache.org/security-advisories.data/CVE-2017-5653.txt.asc
http://cxf.apache.org/security-advisories.data/CVE-2017-5656.txt.asc

As I recall, this package was dropped due to being unnecessary.  I don't know why it was re-imported.

David Walser 2017-11-15 12:19:07 CET

CC: (none) => geiger.david68210
Whiteboard: (none) => MGA6TOO

David Walser 2018-02-02 18:22:29 CET

Status comment: (none) => Fixed upstream in 3.1.14, package should probably be dropped

David Walser 2019-01-01 04:57:24 CET

Depends on: (none) => 23249

David Walser 2019-06-23 19:29:11 CEST

Whiteboard: MGA6TOO => MGA7TOO, MGA6TOO

Nicolas Lécureuil 2020-05-22 14:04:25 CEST

Whiteboard: MGA7TOO, MGA6TOO => MGA7TOO

Comment 1 David Walser 2020-11-14 22:45:47 CET
Package has been (mercifully) dropped from Cauldron.

Status comment: Fixed upstream in 3.1.14, package should probably be dropped => Fixed upstream in 3.1.14
Whiteboard: MGA7TOO => (none)

David Walser 2020-11-14 22:47:31 CET

Version: Cauldron => 7

Comment 2 David Walser 2021-07-01 18:14:10 CEST
https://blog.mageia.org/en/2021/06/08/mageia-7-will-reach-end-of-support-on-30th-of-june-the-king-is-dead-long-live-the-king/

Resolution: (none) => OLD
Status: NEW => RESOLVED