Bug 23249

Summary: cxf new security issues CVE-2018-8039, CVE-2019-12406, CVE-2019-12419, CVE-2019-12423, CVE-2019-17573, CVE-2020-1954, CVE-2020-13954, CVE-2021-22696, CVE-2021-30468
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: Java Stack Maintainers <java>
Status: RESOLVED OLD
QA Contact: Sec team <security>
Severity: major
Priority: Normal
Version: 7
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard:
Source RPM: cxf-3.1.6-6.mga7.src.rpm
CVE:
Status comment: Fixed upstream in 3.3.11
Bug Depends on:
Bug Blocks: 22029

Description David Walser 2018-06-29 00:30:49 CEST
Apache has issued an advisory today (June 28):
http://openwall.com/lists/oss-security/2018/06/28/1

The issue is fixed upstream in 3.1.16.

Mageia 6 is also affected.

IIRC, this package is not needed and has been dropped before, so if that's still the case it should be dropped again from Cauldron.  Unfortunately it was re-imported before Mageia 6, so still needs to be fixed there.
David Walser 2018-06-29 00:31:06 CEST

Whiteboard: (none) => MGA6TOO
Status comment: (none) => Fixed upstream in 3.1.16

David Walser 2019-01-01 04:57:24 CET

Blocks: (none) => 22029

David Walser 2019-06-23 19:30:58 CEST

Whiteboard: MGA6TOO => MGA7TOO, MGA6TOO

Comment 1 David Walser 2019-11-09 14:50:51 CET
Apache has issued advisories on November 5:
https://www.openwall.com/lists/oss-security/2019/11/05/2
https://www.openwall.com/lists/oss-security/2019/11/05/3

The issues are fixed upstream in 3.2.11 and 3.3.4.

Status comment: Fixed upstream in 3.1.16 => Fixed upstream in 3.2.11
Summary: cxf new security issue CVE-2018-8039 => cxf new security issues CVE-2018-8039, CVE-2019-12406, CVE-2019-12419

Comment 2 David Walser 2020-01-17 00:46:51 CET
Apache has issued advisories today (January 16):
https://www.openwall.com/lists/oss-security/2020/01/16/3
https://www.openwall.com/lists/oss-security/2020/01/16/4

The issues are fixed upstream in 3.2.12 and 3.3.5.

Summary: cxf new security issues CVE-2018-8039, CVE-2019-12406, CVE-2019-12419 => cxf new security issues CVE-2018-8039, CVE-2019-12406, CVE-2019-12419, CVE-2019-12423, CVE-2019-17573
Status comment: Fixed upstream in 3.2.11 => Fixed upstream in 3.2.12

Comment 3 David Walser 2020-04-02 03:06:45 CEST
Apache has issued an advisory today (April 1):
https://www.openwall.com/lists/oss-security/2020/04/01/2

The issue is fixed upstream in 3.2.13 and 3.3.6.

Summary: cxf new security issues CVE-2018-8039, CVE-2019-12406, CVE-2019-12419, CVE-2019-12423, CVE-2019-17573 => cxf new security issues CVE-2018-8039, CVE-2019-12406, CVE-2019-12419, CVE-2019-12423, CVE-2019-17573, CVE-2020-1954
Whiteboard: MGA7TOO, MGA6TOO => MGA7TOO
Status comment: Fixed upstream in 3.2.12 => Fixed upstream in 3.2.13

Comment 4 David Walser 2020-11-14 22:47:09 CET
Package has been (mercifully) dropped from Cauldron.

Apache has issued an advisory on November 12:
https://www.openwall.com/lists/oss-security/2020/11/12/2

The issue is fixed upstream in 3.3.8 and 3.4.1.

Whiteboard: MGA7TOO => (none)
Summary: cxf new security issues CVE-2018-8039, CVE-2019-12406, CVE-2019-12419, CVE-2019-12423, CVE-2019-17573, CVE-2020-1954 => cxf new security issues CVE-2018-8039, CVE-2019-12406, CVE-2019-12419, CVE-2019-12423, CVE-2019-17573, CVE-2020-1954, CVE-2020-13954
Version: Cauldron => 7
Status comment: Fixed upstream in 3.2.13 => Fixed upstream in 3.3.8

Comment 5 David Walser 2021-04-04 17:55:43 CEST
Apache has issued an advisory on April 2:
https://www.openwall.com/lists/oss-security/2021/04/02/2

The issue is fixed upstream in 3.3.10 and 3.4.3.

Status comment: Fixed upstream in 3.3.8 => Fixed upstream in 3.3.10
Summary: cxf new security issues CVE-2018-8039, CVE-2019-12406, CVE-2019-12419, CVE-2019-12423, CVE-2019-17573, CVE-2020-1954, CVE-2020-13954 => cxf new security issues CVE-2018-8039, CVE-2019-12406, CVE-2019-12419, CVE-2019-12423, CVE-2019-17573, CVE-2020-1954, CVE-2020-13954, CVE-2021-22696

Comment 6 David Walser 2021-06-16 19:04:34 CEST
Apache has issued an advisory today (June 16):
https://www.openwall.com/lists/oss-security/2021/06/16/2

The issue is fixed upstream in 3.3.11 and 3.4.4.

Summary: cxf new security issues CVE-2018-8039, CVE-2019-12406, CVE-2019-12419, CVE-2019-12423, CVE-2019-17573, CVE-2020-1954, CVE-2020-13954, CVE-2021-22696 => cxf new security issues CVE-2018-8039, CVE-2019-12406, CVE-2019-12419, CVE-2019-12423, CVE-2019-17573, CVE-2020-1954, CVE-2020-13954, CVE-2021-22696, CVE-2021-30468
Status comment: Fixed upstream in 3.3.10 => Fixed upstream in 3.3.11

Comment 7 David Walser 2021-07-01 18:16:39 CEST
https://blog.mageia.org/en/2021/06/08/mageia-7-will-reach-end-of-support-on-30th-of-june-the-king-is-dead-long-live-the-king/

Resolution: (none) => OLD
Status: NEW => RESOLVED