Bug 24817

Summary: resteasy new security issue CVE-2016-6346
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: Java Stack Maintainers <java>
Status: RESOLVED OLD
QA Contact: Sec team <security>
Severity: major
Priority: Normal
CC: mageia, nicolas.salguero, zombie_ryushu
Version: 8
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard:
Source RPM: resteasy-3.0.19-2.mga7.src.rpm
CVE:
Status comment: Fixed upstream in 3.5.1
Bug Depends on: 27750
Bug Blocks:

Description David Walser 2019-05-14 20:20:06 CEST
Red Hat has issued an advisory today (May 14):
https://access.redhat.com/errata/RHSA-2019:1222

Wasn't easy to find, but resteasy is bundled in candlepin, and they updated this CVE by updating resteasy to 3.5.1. Not sure if there's a 3.0.x with the fix.
David Walser 2019-05-14 20:20:25 CEST

Whiteboard: (none) => MGA6TOO

David Walser 2019-06-23 19:14:46 CEST

Whiteboard: MGA6TOO => MGA7TOO, MGA6TOO

David Walser 2020-01-14 18:09:50 CET

Status comment: (none) => Fixed upstream in 3.5.1

Nicolas Lécureuil 2020-05-22 14:05:49 CEST

CC: (none) => mageia
Whiteboard: MGA7TOO, MGA6TOO => MGA7TOO

Comment 1 Zombie Ryushu 2020-12-05 14:21:47 CET
A flaw was found in RESTEasy client in all versions of RESTEasy up to 4.5.6.Final. It may allow client users to obtain the server's potentially sensitive information when the server got WebApplicationException from the RESTEasy client call. The highest threat from this vulnerability is to data confidentiality.

URL: (none) => https://nvd.nist.gov/vuln/detail/CVE-2020-25633
CC: (none) => zombie_ryushu
CVE: (none) => CVE-2020-25633

Zombie Ryushu 2020-12-05 14:22:23 CET

Summary: resteasy new security issue CVE-2016-6346 => resteasy new security issue CVE-2016-6346 CVE-2020-25633

David Walser 2020-12-05 14:37:52 CET

Depends on: (none) => 27750

David Walser 2020-12-05 14:38:05 CET

Depends on: 27750 => (none)
Summary: resteasy new security issue CVE-2016-6346 CVE-2020-25633 => resteasy new security issue CVE-2016-6346
CVE: CVE-2020-25633 => (none)

David Walser 2020-12-05 14:38:20 CET

Depends on: (none) => 27750

David Walser 2020-12-28 17:16:41 CET

URL: https://nvd.nist.gov/vuln/detail/CVE-2020-25633 => (none)

David Walser 2020-12-29 00:24:08 CET

Whiteboard: MGA7TOO => MGA8TOO, MGA7TOO

Comment 2 Nicolas Lécureuil 2021-01-04 21:30:55 CET
Currently working to update it.
Comment 3 David Walser 2021-07-01 18:45:33 CEST
Removing Mageia 7 from whiteboard due to EOL:
https://blog.mageia.org/en/2021/06/08/mageia-7-will-reach-end-of-support-on-30th-of-june-the-king-is-dead-long-live-the-king/

Whiteboard: MGA8TOO, MGA7TOO => MGA8TOO

Comment 4 Nicolas Salguero 2024-03-14 11:24:32 CET
That issue was fixed in 3.0.20 and Mageia 8 had 3.0.26.

Resolution: (none) => OLD
Whiteboard: MGA8TOO => (none)
Status: NEW => RESOLVED
CC: (none) => nicolas.salguero
Version: Cauldron => 8