| Summary: | dom4j new security issues CVE-2018-1000632 and CVE-2020-10683 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | andrewsfarm, mageia, ouaurelien, sysadmin-bugs, zombie_ryushu |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7-64-OK | ||
| Source RPM: | dom4j-2.0.0-4.mga7.src.rpm | CVE: | CVE-2020-10683 |
| Status comment: | |||
Description

David Walser 2019-10-22 19:32:59 CEST

David Walser 2019-10-22 19:33:09 CEST

Whiteboard: (none) => MGA7TOO

David Walser 2020-01-14 17:46:31 CET

Status comment: (none) => Fixed upstream in 2.0.3

Debian-LTS has issued an advisory on May 1:
https://www.debian.org/lts/security/2020/dla-2191

The issue is fixed upstream in 2.0.3 and 2.1.3, according to the RedHat bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1694235

The SUSE bug has links to upstream commits that fixed the issue:
https://bugzilla.suse.com/show_bug.cgi?id=1169760

Summary: dom4j new security issue CVE-2018-1000632 => dom4j new security issues CVE-2018-1000632 and CVE-2020-10683

Ubuntu has issued an advisory for this first issue today (November 5):
https://ubuntu.com/security/notices/USN-4619-1

Zombie Ryushu 2020-12-06 03:32:35 CET

CVE: (none) => CVE-2020-10683

Fixed in dom4j-2.0.0-6.mga8.

Version: Cauldron => 7

fixed in mga7

src: dom4j-2.0.0-4.1.mga7
CC: (none) => mageia

CVE-2018-1000632 was already patched before Mageia 7.

Advisory:
========================

Updated dom4j packages fix security vulnerability:

A flaw was found in the dom4j library. By using the default SaxReader() provided by Dom4J, external DTDs and External Entities are allowed, resulting in a possible XXE (CVE-2020-10683).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10683
https://www.debian.org/lts/security/2020/dla-2191
========================

Updated packages in core/updates_testing:
========================
dom4j-2.0.0-4.1.mga7
dom4j-javadoc-2.0.0-4.1.mga7

from dom4j-2.0.0-4.1.mga7.src.rpm

Status comment: Fixed upstream in 2.0.3, patches in Cauldron => (none)

From Wikipedia: "dom4j is an open-source Java library for working with XML, XPath and XSLT. It is compatible with DOM, SAX and JAXP standards."

This sounds like developer stuff, and beyond the scope of QA. Passing this on the basis of a clean install.

Validating. Advisory in Comment 5.

Keywords: (none) => validated_update

No installation issues.

Reaching all the way back to Bug 13326 for a testing procedure... (Thank you, Claire!)

```pycon
$ python
Python 2.7.18 (default, Nov 20 2020, 06:51:30)
[GCC 8.4.0] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from lxml.html.clean import clean_html
>>>
>>> html = '''\
... <html>
... <body>
... <a href="javascript:alert(0)">
... aaa</a>
... <a href="javas\x01cript:alert(1)">bbb</a>
... <a href="javas\x02cript:alert(1)">bbb</a>
... <a href="javas\x03cript:alert(1)">bbb</a>
... <a href="javas\x04cript:alert(1)">bbb</a>
... <a href="javas\x05cript:alert(1)">bbb</a>
... <a href="javas\x06cript:alert(1)">bbb</a>
... <a href="javas\x07cript:alert(1)">bbb</a>
... <a href="javas\x08cript:alert(1)">bbb</a>
... <a href="javas\x09cript:alert(1)">bbb</a>
... </body>
... </html>'''
>>>
>>> print clean_html(html)
<div>
<body>
<a href="">
aaa</a>
<a href="">bbb</a>
<a href="">bbb</a>
<a href="">bbb</a>
<a href="">bbb</a>
<a href="">bbb</a>
<a href="">bbb</a>
<a href="">bbb</a>
<a href="">bbb</a>
<a href="">bbb</a>
</body>
</div>
```

This result is the same as that in Bug 13326, so I'm passing this on.

Validating. Advisory in Comment 5.

oops. Comment 7 is for another bug.

Advisory pushed to SVN.

Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0034.html

Status: NEW => RESOLVED
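The advisory above describes the weakness of CVE-2020-10683 as the default `SAXReader` leaving external DTDs and external entities enabled. The following is an added example, written for this page and not taken from the bug report, from dom4j or from the Mageia package: it shows a hardened `SAXReader` configuration that an application can apply itself, which protects it regardless of whether the installed dom4j already carries the 2.0.3/2.1.3 defaults. It assumes the dom4j 2.x `org.dom4j.io.SAXReader` API and a JAXP parser (such as the JDK's built-in Xerces) that honours the standard SAX and Apache feature URIs; the XML input and the class and method names (`Dom4jXxeHardening`, `hardenedReader`, `rejectsDoctype`) are constructed for the illustration.

```java
// Added example (not dom4j's or the Mageia package's own code): hardening a
// dom4j SAXReader against XXE by refusing DOCTYPE declarations and external
// entities, and checking that untrusted input carrying an external entity
// is rejected rather than resolved.
import java.io.StringReader;

import org.dom4j.Document;
import org.dom4j.DocumentException;
import org.dom4j.io.SAXReader;
import org.xml.sax.SAXException;

public class Dom4jXxeHardening {

    // Constructed sample: a document whose DTD declares an external entity.
    // The SYSTEM identifier is a placeholder; a permissive reader would try
    // to fetch and inline whatever it points at.
    static final String UNTRUSTED_XML =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE data [ <!ENTITY ext SYSTEM \"file:///placeholder-must-never-be-read.txt\"> ]>\n"
      + "<data>&ext;</data>\n";

    // Hardened reader. Disallowing the DOCTYPE declaration entirely is the
    // strongest setting; the remaining features are defence in depth for
    // deployments that must still accept a DOCTYPE for other reasons.
    static SAXReader hardenedReader() throws SAXException {
        SAXReader reader = new SAXReader();
        reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
        reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // Do not copy DTD declarations into the resulting Document either.
        reader.setIncludeExternalDTDDeclarations(false);
        reader.setIncludeInternalDTDDeclarations(false);
        return reader;
    }

    // Returns true when the reader refuses the document. For untrusted input
    // this is the outcome a hardened deployment wants; SAXReader wraps the
    // parser's SAXParseException in a DocumentException.
    static boolean rejectsDoctype(SAXReader reader, String xml) {
        try {
            Document doc = reader.read(new StringReader(xml));
            System.out.println("parsed, root text = '" + doc.getRootElement().getText() + "'");
            return false;
        } catch (DocumentException e) {
            System.out.println("rejected: " + e.getMessage());
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        // new SAXReader() inherits whatever defaults the dom4j version applies;
        // before the upstream fix those defaults allowed external entities.
        System.out.println("default reader rejected input: "
            + rejectsDoctype(new SAXReader(), UNTRUSTED_XML));
        // The hardened reader rejects the document at the DOCTYPE, before any
        // entity can be resolved.
        System.out.println("hardened reader rejected input: "
            + rejectsDoctype(hardenedReader(), UNTRUSTED_XML));
    }
}
```

Compile and run it against the dom4j jar on the classpath; the hardened reader always reports `true`, while the result for the default reader depends on the dom4j version installed, which makes this a quick way to confirm that an update such as dom4j-2.0.0-4.1.mga7 actually changed the default behaviour.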