Bug 25765

Summary: apache-commons-beanutils new security issue CVE-2019-10086
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: major
Priority: Normal
CC: andrewsfarm, geiger.david68210, herman.viaene, sysadmin-bugs, tmb
Version: 7
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA7-64-OK
Source RPM: apache-commons-beanutils-1.9.3-2.mga7.src.rpm
CVE:
Status comment:

Description David Walser 2019-11-26 22:07:01 CET
openSUSE has issued an advisory on September 3:
https://lists.opensuse.org/opensuse-updates/2019-09/msg00017.html

The issue is fixed upstream in 1.9.4.
David Walser 2019-11-26 22:07:11 CET

CC: (none) => geiger.david68210

Comment 1 David GEIGER 2019-11-27 14:40:51 CET
Done updating to 1.9.4 release!

Also note that I have to rebuild apache-commons-collections to regenerate OSGi metadata and to make it build.
Comment 2 David Walser 2019-11-27 18:38:25 CET
Advisory:
========================

Updated apache-commons-beanutils packages fix security vulnerability:

In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added
which allows suppressing the ability for an attacker to access the classloader
via the class property available on all Java objects. We, however, were not
using this by default characteristic of the PropertyUtilsBean (CVE-2019-10086).

Also, the apache-commons-collections package has been rebuilt to regenerate the
OSGi metadata, to allow the apache-commons-beanutils package to build.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10086
https://lists.opensuse.org/opensuse-updates/2019-09/msg00017.html
========================

Updated packages in core/updates_testing:
========================
apache-commons-collections-3.2.2-7.1.mga7
apache-commons-collections-testframework-3.2.2-7.1.mga7
apache-commons-collections-javadoc-3.2.2-7.1.mga7
apache-commons-beanutils-1.9.4-1.mga7
apache-commons-beanutils-javadoc-1.9.4-1.mga7

from SRPMS:
apache-commons-collections-3.2.2-7.1.mga7.src.rpm
apache-commons-beanutils-1.9.4-1.mga7.src.rpm

Assignee: java => qa-bugs

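The mitigation the advisory refers to, shown as an added Java example (not code from the Mageia package or from upstream BeanUtils): on a 1.9.2/1.9.3 PropertyUtilsBean the SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS introspector is registered explicitly so the class property is no longer exposed, which is what 1.9.4 does by default. The Account bean is a constructed sample.

```java
import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

import java.beans.PropertyDescriptor;

/**
 * Hardening for commons-beanutils 1.9.2/1.9.3: register the SUPPRESS_CLASS
 * introspector so PropertyUtilsBean no longer reports the "class" property
 * (the path to getClassLoader() named in CVE-2019-10086).
 */
public class BeanUtilsHardening {

    /** Ordinary JavaBean used as constructed sample input. */
    public static class Account {
        private String owner = "alice";
        public String getOwner() { return owner; }
        public void setOwner(String owner) { this.owner = owner; }
    }

    /** True if PropertyUtils still lists a "class" property for the bean. */
    static boolean exposesClassProperty(PropertyUtilsBean pub, Object bean) {
        for (PropertyDescriptor pd : pub.getPropertyDescriptors(bean)) {
            if ("class".equals(pd.getName())) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        PropertyUtilsBean pub = BeanUtilsBean.getInstance().getPropertyUtils();
        Account bean = new Account();

        // Default in 1.9.2/1.9.3: "class" is listed like any other property.
        System.out.println("class exposed before: " + exposesClassProperty(pub, bean));

        // Mitigation (default since 1.9.4): suppress the "class" property and
        // drop cached descriptors so the new introspector takes effect.
        pub.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        pub.clearDescriptors();

        System.out.println("class exposed after:  " + exposesClassProperty(pub, bean));
        try {
            pub.getProperty(bean, "class");   // now refused
        } catch (NoSuchMethodException expected) {
            System.out.println("access to 'class' refused: " + expected.getMessage());
        }
    }
}
```

With a 1.9.4 package such as the one in this update, the second check already reports false without the addBeanIntrospector call, which is a quick way to confirm the updated jar is the one on the classpath.
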
Comment 3 Herman Viaene 2019-12-17 09:46:52 CET
MGA7-64 Plasma on Lenovo B50
No installation issues.
httpd was not running before installation.
After installation:
# systemctl  start httpd
# systemctl -l status httpd
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
   Active: active (running) since Tue 2019-12-17 09:44:54 CET; 4s ago
 Main PID: 32109 (httpd)
   Status: "Processing requests..."
   Memory: 12.4M
   CGroup: /system.slice/httpd.service
           ├─32109 /usr/sbin/httpd -DFOREGROUND
           ├─32111 /usr/sbin/httpd -DFOREGROUND
           ├─32112 /usr/sbin/httpd -DFOREGROUND
           ├─32113 /usr/sbin/httpd -DFOREGROUND
           ├─32115 /usr/sbin/httpd -DFOREGROUND
           └─32116 /usr/sbin/httpd -DFOREGROUND

dec 17 09:44:54 mach5.hviaene.thuis systemd[1]: Starting The Apache HTTP Server...
dec 17 09:44:54 mach5.hviaene.thuis systemd[1]: Started The Apache HTTP Server.

I have no idea for further tests, no previous updates found.

CC: (none) => herman.viaene

Comment 4 David Walser 2019-12-17 13:24:44 CET
This package has nothing to do with Apache.  It's Java stuff.  Just test that it updates cleanly and that's sufficient.
Herman Viaene 2019-12-17 13:39:01 CET

Whiteboard: (none) => MGA7-64-OK

Comment 5 Thomas Andrews 2019-12-17 17:58:20 CET
Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2019-12-19 13:24:27 CET

CC: (none) => tmb
Keywords: (none) => advisory

Comment 6 Mageia Robot 2019-12-19 14:45:55 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0399.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED