Bug 26481

Summary: quartz new security issue CVE-2019-13990
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: andrewsfarm, mageia, ouaurelien, sysadmin-bugs, zombie_ryushu
Version: 7
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
URL: https://nvd.nist.gov/vuln/detail/CVE-2019-13990
Whiteboard: MGA7-64-OK
Source RPM: quartz-2.2.1-10.mga8.src.rpm
CVE: CVE-2019-13990
Status comment:

Description David Walser 2020-04-14 22:29:33 CEST
SUSE has issued an advisory today (April 14):
http://lists.suse.com/pipermail/sle-security-updates/2020-April/006708.html

Mageia 7 is also affected.

Zombie Ryushu 2020-12-19 19:58:36 CET

URL: (none) => https://nvd.nist.gov/vuln/detail/CVE-2019-13990
CVE: (none) => CVE-2019-13990
CC: (none) => zombie_ryushu

Comment 1 Nicolas Lécureuil 2020-12-27 15:42:32 CET
Not available in Cauldron anymore.

Version: Cauldron => 7
CC: (none) => mageia

Comment 2 Nicolas Lécureuil 2021-03-10 07:58:11 CET
Fixed in mga7:

    src:
         - quartz-2.2.1-9.1.mga7

Assignee: java => qa-bugs

Comment 3 David Walser 2021-03-10 18:21:20 CET
Advisory:
========================

Updated quartz packages fix security vulnerability:

initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz
Scheduler through 2.3.0 allows XXE attacks via a job description
(CVE-2019-13990).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13990
https://lists.suse.com/pipermail/sle-security-updates/2020-April/006708.html
========================

Updated packages in core/updates_testing:
========================
quartz-2.2.1-9.1.mga7
quartz-javadoc-2.2.1-9.1.mga7

from quartz-2.2.1-9.1.mga7.src.rpm
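As an added illustration (not code from the Quartz project or from this bug report), the Java snippet below shows the mitigation for the XXE class named in the advisory above: a DocumentBuilderFactory configured to refuse DOCTYPE declarations and external entities, checked against a constructed job-scheduling-data document that carries a DTD. The class name, the helper methods and the sample document are assumptions made for this demonstration, not Quartz's own parser code.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

// Hypothetical class, not part of Quartz: contrasts a default DOM parser
// with one hardened against XXE when reading job-definition XML.
public class HardenedJobXmlParser {

    // Constructed sample job-definition document. It declares only an internal
    // entity; a parser hardened against XXE must reject the DOCTYPE itself,
    // so what the DTD declares never matters.
    static final String SAMPLE_WITH_DOCTYPE =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE job-scheduling-data [<!ENTITY grp \"DEFAULT\">]>\n"
        + "<job-scheduling-data><schedule><job>"
        + "<name>sampleJob</name><group>&grp;</group>"
        + "</job></schedule></job-scheduling-data>";

    // Hardened factory: DTDs disallowed, external entities off, XInclude off,
    // and entity references left unexpanded.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Returns true only if the builder accepts the document.
    static boolean accepts(DocumentBuilder builder, String xml) {
        try {
            Document doc = builder.parse(new InputSource(new StringReader(xml)));
            return doc.getDocumentElement() != null;
        } catch (SAXException | IOException e) {
            return false; // the hardened builder lands here: DOCTYPE refused
        }
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilder lax = DocumentBuilderFactory.newInstance().newDocumentBuilder();
        System.out.println("default builder accepts DOCTYPE:  " + accepts(lax, SAMPLE_WITH_DOCTYPE));
        System.out.println("hardened builder accepts DOCTYPE: " + accepts(hardenedBuilder(), SAMPLE_WITH_DOCTYPE));
    }
}
```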
Comment 4 Thomas Andrews 2021-03-11 23:06:50 CET
No installation issues.

Searched in vain for a previous update of quartz. Looked at the file list, saw a read.me, no help there. Lots of html files in quartz-javadoc, all developer-type stuff beyond ordinary QA testing. Description reads:

Quartz is a job scheduling system that can be integrated with, or used alongside virtually any J2EE or J2SE application. Quartz can be used to create simple or complex schedules for executing tens, hundreds, or even tens-of-thousands of jobs; jobs whose tasks are defined as standard Java components or EJBs.

Sounds far too complex for QA. Since Comment 1 indicates this has been dropped from Mageia 8, I'm going to pass this along on a clean install. Validating. Advisory in Comment 3.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: (none) => MGA7-64-OK

Comment 5 Aurelien Oudelet 2021-03-14 17:19:18 CET
Advisory committed to SVN.

CC: (none) => ouaurelien
Keywords: (none) => advisory

Comment 6 Mageia Robot 2021-03-14 22:22:19 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0133.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED