| Summary: | httpcomponents-client new security issue CVE-2020-13956 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | andrewsfarm, herman.viaene, mageia, ouaurelien, sysadmin-bugs |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7-64-OK | ||
| Source RPM: | httpcomponents-client-4.5.10-1.mga8.src.rpm | CVE: | CVE-2020-13956 |
| Status comment: | |||
Description
David Walser
2020-10-11 18:25:12 CEST

David Walser
2020-10-11 18:25:20 CEST
Whiteboard:
(none) =>
MGA7TOO

Debian-LTS has issued an advisory for this on October 10:
https://www.debian.org/lts/security/2020/dla-2405

Debian has issued an advisory for this on October 14:
https://www.debian.org/security/2020/dsa-4772

Fix pushed in Mageia Cauldron.
Whiteboard:
MGA7TOO =>
(none)

Fix pushed in mga7:
src:
httpcomponents-client-4.5.5-1.1.mga7
Assignee:
java =>
qa-bugs

Saving advisory, but assigning back to Java team for jakarta-commons-httpclient which hasn't been fixed (Mageia 7) and dropped (Cauldron) yet.

Advisory:
========================

Updated httpcomponents-client packages fix security vulnerability:

Priyank Nigam discovered that HttpComponents Client could misinterpret malformed authority component in a request URI and pick the wrong target host for request execution (CVE-2020-13956).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13956
https://www.debian.org/security/2020/dsa-4772
========================

Updated packages in core/updates_testing:
========================

httpcomponents-client-4.5.5-1.1.mga7
httpcomponents-client-cache-4.5.5-1.1.mga7
httpcomponents-client-javadoc-4.5.5-1.1.mga7

from httpcomponents-client-4.5.5-1.1.mga7.src.rpm
Whiteboard:
(none) =>
MGA7TOO
David Walser
2020-12-27 21:01:01 CET
Status comment:
(none) =>
jakarta-commons-httpclient also needs to be addressed

I don't think jakarta-commons-httpclient is affected.

We don't plan to drop jakarta-commons-httpclient yet.

(In reply to Nicolas Lécureuil from comment #6)
> I don't think jakarta-commons-httpclient is affected.

Do you have any basis for that? They are based on the same code. See Bug 13932 and Bug 16870, for instance.

> We don't plan to drop jakarta-commons-httpclient yet.

It should have been dropped a long time ago, but I know Fedora needs to help us with that.

There is still fop using it; we need to get rid of this package in fop first. If time allows we can work on it.

I remove the deps from fop.

jakarta-commons-httpclient is not in Cauldron anymore.
Whiteboard:
MGA7TOO =>
(none)
Nicolas Lécureuil
2021-01-01 23:52:20 CET
Version:
Cauldron =>
7

(In reply to Nicolas Lécureuil from comment #10)
> jakarta-commons-httpclient is not in Cauldron anymore

Thanks. Please see my note in the other bug:
https://bugs.mageia.org/show_bug.cgi?id=18700#c7

Doesn't look like jakarta-commons-httpclient contains the affected code.

Advisory in Comment 5.
Status comment:
jakarta-commons-httpclient also needs to be addressed =>
(none)

MGA7-64 Plasma on Lenovo B50
No installation issues. Ref bug 16870 for decision to OK on clean install.
Whiteboard:
(none) =>
MGA7-64-OK

Validating.
CC:
(none) =>
andrewsfarm, sysadmin-bugs
Aurelien Oudelet
2021-07-05 20:40:22 CEST
CVE:
(none) =>
CVE-2020-13956

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2021-0314.html
Resolution:
(none) =>
FIXED