Bug 27555

Summary: junit new security issue CVE-2020-15250
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: andrewsfarm, herman.viaene, mhrambo3501, ouaurelien, sysadmin-bugs
Version: 7
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA7-64-OK
Source RPM: junit-4.13-2.mga8.src.rpm
CVE:
Status comment: Fixed upstream in 4.13.1
Attachments: Primary test file
To test the test file

Description David Walser 2020-11-02 18:21:47 CET
Debian-LTS has issued an advisory on November 1:
https://www.debian.org/lts/security/2020/dla-2426

The issue is fixed upstream in 4.13.1:
https://github.com/junit-team/junit4/security/advisories/GHSA-269g-pwp5-87pp

Mageia 7 is also affected.
David Walser 2020-11-02 18:22:03 CET

Status comment: (none) => Fixed upstream in 4.13.1
Whiteboard: (none) => MGA7TOO

Comment 1 Mike Rambo 2020-11-05 15:27:14 CET
Upgraded cauldron to version 4.13.1.


Patched package uploaded for Mageia 7.

Advisory:
========================

Updated junit package fixes security vulnerability:

It was discovered that junit contained a local information disclosure vulnerability. On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability (CVE-2020-15250).


References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15250
https://www.debian.org/lts/security/2020/dla-2426
========================

Updated packages in core/updates_testing:
========================
junit-4.12-7.1.mga7.noarch.rpm
junit-javadoc-4.12-7.1.mga7.noarch.rpm
junit-manual-4.12-7.1.mga7.noarch.rpm

from junit-4.12-7.1.mga7.src.rpm

Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
Assignee: java => qa-bugs
CC: (none) => mrambo

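The advisory in Comment 1 describes the root cause in general terms: anything a test writes under the shared system temporary directory is, by default, readable by every other local user. The example below is an added illustration written for this page, not JUnit's own code nor part of the Mageia package; it assumes a POSIX filesystem and a typical umask of 022, and the class and method names (TempDirPermissions, createSharedTempDir, createPrivateTempDir, isOwnerOnly, makeOwnerOnly) are ours. It creates one directory with the legacy "createTempFile, delete, mkdir" pattern, one with Files.createTempDirectory, and checks which of the two grants group or other permission bits.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

/**
 * Added example for CVE-2020-15250 style temp-directory exposure.
 * Not JUnit's code: it only reproduces the weak and the hardened
 * creation pattern so the permission difference can be observed.
 */
public class TempDirPermissions {

    // Weak pattern: File.createTempFile yields a unique name, but the
    // directory made afterwards by mkdir() receives 0777 & ~umask, which
    // with umask 022 is rwxr-xr-x: any local user can list and read it.
    static File createSharedTempDir() throws IOException {
        File marker = File.createTempFile("example", "");
        if (!marker.delete() || !marker.mkdir()) {
            throw new IOException("could not create temp dir at " + marker);
        }
        return marker;
    }

    // Hardened pattern: Files.createTempDirectory creates the directory
    // atomically with owner-only permissions (rwx------) on POSIX systems.
    static Path createPrivateTempDir() throws IOException {
        return Files.createTempDirectory("example");
    }

    // Check: true only if no GROUP_* or OTHERS_* permission bit is set.
    static boolean isOwnerOnly(Path dir) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(dir);
        for (PosixFilePermission p : perms) {
            if (p.name().startsWith("GROUP_") || p.name().startsWith("OTHERS_")) {
                return false;
            }
        }
        return true;
    }

    // Remediation for an already existing directory: drop group/other bits.
    static void makeOwnerOnly(Path dir) throws IOException {
        Files.setPosixFilePermissions(dir,
            PosixFilePermissions.fromString("rwx------"));
    }

    public static void main(String[] args) throws IOException {
        File weak = createSharedTempDir();
        Path strong = createPrivateTempDir();
        try {
            System.out.println(weak + " owner-only: " + isOwnerOnly(weak.toPath())
                + " (" + PosixFilePermissions.toString(
                    Files.getPosixFilePermissions(weak.toPath())) + ")");
            System.out.println(strong + " owner-only: " + isOwnerOnly(strong)
                + " (" + PosixFilePermissions.toString(
                    Files.getPosixFilePermissions(strong)) + ")");
            makeOwnerOnly(weak.toPath());
            System.out.println(weak + " after fix owner-only: "
                + isOwnerOnly(weak.toPath()));
        } finally {
            Files.deleteIfExists(strong);
            Files.deleteIfExists(weak.toPath());
        }
    }
}
```

Compile and run with `javac TempDirPermissions.java && java TempDirPermissions`. The same isOwnerOnly check can be applied to a folder handed out by a JUnit test to confirm that the updated package no longer leaves it group- or world-readable; with a umask of 022 the unpatched pattern prints rwxr-xr-x and the hardened one rwx------.
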
Comment 2 Herman Viaene 2020-11-07 11:31:47 CET
MGA7-64 MATE on Peaq C1011
No installation issues.
Found https://github.com/junit-team/junit4/wiki/Getting-started for testing, just limited myself to the successful test.
I will upload the test files, but for future reference: don't forget to copy the jars to the working directory.
$ javac Calculator.java

$ javac -cp .:junit.jar:core.jar CalculatorTest.java


$ java -cp .:junit.jar:core.jar org.junit.runner.JUnitCore CalculatorTest
JUnit version 4.12
.
Time: 0.021

OK (1 test)

OK'ing unless someone else has another idea.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK

Comment 3 Herman Viaene 2020-11-07 11:32:45 CET
Created attachment 11980
Primary test file
Comment 4 Herman Viaene 2020-11-07 11:33:20 CET
Created attachment 11981
To test the test file
Comment 5 Thomas Andrews 2020-11-07 22:35:28 CET
Validating. Advisory in Comment 1.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 6 Aurelien Oudelet 2020-11-08 11:44:47 CET
Advisory pushed to SVN.

CC: (none) => ouaurelien
Keywords: (none) => advisory

Comment 7 Mageia Robot 2020-11-08 15:15:58 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0403.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED