Bug 27794

Summary: resteasy new security issue CVE-2020-1695
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, geiger.david68210, mageia, ouaurelien, sysadmin-bugs
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: resteasy-3.0.19-2.mga7.src.rpm CVE: CVE-2020-1695
Status comment:
Bug Depends on:    
Bug Blocks: 27750    

Description David Walser 2020-12-09 23:55:42 CET 
Fedora has issued an advisory today (December 9):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IJDMT443YZWCBS5NS76XZ7TL3GK7BXHL/

The issue is fixed upstream in 3.12.0, but they patched 3.0.26.

Mageia 7 is also affected.
David Walser 2020-12-09 23:55:52 CET

Whiteboard: (none) => MGA7TOO
Blocks: (none) => 27750

Comment 1 Lewis Smith 2020-12-10 19:51:53 CET 
Assigning to DavidG as having done the last significant update to this.
CC'ing NicolasL as listed historically for the SRPM, in case!

Assignee: bugsquad => geiger.david68210
CC: (none) => mageia

Comment 2 Nicolas Lécureuil 2020-12-25 23:28:02 CET 
fixed for cauldron

Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)

Comment 3 David Walser 2020-12-26 16:43:01 CET 
Advisory:
========================

Updated resteasy packages fix security vulnerability:
 	
A flaw was found in Resteasy, where an improper input validation results in
returning an illegal header that integrates into the server's response. This
flaw may result in an injection, which leads to unexpected behavior when the
HTTP response is constructed (CVE-2020-1695).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1695
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IJDMT443YZWCBS5NS76XZ7TL3GK7BXHL/
========================

Updated packages in core/updates_testing:
========================
resteasy-3.0.26-2.mga7
resteasy-javadoc-3.0.26-2.mga7
resteasy-core-3.0.26-2.mga7
resteasy-atom-provider-3.0.26-2.mga7
resteasy-jackson2-provider-3.0.26-2.mga7
resteasy-jaxb-provider-3.0.26-2.mga7
resteasy-client-3.0.26-2.mga7

from resteasy-3.0.26-2.mga7.src.rpm

CC: (none) => geiger.david68210
Assignee: geiger.david68210 => qa-bugs

Comment 4 Thomas Andrews 2021-01-13 20:11:19 CET 
After reading about previous resteasy updates in bug 13870 and bug 19718, I saw that a clean install was deemed sufficient as a test, so...

I installed resteasy from the repos. This drew in 119 dependencies, including all of the above packages except for resteasy-javadoc, so I followed up by installing that, too.

I then used QA Repo to download the 7 packages from Comment 3, and updated them using MCC. There were no installation issues, so I am giving this an OK, and validating. Advisory in Comment 3.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: (none) => MGA7-64-OK

Comment 5 Aurelien Oudelet 2021-01-17 15:10:12 CET 
Advisory pushed to SVN.

CVE: (none) => CVE-2020-1695
Source RPM: resteasy-3.0.26-1.mga8.src.rpm => resteasy-3.0.19-2.mga7.src.rpm
CC: (none) => ouaurelien
Keywords: (none) => advisory

Comment 6 Mageia Robot 2021-01-17 17:08:35 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0039.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED