Bug 28440

Summary: xmlgraphics-commons new security issue CVE-2020-11988
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: herman.viaene, mageia, ouaurelien, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7TOO MGA7-64-OK MGA8-64-OK
Source RPM: xmlgraphics-commons-2.3-2.mga8.src.rpm CVE: CVE-2020-11988
Status comment:

Description David Walser 2021-02-25 21:29:45 CET 
Apache has issued an advisory on February 24:
https://www.openwall.com/lists/oss-security/2021/02/24/1

The issue is fixed upstream in 2.6.

Mageia 7 and Mageia 8 are also affected.
David Walser 2021-02-25 21:30:01 CET

Status comment: (none) => Fixed upstream in 2.6
Assignee: bugsquad => java
Whiteboard: (none) => MGA8TOO, MGA7TOO

Comment 1 Nicolas Lécureuil 2021-02-28 19:22:51 CET 
fixed  packages for mga7/8:

src:
    - xmlgraphics-commons-2.6-1.mga7
    - xmlgraphics-commons-2.6-1.mga8

CC: (none) => mageia
Assignee: java => qa-bugs

Aurelien Oudelet 2021-02-28 22:43:36 CET

Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
Version: Cauldron => 8
CC: (none) => ouaurelien
CVE: (none) => CVE-2020-11988
Status comment: Fixed upstream in 2.6 => (none)

Comment 2 David Walser 2021-03-01 17:45:46 CET 
Package list:
xmlgraphics-commons-2.6-1.mga7
xmlgraphics-commons-javadoc-2.6-1.mga7
xmlgraphics-commons-2.6-1.mga8
xmlgraphics-commons-javadoc-2.6-1.mga8
Comment 3 David Walser 2021-03-03 01:33:29 CET 
Advisory:
========================

Updated xmlgraphics-commons packages fix security vulnerability:

The Apache XML Graphics Commons library is vulnerable to SSRF via the XMPParser
that allow an attacker to cause the underlying server to make arbitrary GET
requests (CVE-2020-11988).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11988
https://www.openwall.com/lists/oss-security/2021/02/24/1
http://xmlgraphics.apache.org/security.html
Comment 4 Herman Viaene 2021-03-08 16:06:21 CET 
MGA7-64 MATE on Peaq C1011
No installation issues
Searched for some easy example, but none to my liking. This is java developer stuff.
OK on clean install??

CC: (none) => herman.viaene

Comment 5 David Walser 2021-03-08 16:07:55 CET 
Yes, install and update from the existing packages, as usual.
Herman Viaene 2021-03-08 16:23:00 CET

Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK

Comment 6 Aurelien Oudelet 2021-03-17 18:26:01 CET 
MGA8-64 Plasma
No installation issue on existing version.

Looks OK.
Validating
Advisory pushed to SVN.

CC: (none) => sysadmin-bugs
Keywords: (none) => advisory, validated_update
Whiteboard: MGA7TOO MGA7-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK

Comment 7 Mageia Robot 2021-03-18 10:57:35 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0144.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 8 David Walser 2021-05-29 20:29:39 CEST 
Fedora has issued an advisory for this on March 28:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JP4XA56DA3BFNRBBLBXM6ZAI5RUVFA33/