Bug 28681

Summary: velocity new security issue CVE-2020-13936
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, mageia, ouaurelien, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7TOO MGA7-64-OK MGA8-64-OK
Source RPM: velocity-1.7-33.mga8.src.rpm CVE: CVE-2020-13936
Status comment:

Description David Walser 2021-03-30 23:22:03 CEST 
Apache has issued an advisory on March 9:
https://www.openwall.com/lists/oss-security/2021/03/10/1

The issue is fixed upstream in 2.3.

Mageia 7 and Mageia 8 are also affected.
David Walser 2021-03-30 23:22:16 CEST

Whiteboard: (none) => MGA8TOO, MGA7TOO
Status comment: (none) => Fixed upstream in 2.3

Comment 1 Nicolas Lécureuil 2021-04-03 00:16:13 CEST 
fixed in cauldron.

Patch added in mga7/8:

   src:
    - velocity-1.7-22.1.mga7
    - velocity-1.7-33.1.mga8

Status comment: Fixed upstream in 2.3 => (none)
Version: Cauldron => 8
CC: (none) => mageia
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
Assignee: java => qa-bugs

Comment 2 David Walser 2021-04-04 17:47:29 CEST 
Advisory:
========================

Updated velocity packages fix security vulnerability:

An attacker that is able to modify Velocity templates may execute arbitrary
Java code or run arbitrary system commands with the same privileges as the
account running the Servlet container.  This applies to applications that allow
untrusted users to upload/modify velocity templates running Apache Velocity
Engine versions up to 2.2 (CVE-2020-13936).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13936
https://www.openwall.com/lists/oss-security/2021/03/10/1
========================

Updated packages in core/updates_testing:
========================
velocity-1.7-22.1.mga7
velocity-manual-1.7-22.1.mga7
velocity-javadoc-1.7-22.1.mga7
velocity-demo-1.7-22.1.mga7
velocity-1.7-33.1.mga8
velocity-demo-1.7-33.1.mga8
velocity-javadoc-1.7-33.1.mga8
velocity-manual-1.7-33.1.mga8

from SRPMS:
velocity-1.7-22.1.mga7.src.rpm
velocity-1.7-33.1.mga8.src.rpm
Comment 3 Thomas Andrews 2021-04-08 01:02:48 CEST 
Installed the four velocity rpms and two dependencies in vbox mga7 and mga8 guests, then updated them. No installation issues.

Looked for a past update, found nothing. Read some of the manual, but soon got very lost, as I know nothing of using java. Tried a couple of the elementary scripts from velocity-demo that were supposed to be pre-compiled, but they threw errors obviously caused by my lack of basic relevant skills.

So, I'm going to pass this along with a clean install for both mga7 and mga8.

Validating. Advisory in Comment 2.

Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK MGA8-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Aurelien Oudelet 2021-04-12 16:24:26 CEST

CC: (none) => ouaurelien
CVE: (none) => CVE-2020-13936
Keywords: (none) => advisory

Comment 4 Mageia Robot 2021-04-12 22:02:30 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0183.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 5 David Walser 2021-05-28 00:30:17 CEST 
Debian-LTS has issued an advisory for this on March 17:
https://www.debian.org/lts/security/2021/dla-2595