Bug 28924

Summary: maven new security issue CVE-2021-26291
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, davidwhodgins, geiger.david68210, herman.viaene, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: maven-3.8.5-2.mga9.src.rpm CVE:
Status comment: Fixed upstream in 3.8.1

Description David Walser 2021-05-15 00:10:04 CEST 
Apache has issued an advisory on April 23:
https://www.openwall.com/lists/oss-security/2021/04/23/5

The issue will be fixed upstream in 3.8.1.
Comment 1 David Walser 2023-01-17 19:09:50 CET 
Ubuntu has issued an advisory for this on Janaury 16:
https://ubuntu.com/security/notices/USN-5805-1

Severity: normal => major
Whiteboard: (none) => MGA8TOO

Comment 2 David Walser 2023-05-09 17:39:01 CEST 
SUSE has issued an advisory on May 8:
https://lists.suse.com/pipermail/sle-security-updates/2023-May/014769.html

It sounds like maven bundled logback, which had the issue, and maven 3.8.6 updates it with the fix.

CVE-2021-26291 has been fixed in Cauldron with the update to 3.8.5, but Mageia 8 is still affected.

Summary: maven new security issue CVE-2021-26291 => maven new security issues CVE-2021-26291 and CVE-2021-42550
Source RPM: maven-3.6.3-9.mga9.src.rpm => maven-3.8.5-2.mga9.src.rpm
Status comment: (none) => Fixed upstream in 3.8.6

Comment 3 David GEIGER 2023-07-02 08:56:04 CEST 
logback is actually optional dependency in maven source code and not a bundled one. And we don't build maven with logback as we don't have it.

https://github.com/apache/maven/commit/6189b4810f726e29798fd76c27724e632c465318

So for me it is fixed for cauldron!

CC: (none) => geiger.david68210

Comment 4 David Walser 2023-07-02 14:40:07 CEST 
Ok, so CVE-2021-42550 is INVALID for us, CVE-2021-26291 remains for Mageia 8.

Summary: maven new security issues CVE-2021-26291 and CVE-2021-42550 => maven new security issue CVE-2021-26291
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
Status comment: Fixed upstream in 3.8.6 => Fixed upstream in 3.8.1

Comment 5 David GEIGER 2023-07-02 18:20:35 CEST 
Assigning to QA,

Packages in 8/Core/Updates_testing:
======================
maven-javadoc-3.6.3-8.1.mga8.noarch.rpm
maven-lib-3.6.3-8.1.mga8.noarch.rpm
maven-3.6.3-8.1.mga8.noarch.rpm

From SRPMS:
maven-3.6.3-8.1.mga8.src.rpm

Assignee: java => qa-bugs

Comment 6 Herman Viaene 2023-07-09 12:16:53 CEST 
MGA8-64 MATE on Acer Aspire 5253
No installation  issues.
No wiki, no previous update, tried to follow https://maven.apache.org/guides/getting-started/maven-in-five-minutes.html, so
$ mvn archetype:generate -DgroupId=com.mycompany.app -DartifactId=testmaven -DarchetypeArtifactId=maven-archetype-quickstart -DarchetypeVersion=1.4 -DinteractiveMode=false
results in a long list of downloads and at the end:
----------------------------------------------------------------------------
[INFO] Using following parameters for creating project from Archetype: maven-archetype-quickstart:1.4
[INFO] ----------------------------------------------------------------------------
[INFO] Parameter: groupId, Value: com.mycompany.app
[INFO] Parameter: artifactId, Value: testmaven
[INFO] Parameter: version, Value: 1.0-SNAPSHOT
[INFO] Parameter: package, Value: com.mycompany.app
[INFO] Parameter: packageInPathFormat, Value: com/mycompany/app
[INFO] Parameter: package, Value: com.mycompany.app
[INFO] Parameter: groupId, Value: com.mycompany.app
[INFO] Parameter: artifactId, Value: testmaven
[INFO] Parameter: version, Value: 1.0-SNAPSHOT
[INFO] Project created from Archetype in dir: /home/tester8/Documents/testmaven
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  58.029 s
[INFO] Finished at: 2023-07-09T12:06:57+02:00
[INFO] ------------------------------------------------------------------------
continuing ......

CC: (none) => herman.viaene

Comment 7 Herman Viaene 2023-07-09 13:59:34 CEST 
$ cd testmaven/
$ mvn package
loads of feedback and at the end
[INFO] Building jar: /home/tester8/Documents/testmaven/target/testmaven-1.0-SNAPSHOT.jar
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  50.664 s
[INFO] Finished at: 2023-07-09T12:17:13+02:00
[INFO] ------------------------------------------------------------------------$ $ java -cp target/testmaven-1.0-SNAPSHOT.jar com.mycompany.app.App
Hello World!
And I forgot the easy stuff
$ mvn --version
Apache Maven 3.6.3 (Mageia 3.6.3-8.1)
Maven home: /usr/share/maven
Java version: 11.0.18, vendor: Mageia, runtime: /usr/lib/jvm/java-11-openjdk-11.0.18.0.10-1.mga8.x86_64
Default locale: en_BE, platform encoding: UTF-8
OS name: "linux", version: "5.15.117-server-2.mga8", arch: "amd64", family: "unix"
All this is inline with the tutorial, so OK for me.

Whiteboard: (none) => MGA8-64-OK

Comment 8 Thomas Andrews 2023-07-10 14:08:45 CEST 
Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2023-07-13 19:26:34 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 9 Mageia Robot 2023-07-19 21:54:45 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0230.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED