Bug 29187

Summary: jdom/jdom2 new security issue CVE-2021-33813
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: herman.viaene, mageia, ouaurelien, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: jdom-1.1.3-14.mga8.src.rpm, jdom2-2.0.6-10.mga8.src.rpm CVE: CVE-2021-33813
Status comment:

Description David Walser 2021-06-29 18:43:41 CEST 
Debian-LTS has issued an advisory today (June 29):
https://www.debian.org/lts/security/2021/dla-2696

Mageia 7 and Mageia 8 are also affected.

The jdom package may also be affected.
David Walser 2021-06-29 18:43:54 CEST

Status comment: (none) => Patch available from Debian
Whiteboard: (none) => MGA8TOO, MGA7TOO

Comment 1 David Walser 2021-07-01 18:59:51 CEST 
Removing Mageia 7 from whiteboard due to EOL:
https://blog.mageia.org/en/2021/06/08/mageia-7-will-reach-end-of-support-on-30th-of-june-the-king-is-dead-long-live-the-king/

Whiteboard: MGA8TOO, MGA7TOO => MGA8TOO

Comment 2 David Walser 2021-07-12 17:41:51 CEST 
openSUSE has issued an advisory for this today (July 12):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/3W33THYYFJ4Y4WPUQN66D2YC35Q6ZTRU/
Comment 3 Nicolas Lécureuil 2021-07-19 00:45:09 CEST 
jdom2 fixed in cauldron.

CC: (none) => mageia

Comment 4 Nicolas Lécureuil 2021-07-19 00:53:47 CEST 
pushed in mga8: 

src:
    - jdom2-2.0.6-1O.1.mga8

now i will look if we need to patch jdom
Comment 5 David Walser 2021-07-19 00:57:39 CEST 
Did you notice that you used the letter O instead of a zero in the release tag?
Comment 6 Nicolas Lécureuil 2021-07-19 01:09:43 CEST 
not at all :-) i will fix this.

Thanks for showing me this error.
Comment 7 Nicolas Lécureuil 2021-07-19 01:15:14 CEST 
pushed in mga8: 

src:
    - jdom2-2.0.6-10.1.mga8

now i will look if we need to patch jdom
Comment 8 David Walser 2021-07-19 01:18:20 CEST 
jdom2-2.0.6-10.1.mga8
jdom2-javadoc-2.0.6-10.1.mga8
Comment 9 David Walser 2021-07-21 16:38:15 CEST 
Debian-LTS has issued an advisory for jdom (jdom1) on July 20:
https://www.debian.org/lts/security/2021/dla-2712

Summary: jdom2 new security issue CVE-2021-33813 => jdom/jdom2 new security issue CVE-2021-33813
Source RPM: jdom2-2.0.6-10.mga8.src.rpm => jdom-1.1.3-14.mga8.src.rpm, jdom2-2.0.6-10.mga8.src.rpm

Comment 10 Nicolas Lécureuil 2021-07-22 14:39:26 CEST 
jdom is now fixed in mga8/9:

src:
    - jdom-1.1.3-14.1.mga8

Assignee: java => qa-bugs
Whiteboard: MGA8TOO => (none)
Status comment: Patch available from Debian => (none)
Version: Cauldron => 8

Comment 11 David Walser 2021-07-22 17:25:49 CEST 
jdom-1.1.3-14.1.mga8
jdom-demo-1.1.3-14.1.mga8
jdom-javadoc-1.1.3-14.1.mga8

from jdom-1.1.3-14.1.mga8.src.rpm
Comment 12 Aurelien Oudelet 2021-07-23 10:49:57 CEST 
Advisory:
========================

Updated jdom/jdom2 packages fix a security vulnerability:

An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request (CVE-2021-33813).

References:
 - https://bugs.mageia.org/show_bug.cgi?id=29187
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-33813
 - https://www.debian.org/lts/security/2021/dla-2696
 - https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/3W33THYYFJ4Y4WPUQN66D2YC35Q6ZTRU/
 - https://www.debian.org/lts/security/2021/dla-2712
========================

Updated packages in core/updates_testing:
========================
jdom2-2.0.6-10.1.mga8
jdom2-javadoc-2.0.6-10.1.mga8

jdom-1.1.3-14.1.mga8
jdom-demo-1.1.3-14.1.mga8
jdom-javadoc-1.1.3-14.1.mga8

from SRPMs:
jdom2-2.0.6-10.1.mga8
jdom-1.1.3-14.1.mga8.src.rpm

CC: (none) => ouaurelien

Comment 13 Herman Viaene 2021-07-27 15:11:34 CEST 
MGA8-64 Plasma on Lenovo B50
No installation issues.
As all java and developers stuff OK on clean install and no apparent ill effects on the system.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK

Comment 14 Aurelien Oudelet 2021-07-27 21:02:54 CEST 
Validating.

CC: (none) => sysadmin-bugs
CVE: (none) => CVE-2021-33813
Keywords: (none) => advisory, validated_update

Comment 15 Mageia Robot 2021-07-27 22:23:37 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0381.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED