Bug 30044

Summary: xstream new security issues CVE-2021-43859, CVE-2022-40151, and CVE-2022-41966
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: Java Stack Maintainers <java>
Status: RESOLVED OLD QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: geiger.david68210, nicolas.salguero
Version: 8   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: xstream-1.4.18-1.mga9.src.rpm CVE:
Status comment: Fixed upstream in 1.4.20

Description David Walser 2022-02-13 18:48:13 CET 
Fedora has issued an advisory on February 12:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/VACQYG356OHUTD5WQGAQ4L2TTFTAV3SJ/

The issue is fixed upstream in 1.4.19.

Mageia 8 is also affected.
David Walser 2022-02-13 18:48:28 CET

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 1.4.19

Comment 1 David Walser 2022-02-16 15:13:44 CET 
Debian-LTS has issued an advisory for this on February 15:
https://www.debian.org/lts/security/2022/dla-2924
Comment 2 David Walser 2022-03-15 20:07:07 CET 
openSUSE has issued an advisory for this on March 14:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/BZZMZMEXJXNF2NQNIXETAFBVRAZVIVSO/
Comment 3 David Walser 2023-01-17 18:29:34 CET 
Upstream advisory for the original issue:
https://github.com/x-stream/xstream/security/advisories/GHSA-rmr5-cpv2-vgjf

Debian has issued an advisory on January 11:
https://www.debian.org/security/2023/dsa-5315

The issue is fixed upstream in 1.4.20:
https://github.com/x-stream/xstream/security/advisories/GHSA-j563-grx4-pjpv

Mageia 8 is also affected.

Status comment: Fixed upstream in 1.4.19 => Fixed upstream in 1.4.20
Summary: xstream new security issue CVE-2021-43859 => xstream new security issue CVE-2021-43859 and CVE-2022-41966

David Walser 2023-01-17 18:29:51 CET

Summary: xstream new security issue CVE-2021-43859 and CVE-2022-41966 => xstream new security issues CVE-2021-43859 and CVE-2022-41966

Comment 4 David Walser 2023-03-13 19:14:47 CET 
Ubuntu has issued an advisory for CVE-2022-41966 today (March 13):
https://ubuntu.com/security/notices/USN-5946-1
Comment 5 David GEIGER 2023-03-14 06:34:00 CET 
Done for Cauldron, freeze_move requested!

CC: (none) => geiger.david68210

Comment 6 David Walser 2023-03-18 17:31:26 CET 
xstream-1.4.20-1.mga9 moved.

Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)

Comment 7 David Walser 2023-03-30 23:10:12 CEST 
Upstream advisory from December 24 for another issue fixed in 1.4.20:
https://github.com/x-stream/xstream/security/advisories/GHSA-f8cc-g7j8-xxpm

Alternate advisory links for the newer CVEs:
https://x-stream.github.io/CVE-2022-40151.html
https://x-stream.github.io/CVE-2022-41966.html

SUSE has issued an advisory for this on March 29:
https://lists.suse.com/pipermail/sle-security-updates/2023-March/014243.html

Summary: xstream new security issues CVE-2021-43859 and CVE-2022-41966 => xstream new security issues CVE-2021-43859, CVE-2022-40151, and CVE-2022-41966

Comment 8 Nicolas Salguero 2024-01-12 09:38:42 CET 
Mageia 8 EOL

Resolution: (none) => OLD
Status: NEW => RESOLVED
CC: (none) => nicolas.salguero