| Summary: | plexus-archiver new security issue CVE-2012-2098 (was for apache-commons-compress) | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | normal | | |
| Priority: | Normal | CC: | dmorganec, rverschelde, stormi-mageia, sysadmin-bugs, tmb |
| Version: | 3 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | i586 | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/500176/ | | |
| Whiteboard: | has_procedure mga3-64-ok mga3-32-ok advisory | | |
| Source RPM: | plexus-archiver | CVE: | |
| Status comment: | | | |
Description
David Walser
2012-06-04 22:13:37 CEST

David Walser
2012-06-04 22:13:43 CEST

CC: (none) => dmorganec

Changing the version assignments for the new policy. Just so it's still clear, Cauldron, Mageia 2, and Mageia 1 are all affected.

Version: 1 => Cauldron

cauldron is Fixed

new ant is part of this update too
see: http://mail-archives.apache.org/mod_mbox/www-announce/201205.mbox/%3C87ipfnvvxr.fsf@v35516.1blu.de%3E

pushed on mga2 ( ant and apache-commons-compress )

ant is pushed on mga1

Built so far:
xz-java-1.0-0.1.mga2.noarch.rpm
xz-java-javadoc-1.0-0.1.mga2.noarch.rpm
ant-1.8.4-0.2.mga2.noarch.rpm
ant-jmf-1.8.4-0.2.mga2.noarch.rpm
ant-swing-1.8.4-0.2.mga2.noarch.rpm
ant-antlr-1.8.4-0.2.mga2.noarch.rpm
ant-apache-bsf-1.8.4-0.2.mga2.noarch.rpm
ant-apache-resolver-1.8.4-0.2.mga2.noarch.rpm
ant-commons-logging-1.8.4-0.2.mga2.noarch.rpm
ant-commons-net-1.8.4-0.2.mga2.noarch.rpm
ant-apache-bcel-1.8.4-0.2.mga2.noarch.rpm
ant-apache-log4j-1.8.4-0.2.mga2.noarch.rpm
ant-apache-oro-1.8.4-0.2.mga2.noarch.rpm
ant-apache-regexp-1.8.4-0.2.mga2.noarch.rpm
ant-apache-xalan2-1.8.4-0.2.mga2.noarch.rpm
ant-javamail-1.8.4-0.2.mga2.noarch.rpm
ant-jdepend-1.8.4-0.2.mga2.noarch.rpm
ant-jsch-1.8.4-0.2.mga2.noarch.rpm
ant-junit-1.8.4-0.2.mga2.noarch.rpm
ant-testutil-1.8.4-0.2.mga2.noarch.rpm
ant-scripts-1.8.4-0.2.mga2.noarch.rpm
ant-manual-1.8.4-0.2.mga2.noarch.rpm
ant-javadoc-1.8.4-0.2.mga2.noarch.rpm
apache-commons-compress-1.4.1-0.1.mga2.noarch.rpm
apache-commons-compress-javadoc-1.4.1-0.1.mga2.noarch.rpm

from SRPMS:
xz-java-1.0-0.1.mga2.src.rpm
ant-1.8.4-0.2.mga2.src.rpm
apache-commons-compress-1.4.1-0.1.mga2.src.rpm

Still pending: Updates for Mageia 1 (including ant, which failed to build)

Version: Cauldron => 2

Also still possibly needed: Updates for apache-commons-compress10 if it is also affected by this issue.

there is a pb in mga2, all the ant are not available.

(In reply to comment #7)
> there is a pb in mga2, all the ant are not available.

Indeed. This is the same thing that happened to the firefox-l10n package in Mageia 2 updates_testing in the initial attempt to build the update for 10.0.5. Is iurt only eating packages in Mageia 2 updates_testing?

CC: (none) => sysadmin-bugs

fixed now for ant in mga2

(In reply to comment #9)
> fixed now for ant in mga2

Thanks. Subrel was bumped, so I'll provide a new package list. Hopefully none get eaten.

xz-java-1.0-0.1.mga2.noarch.rpm
xz-java-javadoc-1.0-0.1.mga2.noarch.rpm
ant-1.8.4-0.3.mga2.noarch.rpm
ant-jmf-1.8.4-0.3.mga2.noarch.rpm
ant-swing-1.8.4-0.3.mga2.noarch.rpm
ant-antlr-1.8.4-0.3.mga2.noarch.rpm
ant-apache-bsf-1.8.4-0.3.mga2.noarch.rpm
ant-apache-resolver-1.8.4-0.3.mga2.noarch.rpm
ant-commons-logging-1.8.4-0.3.mga2.noarch.rpm
ant-commons-net-1.8.4-0.3.mga2.noarch.rpm
ant-apache-bcel-1.8.4-0.3.mga2.noarch.rpm
ant-apache-log4j-1.8.4-0.3.mga2.noarch.rpm
ant-apache-oro-1.8.4-0.3.mga2.noarch.rpm
ant-apache-regexp-1.8.4-0.3.mga2.noarch.rpm
ant-apache-xalan2-1.8.4-0.3.mga2.noarch.rpm
ant-javamail-1.8.4-0.3.mga2.noarch.rpm
ant-jdepend-1.8.4-0.3.mga2.noarch.rpm
ant-jsch-1.8.4-0.3.mga2.noarch.rpm
ant-junit-1.8.4-0.3.mga2.noarch.rpm
ant-testutil-1.8.4-0.3.mga2.noarch.rpm
ant-scripts-1.8.4-0.3.mga2.noarch.rpm
ant-manual-1.8.4-0.3.mga2.noarch.rpm
ant-javadoc-1.8.4-0.3.mga2.noarch.rpm
apache-commons-compress-1.4.1-0.1.mga2.noarch.rpm
apache-commons-compress-javadoc-1.4.1-0.1.mga2.noarch.rpm

from SRPMS:
xz-java-1.0-0.1.mga2.src.rpm
ant-1.8.4-0.3.mga2.src.rpm
apache-commons-compress-1.4.1-0.1.mga2.src.rpm

Still pending: Updates for Mageia 1

D Morgan, is apache-commons-compress10 affected by this?

Removing Mageia 1 from the whiteboard due to EOL.

Fedora has issued more advisories for this, as it also affects plexus-archiver.
http://lwn.net/Alerts/550441/

Version: 2 => Cauldron

(In reply to David Walser from comment #12)
> Fedora has issued more advisories for this, as it also affects
> plexus-archiver.

http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105060.html

David Walser
2013-08-27 16:52:32 CEST

Assignee: bugsquad => dmorganec

Shame that we never issued this update for Mageia 2 (EOL now). This still needs to be looked into for plexus-archiver for Mageia 3 and Cauldron.

Summary: apache-commons-compress new security issue CVE-2012-2098 => plexus-archiver new security issue CVE-2012-2098 (was for apache-commons-compress)

David Walser
2013-11-21 23:05:17 CET

Blocks: (none) => 11726

I believe this is fixed in plexus-archiver 2.3, so Cauldron should be fine now (has 2.4.2), but Mageia 3 needs an update.

Version: Cauldron => 3

Patched packages uploaded for Mageia 3 and Cauldron.

Advisory:
========================

Updated plexus-archiver packages fix security vulnerability:

Algorithmic complexity vulnerability in the sorting algorithms in bzip2 compressing stream (BZip2CompressorOutputStream) in Apache Commons Compress before 1.4.1 allows remote attackers to cause a denial of service (CPU consumption) via a file with many repeating inputs (CVE-2012-2098).

plexus-archiver used an embedded copy of the affected code from Apache Commons Compress, and therefore was affected by this. It has been patched to use the apache-commons-compress package, in which this issue has already been fixed, for bzip2 compression and decompression.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2098
https://lists.fedoraproject.org/pipermail/package-announce/2012-June/081697.html
https://lists.fedoraproject.org/pipermail/package-announce/2013-May/105060.html
========================

Updated packages in core/updates_testing:
========================
plexus-archiver-2.3-1.mga3
plexus-archiver-javadoc-2.3-1.mga3

from plexus-archiver-2.3-1.mga3.src.rpm

Assignee: dmorganec => qa-bugs

The epoch has been reset so it is not being seen as an update.

not selecting plexus-archiver-2.3-1.mga3.noarch since the more recent plexus-archiver-2.2-3.mga3.noarch is installed

http://svnweb.mageia.org/packages/updates/3/plexus-archiver/current/SPECS/plexus-archiver.spec?r1=418302&r2=564228

Whiteboard: (none) => feedback

Epoch was added back in cauldron in september.

Thanks. I've fixed the epoch and it's rebuilding now. The updated packages should otherwise have the same name, version, and release.
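The "not selecting plexus-archiver-2.3-1.mga3.noarch since the more recent plexus-archiver-2.2-3.mga3.noarch is installed" message in the QA feedback above is the RPM epoch-version-release (EVR) comparison at work: once the Epoch was dropped from the spec, a higher version with epoch 0 sorts below the installed package that still carries a nonzero epoch, so the security fix is never offered as an update. The script below is an added illustration, not code from the bug, from plexus-archiver, or from Mageia's packaging tools. It reimplements rpm's version comparison (rpmvercmp with tilde handling; no caret support) in Python and replays the failed and the fixed cases. The bug page does not state the epoch value plexus-archiver carried, so the script assumes Epoch 1 for the installed package; the subrel bump (1 to 1.1) recommended later in the thread is shown as well.

```python
import re

# One token per digit run, letter run or tilde; other characters are separators.
_SEGMENT = re.compile(r"(\d+|[A-Za-z]+|~)")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version (or release) strings like rpm's rpmvercmp():
    digit runs compare numerically, letter runs lexically, a digit run beats a
    letter run, '~' sorts before anything (pre-release), and when all common
    segments are equal the string with segments left over wins.
    Returns -1 if a < b, 0 if equal, 1 if a > b."""
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x == "~" and y == "~":
            continue
        if x == "~":
            return -1
        if y == "~":
            return 1
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)          # int() also drops leading zeros
            if xi != yi:
                return -1 if xi < yi else 1
        elif x.isdigit():
            return 1                         # numeric segment beats alpha
        elif y.isdigit():
            return -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) == len(sb):
        return 0
    a_is_longer = len(sa) > len(sb)
    leftover = sa[len(sb)] if a_is_longer else sb[len(sa)]
    if leftover == "~":                      # leftover tilde makes the longer one older
        return -1 if a_is_longer else 1
    return 1 if a_is_longer else -1


def parse_evr(evr: str):
    """Split 'epoch:version-release' into (int epoch, version, release).
    A missing epoch means 0, which is exactly what a spec without Epoch gets."""
    epoch, rest = evr.split(":", 1) if ":" in evr else ("0", evr)
    version, release = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return int(epoch), version, release


def evrcmp(a: str, b: str) -> int:
    """Full EVR ordering: epoch first, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return -1 if ea < eb else 1
    c = rpmvercmp(va, vb)
    return c if c else rpmvercmp(ra, rb)


def would_update(installed: str, candidate: str) -> bool:
    """True when a package manager would pick candidate over installed."""
    return evrcmp(candidate, installed) > 0


if __name__ == "__main__":
    # Constructed scenario. Epoch 1 on the installed package is an assumption;
    # the real value lives in the plexus-archiver spec and is not on the bug page.
    installed = "1:2.2-3.mga3"
    for candidate in ("2.3-1.mga3",      # Epoch dropped: rejected as "older"
                      "1:2.3-1.mga3",    # Epoch restored: accepted
                      "1:2.3-1.1.mga3"): # subrel bump on top of the fix
        verdict = "update" if would_update(installed, candidate) else "NOT an update"
        print(f"installed {installed:16} candidate {candidate:16} -> {verdict}")
```

The first candidate is the case QA hit: version 2.3 is newer than 2.2, but the epoch is compared before the version, and 0 < 1 ends the comparison. Restoring the epoch makes the same version sort ahead of the installed package, and the 1.1 release is ordered after 1 because a numeric segment beats the alphabetic "mga" segment it is compared against.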
David Walser
2014-01-06 17:44:27 CET

Whiteboard: feedback => (none)

claire robinson
2014-01-06 17:45:08 CET

Whiteboard: (none) => feedback

David Walser
2014-01-06 17:45:48 CET

Whiteboard: feedback => (none)

Sorry, that was fast :)

The packages are missing in x86_64 media (there's a SRPM but no RPM). Maybe something funny happened when submitted new packages with same version and new Epoch. I'd advise increasing subrel before submitting again.

CC: (none) => stormi

Rebuild submitted.

Updated packages in core/updates_testing:
========================
plexus-archiver-2.3-1.1.mga3
plexus-archiver-javadoc-2.3-1.1.mga3

from plexus-archiver-2.3-1.1.mga3.src.rpm

Whiteboard: feedback => (none)

As with most java stuff, just ensuring it updates cleanly. It adds a lot of new dependencies but does update ok.

Mga3 64 ok

Whiteboard: (none) => has_procedure mga3-64-ok

testing complete mga3 32

Whiteboard: has_procedure mga3-64-ok => has_procedure mga3-64-ok mga3-32-ok

Validating update.

Advisory upload, could a sysadmin push to core/updates for Mageia 3? Thanks!

Keywords: (none) => validated_update

Update pushed: http://advisories.mageia.org/MGASA-2014-0056.html

Status: NEW => RESOLVED