Fedora has issued an advisory on July 14:
https://lists.fedoraproject.org/pipermail/package-announce/2013-July/112029.html

The issue is fixed upstream in 2.2.2. There are also patches available from Fedora.

Patch for 2.2.1 (version in Cauldron):
http://pkgs.fedoraproject.org/cgit/openjpa.git/tree/openjpa-CVE-2013-1768.patch?h=f19&id=2264b233a2441c6aed901a11499955b42ed46806

Patch for 2.2.0 (version in Mageia 3):
http://pkgs.fedoraproject.org/cgit/openjpa.git/tree/openjpa-2.2.0-CVE-2013-1768.patch?h=f18&id=0088d052b69f5b36b2af335469c3dd7fe07845f3

No patch available for 2.0.0 (version in Mageia 2).
Whiteboard: (none) => MGA3TOO, MGA2TOO
Fixed in Cauldron in openjpa-2.2.1-3.mga4.

Patched package uploaded for Mageia 3, openjpa-2.2.0-3.1.mga3, which provides:
openjpa-2.2.0-3.1.mga3
openjpa-tools-2.2.0-3.1.mga3
openjpa-javadoc-2.2.0-3.1.mga3

I found an upstream patch for 2.0.0 for Mageia 2 linked from here:
http://seclists.org/fulldisclosure/2013/Jun/98

I added it in SVN, but it fails to build with this patch:
http://pkgsubmit.mageia.org/uploads/failure/2/core/updates_testing/20130822211956.luigiwalser.valstar.387/log/openjpa-2.0.0-1.1.mga2/build.0.20130822212005.log
Version: Cauldron => 3
Whiteboard: MGA3TOO, MGA2TOO => MGA2TOO
I don't know if it's important, but the patches to 2.2.0 and 2.2.1 have a change to openjpa-slice/src/main/java/org/apache/openjpa/slice/jdbc/DistributedJDBCConfigurationImpl.java that isn't in the patch for 2.0.0 (the rest of the patches are the same): @@ -260,7 +260,7 @@ public QueryTargetPolicy getQueryTargetPolicyInstance() { if (queryTargetPolicyPlugin.get() == null) { - queryTargetPolicyPlugin.instantiate(ReplicationPolicy.class, + queryTargetPolicyPlugin.instantiate(QueryTargetPolicy.class, this, true); } return (QueryTargetPolicy) queryTargetPolicyPlugin.get(); I don't think that's the cause of the build error though, that looks like maybe a missing BuildRequires.
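Review bot: the removed line hands ReplicationPolicy.class to queryTargetPolicyPlugin.instantiate() while the method's return statement casts the same plugin value to QueryTargetPolicy, so the pre-patch code asked the plugin to instantiate one policy class and then cast the result to another; the replacement line makes the instantiated type match the cast. Since this hunk is absent from the 2.0.0 patch, it is worth checking whether 2.0.0's DistributedJDBCConfigurationImpl.java has the same getQueryTargetPolicyInstance() and needs the same one-line correction before the Mageia 2 package is treated as fully patched.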
built OK, ready for QA
Assignee: dmorganec => security
Thanks D Morgan!

Advisory:
========================

Updated openjpa packages fix security vulnerability:

The BrokerFactory functionality in Apache OpenJPA before 2.2.2 creates local executable JSP files containing logging trace data produced during deserialization of certain crafted OpenJPA objects, which makes it easier for remote attackers to execute arbitrary code by creating a serialized object and leveraging improperly secured server programs (CVE-2013-1768).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1768
https://lists.fedoraproject.org/pipermail/package-announce/2013-July/112029.html
========================

Updated packages in core/updates_testing:
========================
openjpa-2.0.0-1.1.mga2
openjpa-javadoc-2.0.0-1.1.mga2
openjpa-2.2.0-3.1.mga3
openjpa-tools-2.2.0-3.1.mga3
openjpa-javadoc-2.2.0-3.1.mga3

from SRPMS:
openjpa-2.0.0-1.1.mga2.src.rpm
openjpa-2.2.0-3.1.mga3.src.rpm
CC: (none) => dmorganec
Assignee: security => qa-bugs
No PoC and requires java programming knowledge to test. Ensuring it updates without issues should be enough in this case.
Whiteboard: MGA2TOO => MGA2TOO has_procedure
Testing complete mga3 32 & 64
Whiteboard: MGA2TOO has_procedure => MGA2TOO has_procedure mga3-32-ok mga3-64-ok
Testing complete mga2 32 & 64
Whiteboard: MGA2TOO has_procedure mga3-32-ok mga3-64-ok => MGA2TOO has_procedure mga3-32-ok mga3-64-ok mga2-32-ok mga2-64-ok
Validating. Advisory 10817.adv uploaded. Could sysadmin please push from 2 & 3 core/updates_testing to updates? Thanks!
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2013-0292.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED