Bug 10986 - cxf new security issue CVE-2013-2160
Summary: cxf new security issue CVE-2013-2160
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/563134/
Whiteboard: advisory MGA3-64-OK MGA3-32-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2013-08-12 20:00 CEST by David Walser
Modified: 2014-01-06 02:34 CET

See Also:
Source RPM: cxf-2.6.3-5.mga3.src.rpm, jacorb-2.3.1-3.20120215git.2.mga3.src.rpm, wss4j-1.6.7-2.mga3.src.rpm
CVE:
Status comment:



Description David Walser 2013-08-12 20:00:25 CEST
Fedora has issued advisories on August 2:
https://lists.fedoraproject.org/pipermail/package-announce/2013-August/113793.html
https://lists.fedoraproject.org/pipermail/package-announce/2013-August/113792.html
https://lists.fedoraproject.org/pipermail/package-announce/2013-August/113791.html

The security issue in cxf apparently also affects jacorb and wss4j.

Mageia 3 is also affected and contains all of these packages.

Mageia 2 only contains the jacorb package and may also be affected.

The RedHat bug indicates the version of cxf where this is fixed, as well as contains a link to the upstream patch:
https://bugzilla.redhat.com/show_bug.cgi?id=929197

David Walser 2013-08-12 20:00:35 CEST

Whiteboard: (none) => MGA3TOO, MGA2TOO

Comment 1 D Morgan 2013-09-30 10:39:27 CEST
done for mageia 3
Comment 2 D Morgan 2013-09-30 10:40:16 CEST
are you sure mga2 is affected? as we don't have cxf
Comment 3 David Walser 2013-10-01 00:28:28 CEST
As you can see, Fedora issued updates for jacorb and wss4j because of this as well, presumably because they have an embedded copy of cxf.  Mageia 2 contains the jacorb package.  I see you did update jacorb for Mageia 3, so please update it for Mageia 2 also if it is also affected.  Also, I see Cauldron still hasn't been updated for these fixes.

Packages built so far:
cxf-2.6.9-1.mga3
cxf-javadoc-2.6.9-1.mga3
cxf-api-2.6.9-1.mga3
cxf-maven-plugins-2.6.9-1.mga3
cxf-rt-2.6.9-1.mga3
cxf-services-2.6.9-1.mga3
cxf-tools-2.6.9-1.mga3
jacorb-2.3.1-4.mga3
jacorb-javadoc-2.3.1-4.mga3
wss4j-1.6.10-1.mga3
wss4j-javadoc-1.6.10-1.mga3

from SRPMS:
cxf-2.6.9-1.mga3.src.rpm
jacorb-2.3.1-4.mga3.src.rpm
wss4j-1.6.10-1.mga3.src.rpm
David Walser 2013-11-21 23:05:17 CET

Blocks: (none) => 11726

Comment 4 David Walser 2013-11-22 16:10:15 CET
Removing Mageia 2 from the whiteboard due to EOL.

Whiteboard: MGA3TOO, MGA2TOO => MGA3TOO

Comment 5 David Walser 2014-01-03 03:22:11 CET
jacorb in Cauldron still needs the same update that Mageia 3 has in SVN.  cxf and wss4j in Cauldron have now been fixed in:
cxf-2.7.5-2.mga4
wss4j-1.6.10-3.mga4
Comment 6 D Morgan 2014-01-03 11:24:44 CET
Fixed now in cauldron for jacorb
Comment 7 David Walser 2014-01-03 11:49:26 CET
Thanks D Morgan.  jacorb fixed in jacorb-2.3.1-5.mga4.

Version: Cauldron => 3
Blocks: 11726 => (none)
Whiteboard: MGA3TOO => (none)

Comment 8 David Walser 2014-01-03 11:56:19 CET
Note to QA: verifying that these install should be sufficient.

Advisory:
========================

Updated cxf, wss4j, and jacorb packages fix security vulnerability:

Multiple denial of service flaws were found in the way the StAX parser
implementation of Apache CXF, an open-source web services framework,
performed processing of certain XML files. If a web service application
utilized the services of the StAX parser, a remote attacker could provide
a specially-crafted XML file that, when processed by the application, would
lead to excessive system resource (CPU cycles, memory) consumption by
that application (CVE-2013-2160).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2160
http://cxf.apache.org/security-advisories.data/CVE-2013-2160.txt.asc?version=1&modificationDate=1372324301037
https://lists.fedoraproject.org/pipermail/package-announce/2013-August/113793.html
https://lists.fedoraproject.org/pipermail/package-announce/2013-August/113792.html
https://lists.fedoraproject.org/pipermail/package-announce/2013-August/113791.html
========================

Updated packages in core/updates_testing:
========================
cxf-2.6.9-1.mga3
cxf-javadoc-2.6.9-1.mga3
cxf-api-2.6.9-1.mga3
cxf-maven-plugins-2.6.9-1.mga3
cxf-rt-2.6.9-1.mga3
cxf-services-2.6.9-1.mga3
cxf-tools-2.6.9-1.mga3
jacorb-2.3.1-4.mga3
jacorb-javadoc-2.3.1-4.mga3
wss4j-1.6.10-1.mga3
wss4j-javadoc-1.6.10-1.mga3

from SRPMS:
cxf-2.6.9-1.mga3.src.rpm
jacorb-2.3.1-4.mga3.src.rpm
wss4j-1.6.10-1.mga3.src.rpm

CC: (none) => dmorganec
Assignee: dmorganec => qa-bugs
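The advisory describes resource-exhaustion flaws in a streaming (StAX) XML parser. As an added illustration of the defensive pattern, not code from the page, CXF, or any of the listed packages, the following Python example parses XML with a pull parser and aborts as soon as element depth, element count, or per-element attribute count crosses a limit; the default limits and the sample documents are constructed for this example.

```python
"""Bounded streaming XML parse: reject documents before they exhaust CPU or memory."""
import io
import xml.etree.ElementTree as ET


class XmlLimitExceeded(Exception):
    """Raised as soon as a configured limit is crossed, before the document is fully read."""


def parse_bounded(data: bytes, max_depth: int = 100, max_elements: int = 50_000,
                  max_attrs: int = 100) -> ET.Element:
    """Parse `data` with a streaming parser, enforcing limits on the fly.

    The default limits are hypothetical values chosen for this example; size them
    to the service's real message shapes. Returns the root element on success.
    """
    depth = 0
    elements = 0
    root = None
    # Streaming events let us stop early; a DOM-style parse would only fail
    # after the whole (possibly enormous) tree had already been built in memory.
    for event, elem in ET.iterparse(io.BytesIO(data), events=("start", "end")):
        if event == "start":
            depth += 1
            elements += 1
            if depth > max_depth:
                raise XmlLimitExceeded(f"element depth {depth} exceeds {max_depth}")
            if elements > max_elements:
                raise XmlLimitExceeded(f"element count {elements} exceeds {max_elements}")
            if len(elem.attrib) > max_attrs:
                raise XmlLimitExceeded(
                    f"{len(elem.attrib)} attributes on <{elem.tag}> exceeds {max_attrs}")
            if root is None:
                root = elem
        else:
            depth -= 1
    return root


def check(data: bytes, **limits) -> str:
    """Return 'ok' or a 'rejected: ...' message suitable for a log line."""
    try:
        parse_bounded(data, **limits)
        return "ok"
    except XmlLimitExceeded as exc:
        return f"rejected: {exc}"


# Constructed sample inputs: a small benign message, a deeply nested one,
# and a very wide one with thousands of sibling elements.
BENIGN = b"<envelope><body><order id='1'><item>widget</item></order></body></envelope>"
DEEP = b"<a>" * 200 + b"</a>" * 200
WIDE = b"<r>" + b"<e/>" * 10_000 + b"</r>"
```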

Comment 9 Dave Hodgins 2014-01-05 21:23:14 CET
As per comment 8, just testing that the packages install cleanly.

Testing complete on Mageia 3 i586 and x86_64, and advisory uploaded to svn.

Someone from the sysadmin team please push 10986.adv to updates.

Keywords: (none) => validated_update
Whiteboard: (none) => advisory MGA3-64-OK MGA3-32-OK
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 10 Thomas Backlund 2014-01-06 02:34:01 CET
Update pushed:
http://advisories.mageia.org/MGASA-2014-0001.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
