Fedora has issued advisories on August 2:
https://lists.fedoraproject.org/pipermail/package-announce/2013-August/113793.html
https://lists.fedoraproject.org/pipermail/package-announce/2013-August/113792.html
https://lists.fedoraproject.org/pipermail/package-announce/2013-August/113791.html

The security issue in cxf apparently also affects jacorb and wss4j. Mageia 3 is also affected and contains all of these packages. Mageia 2 only contains the jacorb package and may also be affected.

The RedHat bug indicates the version of cxf where this is fixed, as well as contains a link to the upstream patch:
https://bugzilla.redhat.com/show_bug.cgi?id=929197
Whiteboard: (none) => MGA3TOO, MGA2TOO
done for mageia 3
Are you sure mga2 is affected? As we don't have cxf.
As you can see, Fedora issued updates for jacorb and wss4j because of this as well, presumably because they have an embedded copy of cxf. Mageia 2 contains the jacorb package. I see you did update jacorb for Mageia 3, so please update it for Mageia 2 also if it is also affected. Also, I see Cauldron still hasn't been updated for these fixes.

Packages built so far:
cxf-2.6.9-1.mga3
cxf-javadoc-2.6.9-1.mga3
cxf-api-2.6.9-1.mga3
cxf-maven-plugins-2.6.9-1.mga3
cxf-rt-2.6.9-1.mga3
cxf-services-2.6.9-1.mga3
cxf-tools-2.6.9-1.mga3
jacorb-2.3.1-4.mga3
jacorb-javadoc-2.3.1-4.mga3
wss4j-1.6.10-1.mga3
wss4j-javadoc-1.6.10-1.mga3

from SRPMS:
cxf-2.6.9-1.mga3.src.rpm
jacorb-2.3.1-4.mga3.src.rpm
wss4j-1.6.10-1.mga3.src.rpm
Blocks: (none) => 11726
Removing Mageia 2 from the whiteboard due to EOL.
Whiteboard: MGA3TOO, MGA2TOO => MGA3TOO
jacorb in Cauldron still needs the same update that Mageia 3 has in SVN. cxf and wss4j in Cauldron have now been fixed in:
cxf-2.7.5-2.mga4
wss4j-1.6.10-3.mga4
Fixed now in cauldron for jacorb
Thanks D Morgan. jacorb fixed in jacorb-2.3.1-5.mga4.
Version: Cauldron => 3
Blocks: 11726 => (none)
Whiteboard: MGA3TOO => (none)
Note to QA, verifying that these install should be sufficient.

Advisory:
========================

Updated cxf, wss4j, and jacorb packages fix security vulnerability:

Multiple denial of service flaws were found in the way StAX parser implementation of Apache CXF, an open-source web services framework, performed processing of certain XML files. If a web service application utilized the services of the StAX parser, a remote attacker could provide a specially-crafted XML file that, when processed by the application would lead to excessive system resources (CPU cycles, memory) consumption by that application (CVE-2013-2160).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2160
http://cxf.apache.org/security-advisories.data/CVE-2013-2160.txt.asc?version=1&modificationDate=1372324301037
https://lists.fedoraproject.org/pipermail/package-announce/2013-August/113793.html
https://lists.fedoraproject.org/pipermail/package-announce/2013-August/113792.html
https://lists.fedoraproject.org/pipermail/package-announce/2013-August/113791.html
========================

Updated packages in core/updates_testing:
========================
cxf-2.6.9-1.mga3
cxf-javadoc-2.6.9-1.mga3
cxf-api-2.6.9-1.mga3
cxf-maven-plugins-2.6.9-1.mga3
cxf-rt-2.6.9-1.mga3
cxf-services-2.6.9-1.mga3
cxf-tools-2.6.9-1.mga3
jacorb-2.3.1-4.mga3
jacorb-javadoc-2.3.1-4.mga3
wss4j-1.6.10-1.mga3
wss4j-javadoc-1.6.10-1.mga3

from SRPMS:
cxf-2.6.9-1.mga3.src.rpm
jacorb-2.3.1-4.mga3.src.rpm
wss4j-1.6.10-1.mga3.src.rpm
CC: (none) => dmorganec
Assignee: dmorganec => qa-bugs
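The advisory in the comment above describes the failure mode (a crafted XML document driving a StAX parser into excessive CPU and memory use) but not what a bounded parser looks like. The following Java program is an added example written for this page; it is not code from Apache CXF, Mageia, or the advisory, and it does not reproduce the specific CVE-2013-2160 fix. It uses only the standard javax.xml.stream API: DTD and external-entity support are switched off on the factory, and the streaming loop enforces explicit limits on nesting depth, element count, attributes per element, and total character data. The class name, limit values, and sample documents are constructed for illustration.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class BoundedStaxParser {
    // Constructed limits for the example; a real service derives these from its schemas.
    static final int MAX_DEPTH = 32;
    static final int MAX_ELEMENTS = 10_000;
    static final int MAX_ATTRIBUTES_PER_ELEMENT = 64;
    static final long MAX_TEXT_CHARS = 1_000_000L;

    /** A factory with DTD processing and external entity resolution disabled. */
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        // No DTD: entity declarations (and therefore entity-expansion blowups) are not processed.
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        // No external entities: the parser never fetches files or URLs named by the document.
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        // Non-coalescing mode delivers text in chunks, so a huge text node is
        // counted against the limit as it streams instead of being buffered whole.
        f.setProperty(XMLInputFactory.IS_COALESCING, Boolean.FALSE);
        return f;
    }

    /**
     * Streams through the document and stops as soon as any bound is exceeded.
     * Returns the number of elements seen; throws XMLStreamException on a violation
     * or on malformed input.
     */
    static int parseBounded(String xml) throws XMLStreamException {
        XMLStreamReader r = hardenedFactory().createXMLStreamReader(new StringReader(xml));
        int depth = 0;
        int elements = 0;
        long textChars = 0;
        try {
            while (r.hasNext()) {
                int event = r.next();
                switch (event) {
                    case XMLStreamConstants.START_ELEMENT:
                        if (++depth > MAX_DEPTH) {
                            throw new XMLStreamException("nesting depth exceeds " + MAX_DEPTH);
                        }
                        if (++elements > MAX_ELEMENTS) {
                            throw new XMLStreamException("element count exceeds " + MAX_ELEMENTS);
                        }
                        if (r.getAttributeCount() > MAX_ATTRIBUTES_PER_ELEMENT) {
                            throw new XMLStreamException("attribute count exceeds " + MAX_ATTRIBUTES_PER_ELEMENT);
                        }
                        break;
                    case XMLStreamConstants.END_ELEMENT:
                        depth--;
                        break;
                    case XMLStreamConstants.CHARACTERS:
                    case XMLStreamConstants.CDATA:
                        textChars += r.getTextLength();
                        if (textChars > MAX_TEXT_CHARS) {
                            throw new XMLStreamException("character data exceeds " + MAX_TEXT_CHARS);
                        }
                        break;
                    default:
                        break;
                }
            }
        } finally {
            r.close();
        }
        return elements;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a small, well-formed request that stays within every bound.
        String ok = "<order><item id=\"1\">widget</item></order>";
        System.out.println("accepted: " + parseBounded(ok) + " elements");

        // Constructed sample: nesting deeper than MAX_DEPTH is rejected before the
        // parser has consumed the whole document.
        StringBuilder deep = new StringBuilder();
        for (int i = 0; i < MAX_DEPTH + 8; i++) deep.append("<a>");
        for (int i = 0; i < MAX_DEPTH + 8; i++) deep.append("</a>");
        try {
            parseBounded(deep.toString());
        } catch (XMLStreamException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // Constructed sample: with SUPPORT_DTD off the internal subset is not processed,
        // so the entity reference is undeclared and the parser reports an error.
        String withDtd = "<!DOCTYPE x [<!ENTITY e \"text\">]><x>&e;</x>";
        try {
            parseBounded(withDtd);
        } catch (XMLStreamException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The depth, element and text counters cost one integer comparison per event, which is why the check belongs in the streaming loop rather than after the document has been fully read; the whole point is to fail before the resource is consumed. The exact wording of the error for the DTD sample depends on the StAX implementation on the classpath.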
As per comment 8, just testing that the packages install cleanly. Testing complete on Mageia 3 i586 and x86_64, and advisory uploaded to svn. Someone from the sysadmin team please push 10986.adv to updates.
Keywords: (none) => validated_update
Whiteboard: (none) => advisory MGA3-64-OK MGA3-32-OK
CC: (none) => davidwhodgins, sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2014-0001.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED