Fedora has issued an advisory on February 12:
https://lists.fedoraproject.org/pipermail/package-announce/2014-February/128807.html

The issue appears to be fixed upstream in 1.4.7. Fedora has a patch for 1.3.1 (which we have in Mageia 3):
http://pkgs.fedoraproject.org/cgit/xstream.git/commit/?h=f20&id=7711271576d9b9d1c4345ddf10ce843a1a2841bb

Upstream reference:
http://xstream.codehaus.org/security.html
Whiteboard: (none) => MGA4TOO, MGA3TOO
I added the patch for Mageia 3 in SVN. For Cauldron and Mageia 4, I synced the package with Fedora. It adds a new BuildRequires (kxml2-min) that requires the kxml package to be updated, which I also synced with Fedora in SVN to fix this. However, kxml does not build in Cauldron:
http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20140224223117.luigiwalser.valstar.11244/log/kxml-2.3.0-6.mga5/build.0.20140224223203.log
D Morgan noticed a typo in my kxml commit, so things are building now.
Version: Cauldron => 4
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
Updated packages uploaded for Mageia 4 and Cauldron. Patched package uploaded for Mageia 3.

Note to QA: verifying that the updated packages install correctly should be sufficient for testing this update. They're also noarch, so should only require testing on one arch.

Advisory:
========================

Updated xstream packages fix security vulnerability:

It was found that XStream would deserialize arbitrary user-supplied XML content, representing objects of any type. A remote attacker able to pass XML to XStream could use this flaw to perform a variety of attacks, including remote code execution in the context of the server running the XStream application (CVE-2013-7285).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7285
http://xstream.codehaus.org/security.html
https://lists.fedoraproject.org/pipermail/package-announce/2014-February/128807.html
========================

Updated packages in core/updates_testing:
========================
xstream-1.3.1-6.1.mga3
xstream-javadoc-1.3.1-6.1.mga3
kxml-2.3.0-5.1.mga4
kxml-javadoc-2.3.0-5.1.mga4
xstream-1.4.7-1.mga4
xstream-javadoc-1.4.7-1.mga4

from SRPMS:
xstream-1.3.1-6.1.mga3.src.rpm
kxml-2.3.0-5.1.mga4.src.rpm
xstream-1.4.7-1.mga4.src.rpm

CC: (none) => dmorganec
Assignee: dmorganec => qa-bugs
Testing complete on mga3 32 & 64. Just ensuring the packages update cleanly.
Whiteboard: MGA3TOO => MGA3TOO has_procedure mga3-32-ok mga3-64-ok
Testing complete on Mageia 4 32 and 64.

CC: (none) => ennael1
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
Update validated. Thanks.

Advisory:

Updated xstream packages fix security vulnerability:

It was found that XStream would deserialize arbitrary user-supplied XML content, representing objects of any type. A remote attacker able to pass XML to XStream could use this flaw to perform a variety of attacks, including remote code execution in the context of the server running the XStream application (CVE-2013-7285).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7285
http://xstream.codehaus.org/security.html
https://lists.fedoraproject.org/pipermail/package-announce/2014-February/128807.html

SRPM:
xstream-1.3.1-6.1.mga3.src.rpm
kxml-2.3.0-5.1.mga4.src.rpm
xstream-1.4.7-1.mga4.src.rpm

Could sysadmin please push from core/updates_testing to core/updates for both Mageia 3 and 4? Thank you!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
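The advisory text above (in both the QA note and the validation comment) describes the root cause of CVE-2013-7285: XStream instantiated whatever class the incoming XML named. The fix shipped in 1.4.7 added a type-permission framework so an application can restrict deserialization to an explicit allow list. The following Java snippet is an added example, not code from the bug report, Mageia or the XStream project, showing how an application using XStream 1.4.7 or later would configure that allow list. The `Greeting` class, the `greeting` alias and the two sample XML strings are constructed for illustration; the `addPermission`, `allowTypes` and permission classes are the XStream 1.4.7 security API.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamAllowList {

    // Hypothetical application type: the only object the application expects
    // to receive in user-supplied XML.
    public static class Greeting {
        public String text;
    }

    // Build an XStream instance that refuses every type except those listed.
    public static XStream hardened() {
        XStream xstream = new XStream();

        // Deny everything first, then re-allow only what the application needs.
        xstream.addPermission(NoTypePermission.NONE);
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { String.class, Greeting.class });

        // Map the <greeting> element to our class (constructed alias).
        xstream.alias("greeting", Greeting.class);
        return xstream;
    }

    public static void main(String[] args) {
        XStream xstream = hardened();

        // Constructed sample input naming an allowed type: deserializes normally.
        String expected = "<greeting><text>hello</text></greeting>";
        Greeting g = (Greeting) xstream.fromXML(expected);
        System.out.println("parsed greeting: " + g.text);

        // Constructed sample input naming a type that is not on the allow list.
        // A benign JDK class is used here; the point is that the allow list,
        // not the XML, decides which classes may be instantiated.
        String unexpected = "<java.util.ArrayList/>";
        try {
            xstream.fromXML(unexpected);
            System.out.println("unexpected type was accepted (allow list missing?)");
        } catch (XStreamException e) {
            // With the permissions above this surfaces as a ForbiddenClassException
            // (a subclass of XStreamException) before any object is created.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Without the three `addPermission` calls and `allowTypes`, an XStream 1.3.1 or unpatched 1.4.x instance would accept the second document and instantiate whatever class the root element names, which is exactly the behaviour the advisory describes. For Mageia 3, where only the backported 1.3.1 patch is available, the same principle applies: treat the class name carried in the XML as untrusted input and validate it against the set of types the application actually expects.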
Advisory uploaded.
Update pushed: http://advisories.mageia.org/MGASA-2014-0100.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED