RedHat has issued an advisory on March 3: https://rhn.redhat.com/errata/RHSA-2014-0245.html

It is not clear what any of the vulnerabilities listed have to do with the activemq package listed in the advisory. CVE-2013-4152 is for springframework, and we already fixed that one. CVE-2013-4330 and CVE-2013-0003 are for something called "Apache Camel" which I don't believe we have packaged and can't immediately see the relation to activemq. CVE-2013-2035 is for a Java class embedded in jansi, jline2, and jruby, all of which may require updates.
Whiteboard: (none) => MGA4TOO, MGA3TOO
It looks like the actual activemq issues are listed in this advisory from July 9, 2013: https://rhn.redhat.com/errata/RHSA-2013-1029.html It appears that they are fixed upstream in 5.8.0 and that they have not been addressed in Fedora either. If this package is unmaintained, it should be dropped (in both distros). As for jansi/jline2/jruby, it looks like the *binary* versions of those are affected as they bundle each other (jruby bundles jline2 which bundles jansi which bundles the affected hawtjni), but the source versions don't actually bundle the affected code. So, what we really have here is CVE-2013-2035 for hawtjni, which we do have packaged. It was fixed upstream in 1.8, so only Mageia 3 is affected.
Summary: jansi, jline2, jruby, activemq possible security vulnerabilities => hawtjni new security issue CVE-2013-2035 (plus activemq possible security vulnerabilities)
Source RPM: (none) => hawtjni-1.6-1.mga3.src.rpm
Blocks: (none) => 14377
Blocks: 14377 => (none)
Updated package uploaded for Mageia 3.

Advisory:
========================

Updated hawtjni package fixes security vulnerability:

The HawtJNI Library class wrote native libraries to a predictable file name in /tmp/ when the native libraries were bundled in a JAR file, and no custom library path was specified. A local attacker could overwrite these native libraries with malicious versions during the window between when HawtJNI writes them and when they are executed (CVE-2013-2035).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2035
https://rhn.redhat.com/errata/RHSA-2014-0245.html
========================

Updated packages in core/updates_testing:
========================
hawtjni-1.9-1.mga3
hawtjni-javadoc-1.9-1.mga3
maven-hawtjni-plugin-1.9-1.mga3

from hawtjni-1.9-1.mga3.src.rpm
Version: Cauldron => 3
Assignee: dmorganec => qa-bugs
Summary: hawtjni new security issue CVE-2013-2035 (plus activemq possible security vulnerabilities) => hawtjni new security issue CVE-2013-2035
Whiteboard: MGA4TOO, MGA3TOO => (none)
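The weakness the advisory describes (a guessable path in a shared /tmp, replaceable between write and load) next to the hardened pattern and a pre-load ownership check, as an added Python example for illustration; this is not HawtJNI's own code, and the library name and bytes are constructed:

```python
import os
import stat
import tempfile

# Constructed sample values for this demo; not HawtJNI's real file name or bytes.
LIB_NAME = "libhawtjni-demo.so"
LIB_BYTES = b"\x7fELF constructed stand-in for a native library"


def extract_predictable(base_dir: str) -> str:
    """Vulnerable pattern (the CVE-2013-2035 shape): a fixed, guessable path in a
    shared directory, truncating whatever is already there. Any local user who
    can guess the name can replace the file between this write and dlopen()."""
    path = os.path.join(base_dir, LIB_NAME)
    with open(path, "wb") as f:
        f.write(LIB_BYTES)
    return path


def create_exclusive(path: str) -> int:
    """Create `path` atomically: raises FileExistsError if anything is already
    there (a planted file or symlink) instead of silently reusing it."""
    return os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o600)


def extract_private(base_dir: str) -> str:
    """Hardened pattern: a fresh 0700 directory with a random name (mkdtemp),
    and the library created with O_EXCL so a planted file causes an error."""
    private_dir = tempfile.mkdtemp(prefix="hawtjni-", dir=base_dir)
    path = os.path.join(private_dir, LIB_NAME)
    with os.fdopen(create_exclusive(path), "wb") as f:
        f.write(LIB_BYTES)
    return path


def safe_to_load(path: str) -> bool:
    """Pre-load check on the library and its directory: refuse symlinks, files
    not owned by the current user, and anything group- or world-writable."""
    for p in (path, os.path.dirname(path)):
        st = os.lstat(p)
        if stat.S_ISLNK(st.st_mode) or st.st_uid != os.getuid():
            return False
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            return False
    return True
```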
Tested that the packages install cleanly, Mageia 3 i586.
Whiteboard: (none) => has_procedure MGA3-32-OK
On Mageia3-64 real HW

Before update-testing :
# rpm -q hawtjni hawtjni-javadoc maven-hawtjni-plugin
hawtjni-1.6-1.mga3
hawtjni-javadoc-1.6-1.mga3
maven-hawtjni-plugin-1.6-1.mga3

After update-testing :
# rpm -q hawtjni hawtjni-javadoc maven-hawtjni-plugin
hawtjni-1.9-1.mga3
hawtjni-javadoc-1.9-1.mga3
maven-hawtjni-plugin-1.9-1.mga3

Installation OK
CC: (none) => olchal
Whiteboard: has_procedure MGA3-32-OK => has_procedure MGA3-32-OK MGA3-64-OK
Validating, advisory uploaded.
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA3-32-OK MGA3-64-OK => has_procedure MGA3-32-OK MGA3-64-OK advisory
CC: (none) => remi, sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0461.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED