Debian has issued an advisory on March 26: http://www.debian.org/security/2014/dsa-2886
Whiteboard: (none) => MGA4TOO, MGA3TOO
Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Note to QA: just testing that these install should be sufficient.

Advisory:
========================

Updated xalan-j2 packages fix security vulnerability:

Nicolas Gregoire discovered several vulnerabilities in libxalan2-java. Crafted XSLT programs could access system properties or load arbitrary classes, resulting in information disclosure and, potentially, arbitrary code execution (CVE-2014-0107).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0107
https://www.debian.org/security/2014/dsa-2886
========================

Updated packages in core/updates_testing:
========================
xalan-j2-2.7.1-5.1.mga3
xalan-j2-xsltc-2.7.1-5.1.mga3
xalan-j2-manual-2.7.1-5.1.mga3
xalan-j2-javadoc-2.7.1-5.1.mga3
xalan-j2-demo-2.7.1-5.1.mga3
xalan-j2-2.7.1-6.1.mga4
xalan-j2-xsltc-2.7.1-6.1.mga4
xalan-j2-manual-2.7.1-6.1.mga4
xalan-j2-javadoc-2.7.1-6.1.mga4
xalan-j2-demo-2.7.1-6.1.mga4

from SRPMS:
xalan-j2-2.7.1-5.1.mga3.src.rpm
xalan-j2-2.7.1-6.1.mga4.src.rpm

CC: (none) => dmorganec
Version: Cauldron => 4
Assignee: dmorganec => qa-bugs
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
Testing complete mga3 32 & 64

As with most java stuff, just checking the update installs cleanly, which it does.
Whiteboard: MGA3TOO => MGA3TOO mga3-32-ok mga3-64-ok
Testing complete mga4 32 & 64
Whiteboard: MGA3TOO mga3-32-ok mga3-64-ok => MGA3TOO mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
Advisory uploaded. Validating.

Could sysadmin please push to 3 & 4 updates?

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs
Severity: normal => critical
http://advisories.mageia.org/MGASA-2014-0152.html
Status: NEW => RESOLVED
CC: (none) => mageia
Resolution: (none) => FIXED