Bug 13104 - xalan-j2 new security issue CVE-2014-0107
Summary: xalan-j2 new security issue CVE-2014-0107
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/592272/
Whiteboard: MGA3TOO advisory mga3-32-ok mga3-64-o...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-03-27 18:23 CET by David Walser
Modified: 2014-04-03 02:51 CEST (History)

See Also:
Source RPM: xalan-j2-2.7.1-5.mga3.src.rpm
CVE:
Status comment:



Description David Walser 2014-03-27 18:23:51 CET
Debian has issued an advisory on March 26:
http://www.debian.org/security/2014/dsa-2886

David Walser 2014-03-27 18:24:02 CET

Whiteboard: (none) => MGA4TOO, MGA3TOO

Comment 1 David Walser 2014-04-01 00:09:25 CEST
Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Note to QA: just testing that these install should be sufficient.

Advisory:
========================

Updated xalan-j2 packages fix security vulnerability:

Nicolas Gregoire discovered several vulnerabilities in libxalan2-java.
Crafted XSLT programs could access system properties or load arbitrary
classes, resulting in information disclosure and, potentially, arbitrary
code execution (CVE-2014-0107).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0107
https://www.debian.org/security/2014/dsa-2886
========================

Updated packages in core/updates_testing:
========================
xalan-j2-2.7.1-5.1.mga3
xalan-j2-xsltc-2.7.1-5.1.mga3
xalan-j2-manual-2.7.1-5.1.mga3
xalan-j2-javadoc-2.7.1-5.1.mga3
xalan-j2-demo-2.7.1-5.1.mga3
xalan-j2-2.7.1-6.1.mga4
xalan-j2-xsltc-2.7.1-6.1.mga4
xalan-j2-manual-2.7.1-6.1.mga4
xalan-j2-javadoc-2.7.1-6.1.mga4
xalan-j2-demo-2.7.1-6.1.mga4

from SRPMS:
xalan-j2-2.7.1-5.1.mga3.src.rpm
xalan-j2-2.7.1-6.1.mga4.src.rpm

CC: (none) => dmorganec
Version: Cauldron => 4
Assignee: dmorganec => qa-bugs
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO

Comment 2 claire robinson 2014-04-01 17:30:43 CEST
Testing complete mga3 32 & 64

As with most Java stuff, just checking the update installs cleanly, which it does.

Whiteboard: MGA3TOO => MGA3TOO mga3-32-ok mga3-64-ok

Comment 3 claire robinson 2014-04-01 17:33:05 CEST
Testing complete mga4 32 & 64

Whiteboard: MGA3TOO mga3-32-ok mga3-64-ok => MGA3TOO mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok

Comment 4 claire robinson 2014-04-01 17:37:26 CEST
Advisory uploaded. Validating.

Could sysadmin please push to 3 & 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs

David Walser 2014-04-02 19:03:28 CEST

Severity: normal => critical

Comment 5 Damien Lallement 2014-04-03 02:51:19 CEST
http://advisories.mageia.org/MGASA-2014-0152.html

Status: NEW => RESOLVED
CC: (none) => mageia
Resolution: (none) => FIXED

