OpenSuSE has issued an advisory today (June 20): http://lists.opensuse.org/opensuse-updates/2014-06/msg00043.html

The issue is fixed upstream in 1.3.2. Since we have version 1.3.2 in Mageia 3, Mageia 4, and Cauldron, it may be easier to update it. Otherwise, OpenSuSE's patch for 0.9.5 may be adaptable. I haven't found any reference to the upstream commit.
Whiteboard: (none) => MGA4TOO, MGA3TOO
URL: (none) => http://lwn.net/Vulnerabilities/603009/
(In reply to David Walser from comment #0)
> The issue is fixed upstream in 1.3.2.

Whoops, I meant 1.3.3. The patch OpenSuSE added for 0.9.5 doesn't look forward-portable to 1.3.2. Fedora has yet to address this issue, so I guess we'll wait for them.
Ping..
CC: (none) => mageia
Fedora has finally updated to 1.3.3 to fix this: https://lists.fedoraproject.org/pipermail/package-announce/2014-December/146246.html
Blocks: (none) => 14674
Removing Mageia 3 from the whiteboard due to EOL. I've checked the update into Mageia 4 and Cauldron SVN. It needs to be submitted (and hopefully it can be built).
CC: (none) => pterjan
Whiteboard: MGA4TOO, MGA3TOO => MGA4TOO
It looks like it needs some of the removed packages (in Cauldron) to build; at least apache-poi that I noticed. That'll need to be resynced with Fedora before it's re-imported to fix the issues in Bug 14128.
apache-poi has indeed been resynced with Fedora in SVN. Sophie says it isn't in Cauldron, but I tried to submit it to Cauldron and mgarepo/youri says that it's already there.
Things are still in progress restoring things in cauldron, but it should be there. I hope to finish building eclipse-* in the next few hours (almost there), then I'll have a look.
Updated packages uploaded for Mageia 4 and Cauldron. Verifying that the updated packages install cleanly is sufficient for testing this update.

Advisory:
========================

Updated castor packages fix security vulnerability:

The default configuration for the Xerces SAX Parser in Castor before 1.3.3 allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted XML document (CVE-2014-3004).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3004
https://lists.fedoraproject.org/pipermail/package-announce/2014-December/146246.html
========================

Updated package in core/updates_testing:
========================
castor-1.3.3-1.mga4
castor-javadoc-1.3.3-1.mga4

from castor-1.3.3-1.mga4.src.rpm
Whiteboard: MGA4TOO => (none)
Version: Cauldron => 4
Assignee: dmorganec => qa-bugs
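The advisory above describes Castor's default Xerces SAX parser accepting external entities. As an added illustration (not Castor's code, and not the upstream fix, which this thread does not identify), the standalone Java program below parses a constructed XXE-style document once with a stock JDK SAX parser and once with a parser configured to refuse DOCTYPE declarations and external entities; the entity URI is a placeholder and is never actually opened.

```java
import java.io.StringReader;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class SaxXxeHardening {
    // Constructed sample document (not from the advisory): it declares an external
    // entity and expands it in content, the pattern CVE-2014-3004 describes.
    static final String DOC = "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE data [<!ENTITY ext SYSTEM \"file:///nonexistent/placeholder\">]>\n"
        + "<data>&ext;</data>";
    // Records whether the parser tried to resolve an external entity, and hands back
    // empty content instead of opening systemId so the demo never touches the filesystem.
    static final class RecordingHandler extends DefaultHandler {
        String resolved;
        @Override public InputSource resolveEntity(String publicId, String systemId) {
            resolved = systemId;
            return new InputSource(new StringReader(""));
        }
    }
    // Mirrors the vulnerable default: the factory is used with its stock settings.
    static SAXParser defaultParser() throws Exception {
        return SAXParserFactory.newInstance().newSAXParser();
    }
    // Hardened configuration: refuse any DOCTYPE, and as defence in depth disable
    // external general and parameter entities (standard Xerces/SAX feature names).
    static SAXParser hardenedParser() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        return f.newSAXParser();
    }
    // Parses DOC and reports what the given parser did with the external entity.
    static String parse(SAXParser p) throws Exception {
        RecordingHandler h = new RecordingHandler();
        try {
            p.parse(new InputSource(new StringReader(DOC)), h);
            return h.resolved == null ? "accepted without resolving entities"
                                      : "resolved external entity " + h.resolved;
        } catch (SAXParseException e) {
            return "rejected: " + e.getMessage();
        }
    }
    public static void main(String[] a) throws Exception {
        System.out.println("default : " + parse(defaultParser()));
        System.out.println("hardened: " + parse(hardenedParser()));
    }
}
```

With the stock parser the handler observes a resolution attempt for the placeholder URI; with the hardened parser the document is rejected at the DOCTYPE before any entity is considered.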
MGA4-64 on HP Probook 6555b
Version castor-1.3.3-1.mga4 installs without problems over existing version 1.3.2; castor-javadoc-1.3.3-1.mga4 also OK (did not exist before).
Whiteboard: (none) => MGA4-64-OK
CC: (none) => herman.viaene
MGA4-32 on Acer D620 Xfce
Version castor-1.3.3-1.mga4 installs without problems over existing version 1.3.2; castor-javadoc-1.3.3-1.mga4 also OK (did not exist before).
Whiteboard: MGA4-64-OK => MGA4-32-OK MGA4-64-OK
Validating. Advisory uploaded. Please push to updates. Thanks.
CC: (none) => sysadmin-bugs
Whiteboard: MGA4-32-OK MGA4-64-OK => has_procedure advisory MGA4-32-OK MGA4-64-OK
Keywords: (none) => validated_update
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0556.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
Blocks: 14674 => (none)