Fedora has issued an advisory on September 9:
Mageia 3 and Mageia 4 are also affected.
Dropped from cauldron.
MGA4TOO, MGA3TOO =>
Probably on its way back to Cauldron, but it has been re-synced with Fedora 21 in Cauldron SVN, updating it to 3.10.1 and fixing this.
Update synced with Fedora 20 checked into Mageia 4 SVN.
Updated package uploaded for Mageia 4.
Verifying that the updated packages install cleanly is sufficient for testing this update.
Updated apache-poi packages fix security vulnerability:
It was found that Apache POI would resolve entities in OOXML documents. A
remote attacker able to supply OOXML documents that are parsed by Apache POI
could use this flaw to read files accessible to the user running the
application server, and potentially perform other more advanced XXE attacks.
It was found that Apache POI would expand an unlimited number of entities in
OOXML documents. A remote attacker able to supply OOXML documents that are
parsed by Apache POI could use this flaw to trigger a denial of service
attack via excessive CPU and memory consumption (CVE-2014-3574).
Updated package in core/updates_testing:
MGA4-64 on HP Probook 6555b KDE.
Found out that the apache-poi-3.10.1-1.mga4 was already installed (most probably from testing bug 13870 - resteasy), so the javadoc and manual were installed now. No issues.
MGA4-32 on Acer D620 Xfce.
Same remark as above, no installation issues.
Validating. Advisory uploaded.
Please push to updates
MGA4-32-OK MGA4-64-OK =>
advisory MGA4-32-OK MGA4-64-OK
An update for this issue has been pushed to Mageia Updates repository.
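A defensive pre-check for the entity issues described in the advisory text above, as an added example that is not part of this bug thread and is not Apache POI code: it flags OOXML containers whose XML parts carry a DOCTYPE or ENTITY declaration before they are handed to a parser. The names `scan_ooxml` and `build_sample` and the size cap are assumptions made for this sketch, and the sample document is constructed in memory.

```python
import io
import re
import zipfile

# OOXML parts that carry XML: *.xml and relationship parts (*.rels).
XML_PART = re.compile(r"\.(xml|rels)$", re.IGNORECASE)
# Both flaws in the advisory need a DTD; OOXML parts are not expected to carry one.
DTD_MARKER = re.compile(rb"<!\s*(DOCTYPE|ENTITY)\b", re.IGNORECASE)
MAX_PART_BYTES = 16 * 1024 * 1024  # assumed per-part cap, tune for your workload


def scan_ooxml(data: bytes) -> list[str]:
    """Return one finding per suspicious XML part; an empty list means none."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not XML_PART.search(info.filename):
                continue  # media and other binary parts are not XML-parsed
            if info.file_size > MAX_PART_BYTES:
                findings.append(f"{info.filename}: part larger than cap")
                continue
            raw = zf.read(info)
            if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):  # UTF-16 part with BOM
                raw = raw.decode("utf-16", errors="replace").encode("utf-8")
            match = DTD_MARKER.search(raw)
            if match:
                kind = match.group(1).decode().upper()
                findings.append(f"{info.filename}: {kind} declaration")
    return findings


def build_sample(with_dtd: bool) -> bytes:
    """Constructed in-memory sample; the entity is internal and harmless."""
    body = '<?xml version="1.0"?>'
    if with_dtd:
        body += '<!DOCTYPE w [<!ENTITY e "x">]>'
    body += "<w>text</w>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types/>')
        zf.writestr("word/document.xml", body)
        zf.writestr("word/media/image1.png", b"<!DOCTYPE not-xml>")
    return buf.getvalue()
```

A check like this complements the package update rather than replacing it, since the fix itself belongs in the parser configuration.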