Bug 14128 - apache-poi new security issues CVE-2014-3529 and CVE-2014-3574
Summary: apache-poi new security issues CVE-2014-3529 and CVE-2014-3574
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 4
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/612578/
Whiteboard: advisory MGA4-32-OK MGA4-64-OK
Keywords: validated_update
Depends on:
Reported: 2014-09-19 17:16 CEST by David Walser
Modified: 2014-12-26 18:05 CET (History)
3 users (show)

See Also:
Source RPM: apache-poi-3.9-2.mga4.src.rpm
Status comment:


Description David Walser 2014-09-19 17:16:31 CEST
Fedora has issued an advisory on September 9:

Mageia 3 and Mageia 4 are also affected.


Steps to Reproduce:
David Walser 2014-09-19 17:16:37 CEST

Whiteboard: (none) => MGA4TOO, MGA3TOO

Comment 1 Sander Lepik 2014-11-29 16:05:34 CET
Dropped from cauldron.

Whiteboard: MGA4TOO, MGA3TOO => (none)
Version: Cauldron => 4
CC: (none) => mageia

Comment 2 David Walser 2014-12-24 22:43:34 CET
Probably on its way back to Cauldron, but it has been re-synced with Fedora 21 in Cauldron SVN, updating it to 3.10.1 and fixing this.

Update synced with Fedora 20 checked into Mageia 4 SVN.
Comment 3 David Walser 2014-12-24 23:43:32 CET
Updated package uploaded for Mageia 4.

Verifying that the updated packages install cleanly is sufficient for testing this update.


Updated apache-poi packages fixes security vulnerability:

It was found that Apache POI would resolve entities in OOXML documents. A
remote attacker able to supply OOXML documents that are parsed by Apache POI
could use this flaw to read files accessible to the user running the
application server, and potentially perform other more advanced XXE attacks

It was found that Apache POI would expand an unlimited number of entities in
OOXML documents. A remote attacker able to supply OOXML documents that are
parsed by Apache POI could use this flaw to trigger a denial of service
attack via excessive CPU and memory consumption (CVE-2014-3574).


Updated package in core/updates_testing:

from apache-poi-3.10.1-1.mga4.src.rpm

Assignee: dmorganec => qa-bugs

Comment 4 Herman Viaene 2014-12-26 10:58:56 CET
MGA4-64 on HP Probook 6555b KDE.
Found out that the apache-poi-3.10.1-1.mga4 was already installed (most probably from testing bug 13870 - resteasy), so the javadoc and manual were installed now. No issues.

Whiteboard: (none) => MGA4-64-OK
CC: (none) => herman.viaene

Comment 5 Herman Viaene 2014-12-26 11:03:55 CET
MGA4-32 on Acer D620 Xfce.
Same remark as above, no installation issues.

Whiteboard: MGA4-64-OK => MGA4-32-OK MGA4-64-OK

Comment 6 claire robinson 2014-12-26 11:12:46 CET
Validating. Advisory uploaded.

Please push to updates


Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA4-32-OK MGA4-64-OK => advisory MGA4-32-OK MGA4-64-OK

Comment 7 Mageia Robot 2014-12-26 18:05:48 CET
An update for this issue has been pushed to Mageia Updates repository.


Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.