Fedora has issued an advisory on September 9:
https://lists.fedoraproject.org/pipermail/package-announce/2014-September/137802.html

Mageia 3 and Mageia 4 are also affected.
Whiteboard: (none) => MGA4TOO, MGA3TOO
Dropped from cauldron.
Whiteboard: MGA4TOO, MGA3TOO => (none); Version: Cauldron => 4; CC: (none) => mageia
Probably on its way back to Cauldron, but it has been re-synced with Fedora 21 in Cauldron SVN, updating it to 3.10.1 and fixing this. Update synced with Fedora 20 checked into Mageia 4 SVN.
Updated package uploaded for Mageia 4.

Verifying that the updated packages install cleanly is sufficient for testing this update.

Advisory:
========================

Updated apache-poi packages fix security vulnerabilities:

It was found that Apache POI would resolve entities in OOXML documents. A remote attacker able to supply OOXML documents that are parsed by Apache POI could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks (CVE-2014-3529).

It was found that Apache POI would expand an unlimited number of entities in OOXML documents. A remote attacker able to supply OOXML documents that are parsed by Apache POI could use this flaw to trigger a denial of service attack via excessive CPU and memory consumption (CVE-2014-3574).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3529
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3574
https://lists.fedoraproject.org/pipermail/package-announce/2014-September/137802.html
========================

Updated package in core/updates_testing:
========================
apache-poi-3.10.1-1.mga4
apache-poi-javadoc-3.10.1-1.mga4
apache-poi-manual-3.10.1-1.mga4

from apache-poi-3.10.1-1.mga4.src.rpm
Assignee: dmorganec => qa-bugs
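Both CVEs in the advisory above come down to DTD entity declarations inside the XML parts of an OOXML container, which a legitimate Office document never needs. The following Python script is an added illustration (not code from Mageia, Fedora or Apache POI): it opens an OOXML file as the ZIP container it is, scans each XML part's prolog for DOCTYPE/ENTITY declarations, and is exercised against two constructed samples, one clean and one carrying a DTD with a placeholder external entity.

```python
"""Flag DTD declarations inside OOXML parts (added example, not Mageia/POI code)."""
import io
import re
import zipfile

# OOXML files (.docx/.xlsx/.pptx) are ZIP containers of XML parts. A benign
# document never needs a DOCTYPE, so a DTD or ENTITY declaration in any part is
# a strong signal that the file is aimed at an entity-resolving parser.
DTD_MARKERS = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)
XML_PARTS = (".xml", ".rels")


def scan_ooxml_for_dtd(data):
    """Return {part_name: [markers found]} for every XML part declaring a DTD."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(XML_PARTS):
                continue
            # Only the prolog matters; cap the read so a huge part cannot stall us.
            with zf.open(info) as fh:
                head = fh.read(64 * 1024)
            hits = [m.group(1).decode().upper() for m in DTD_MARKERS.finditer(head)]
            if hits:
                findings[info.filename] = hits
    return findings


def build_sample(document_xml):
    """Constructed minimal .docx-like container used to test the scanner."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", b'<?xml version="1.0"?><Types/>')
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()


# Constructed sample parts: a clean body, and one with a DTD prolog whose
# external entity points at a placeholder URI (the classic XXE shape).
CLEAN = b'<?xml version="1.0"?><w:document xmlns:w="urn:x"><w:body/></w:document>'
SUSPECT = (b'<?xml version="1.0"?><!DOCTYPE w:document '
           b'[<!ENTITY ext SYSTEM "file:///PLACEHOLDER">]>'
           b'<w:document xmlns:w="urn:x"><w:body>&ext;</w:body></w:document>')

if __name__ == "__main__":
    for name, doc in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(name, scan_ooxml_for_dtd(build_sample(doc)) or "no DTD markers")
```

Run it over a directory of uploaded documents before they reach a POI-based service, or use the same check as a gate in an upload handler.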
MGA4-64 on HP Probook 6555b KDE. Found out that the apache-poi-3.10.1-1.mga4 was already installed (most probably from testing bug 13870 - resteasy), so the javadoc and manual were installed now. No issues.
Whiteboard: (none) => MGA4-64-OK; CC: (none) => herman.viaene
MGA4-32 on Acer D620 Xfce. Same remark as above, no installation issues.
Whiteboard: MGA4-64-OK => MGA4-32-OK MGA4-64-OK
Validating. Advisory uploaded. Please push to updates. Thanks
Keywords: (none) => validated_update; CC: (none) => sysadmin-bugs; Whiteboard: MGA4-32-OK MGA4-64-OK => advisory MGA4-32-OK MGA4-64-OK
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0550.html
Resolution: (none) => FIXED; Status: NEW => RESOLVED