Upstream has issued an advisory today (October 24):
The issues are fixed upstream in 2.7.8 and 2.6.11.
For CVE-2014-3584, Mageia 3 and Mageia 4 are also affected.
For CVE-2014-3623, Mageia 4 is also affected.
Steps to Reproduce:
CVE-2014-3623 is actually in wss4j, which would be bundled in binary distributions of cxf, but for our purposes is its own package. I'll split this bug. The wss4j package does exist in Mageia 3 and is likely also affected.
wss4j CVE-2014-3623 is now Bug 14484.
cxf new security issues CVE-2014-3584 and CVE-2014-3623 => cxf new security issue CVE-2014-3584
Dropped from cauldron.
MGA4TOO, MGA3TOO =>
Dropping Mageia 3 from the whiteboard due to EOL.
For now, this package still isn't in Cauldron (thankfully).
Version 2.7.14 upstream has been announced, fixing another security issue (CVE-2014-3577) and disabling SSLv3 by default, mitigating POODLE:
cxf new security issue CVE-2014-3584 => cxf new security issues CVE-2014-3584 and CVE-2014-3577
Fedora also has yet to address these issues.
It doesn't appear that any packages require or buildrequire any of the cxf SRPM subpackages, so it should *not* be reintroduced into Cauldron.
Patches for these CVEs appear upstream.
Both patches apply to the version we have in Mageia 4 (2.7.5).
Patched package uploaded for Mageia 4.
Verifying that the updated packages install cleanly is sufficient for testing this update.
Updated cxf packages fix security vulnerabilities:
An Apache CXF JAX-RS service can process SAML tokens received in the authorization header of a request via the SamlHeaderInHandler. However it is possible to cause an infinite loop in the parsing of this header by passing certain bad values for the header, leading to a Denial of Service attack on the service (CVE-2014-3584).

Apache CXF is vulnerable to a possible SSL hostname verification bypass, due to a flaw in comparing the server hostname to the domain name in the Subject's DN field. A Man In The Middle attack can exploit this vulnerability by using a specially crafted Subject DN to spoof a valid certificate (CVE-2014-3577).
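The second advisory item turns on how a server hostname is compared against the certificate's Subject DN. The following is an added illustrative example, not code from CXF or from this bug's packages: it places a naive "hostname appears somewhere in the DN string" check beside a stricter matcher that prefers subjectAltName dNSName entries and otherwise parses the DN into RDNs and compares the CN value exactly (leftmost-label wildcard only). All DN strings and SAN lists are constructed for the demonstration.

```python
"""Illustrative certificate hostname matching (added example, not CXF code).

naive_dn_matches()      - the flawed pattern: substring search over the DN text
hostname_matches_cert() - stricter: SAN dNSNames first, else exact CN match
"""


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split an RFC 4514 DN string into (ATTRIBUTE, value) pairs.

    Handles backslash-escaped characters (e.g. "\\," inside a value) and
    takes only the first '=' of each RDN as the attribute/value separator.
    """
    rdns, buf, i = [], [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):      # escaped char: keep it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if c == ",":                            # unescaped comma ends the RDN
            rdns.append("".join(buf))
            buf = []
            i += 1
            continue
        buf.append(c)
        i += 1
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.strip().partition("=")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def naive_dn_matches(hostname: str, subject_dn: str) -> bool:
    """Flawed check: the DN is treated as free text, so a hostname placed in
    any attribute (O, OU, ...) of a certificate issued for a different CN
    still 'matches'."""
    return hostname.lower() in subject_dn.lower()


def _name_matches(pattern: str, hostname: str) -> bool:
    """Exact, case-insensitive comparison of one certificate name against the
    hostname; a '*' is honoured only as the entire leftmost label and only
    when at least two labels follow it."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        suffix = pattern[2:]
        same_depth = hostname.count(".") == suffix.count(".") + 1
        return "." in suffix and same_depth and hostname.endswith("." + suffix)
    return False


def hostname_matches_cert(hostname: str, subject_dn: str,
                          san_dns_names: tuple[str, ...] = ()) -> bool:
    """Stricter check: if the certificate carries SAN dNSName entries they are
    authoritative and the CN is ignored; otherwise only the parsed CN
    attribute(s) of the Subject DN are compared, never other attributes."""
    if san_dns_names:
        return any(_name_matches(n, hostname) for n in san_dns_names)
    cns = [v for attr, v in parse_dn(subject_dn) if attr == "CN"]
    return any(_name_matches(cn, hostname) for cn in cns)


if __name__ == "__main__":
    # Constructed DNs: the first is what a correct certificate would carry,
    # the second embeds the target name in a non-CN attribute.
    legit = "CN=www.bank.example, O=Bank, C=US"
    crafted = "CN=attacker.example, OU=www.bank.example, O=Mallory"
    host = "www.bank.example"
    print("naive  legit  :", naive_dn_matches(host, legit))        # True
    print("naive  crafted:", naive_dn_matches(host, crafted))      # True  (spoofed)
    print("strict legit  :", hostname_matches_cert(host, legit))   # True
    print("strict crafted:", hostname_matches_cert(host, crafted)) # False
```

The design point is that the Subject DN is a structured value, not a string to search: only the CN RDN (and only when no SAN is present) may be compared, and the comparison is a whole-name match, so placing the expected hostname in another attribute of the DN gains nothing.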
Updated package in core/updates_testing:
Testing in Mageia 4x64 virtualbox
Updated from current packages:
To testing packages:
Installation without any problem.
MGA4-64 on HP Probook 6555b
New versions install without problems.
MGA4-32 on Acer D620 Xfce.
New versions install without problems.
Validating. Advisory uploaded.
Please push to updates
MGA4-32-OK MGA4-64-OK => advisory has_procedure MGA4-32-OK MGA4-64-OK
An update for this issue has been pushed to Mageia Updates repository.