Upstream has issued an advisory today (October 24): http://openwall.com/lists/oss-security/2014/10/24/8

The issues are fixed upstream in 2.7.8 and 2.6.11.

For CVE-2014-3584, Mageia 3 and Mageia 4 are also affected. For CVE-2014-3623, Mageia 4 is also affected.
Whiteboard: (none) => MGA4TOO, MGA3TOO
CVE-2014-3623 is actually in wss4j, which would be bundled in binary distributions of cxf, but for our purposes is its own package. I'll split this bug. The wss4j package does exist in Mageia 3 and is likely also affected.
Blocks: (none) => 14484
Blocks: 14484 => (none)
wss4j CVE-2014-3623 is now Bug 14484.
Summary: cxf new security issues CVE-2014-3584 and CVE-2014-3623 => cxf new security issue CVE-2014-3584
Dropped from cauldron.
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
Version: Cauldron => 4
CC: (none) => mageia
Dropping Mageia 3 from the whiteboard due to EOL. For now, this package still isn't in Cauldron (thankfully). Version 2.7.14 upstream has been announced, fixing another security issue (CVE-2014-3577) and disabling SSLv3 by default, mitigating POODLE: http://openwall.com/lists/oss-security/2014/12/22/7
Summary: cxf new security issue CVE-2014-3584 => cxf new security issues CVE-2014-3584 and CVE-2014-3577
Whiteboard: MGA3TOO => (none)
Severity: normal => major
Fedora also has yet to address these issues.
It doesn't appear that any packages require or buildrequire any of the cxf SRPM subpackages, so it should *not* be reintroduced into Cauldron.

Patches for these CVEs appear upstream.

CVE-2014-3584:
https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=commit;h=0b3894f57388b9955f2c33b2295223f2835cd7b3

CVE-2014-3577:
https://github.com/apache/cxf/commit/e227a1a9ee536a33c550683405a766bf5e906873

Both patches apply to the version we have in Mageia 4 (2.7.5).

Patched package uploaded for Mageia 4.

Verifying that the updated packages install cleanly is sufficient for testing this update.

Advisory:
========================

Updated cxf packages fix security vulnerabilities:

An Apache CXF JAX-RS service can process SAML tokens received in the authorization header of a request via the SamlHeaderInHandler. However it is possible to cause an infinite loop in the parsing of this header by passing certain bad values for the header, leading to a Denial of Service attack on the service (CVE-2014-3584).

Apache CXF is vulnerable to a possible SSL hostname verification bypass, due to a flaw in comparing the server hostname to the domain name in the Subject's DN field. A Man In The Middle attack can exploit this vulnerability by using a specially crafted Subject DN to spoof a valid certificate (CVE-2014-3577).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3584
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3577
http://cxf.apache.org/security-advisories.data/CVE-2014-3584.txt.asc
http://cxf.apache.org/security-advisories.data/CVE-2014-3577.txt.asc
https://bugzilla.redhat.com/show_bug.cgi?id=1157330
https://bugzilla.redhat.com/show_bug.cgi?id=1129074
========================

Updated package in core/updates_testing:
========================
cxf-2.7.5-3.1.mga4
cxf-javadoc-2.7.5-3.1.mga4
cxf-api-2.7.5-3.1.mga4
cxf-maven-plugins-2.7.5-3.1.mga4
cxf-rt-2.7.5-3.1.mga4
cxf-services-2.7.5-3.1.mga4
cxf-tools-2.7.5-3.1.mga4

from cxf-2.7.5-3.1.mga4.src.rpm
Assignee: dmorganec => qa-bugs
Severity: major => critical
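The CVE-2014-3577 advisory text above describes the class of flaw (matching the server hostname against the flattened Subject DN string) but not how such a check fails. The following is an added illustration, not code from CXF or from this bug; the "naive" matcher is a hypothetical example of the pattern, not CXF's actual implementation, and the DN strings are constructed for the demonstration. It contrasts a substring search for "CN=" with a check that parses the DN into RDNs (RFC 4514 escaping honoured) and matches only genuine CN values, with RFC 6125 style single-label wildcards.

```python
"""Hostname-vs-Subject-DN checking: a fragile pattern beside a parsed one.

Added example; not CXF's code.  Hostnames and DNs below are constructed.
Note that a modern verifier should prefer subjectAltName dNSName entries
over the Subject CN entirely; this example only covers the CN comparison
the advisory talks about.
"""
import re


def naive_cn_match(subject_dn: str, hostname: str) -> bool:
    """Hypothetical fragile check: grab the text after the first 'CN='.

    Because the search runs over the flattened DN string, 'CN=' inside
    another attribute's value (or behind an escaped comma) is picked up
    as if it were the Common Name.
    """
    m = re.search(r"CN=([^,]+)", subject_dn)
    return m is not None and m.group(1).strip().lower() == hostname.lower()


def split_unescaped(s: str, seps: str) -> list:
    """Split s on any char in seps that is not preceded by a backslash."""
    parts, cur, i = [], [], 0
    while i < len(s):
        c = s[i]
        if c == "\\" and i + 1 < len(s):  # keep escape pair intact for now
            cur.append(s[i:i + 2])
            i += 2
            continue
        if c in seps:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    parts.append("".join(cur))
    return parts


def unescape(value: str) -> str:
    """Resolve RFC 4514 backslash escapes in an attribute value."""
    return re.sub(r"\\(.)", r"\1", value.strip())


def parse_dn(dn: str) -> list:
    """Parse an RFC 4514 string DN into (TYPE, value) pairs.

    RDNs are separated by unescaped ',' and multi-valued RDNs by
    unescaped '+'; each attribute is 'type=value'.
    """
    pairs = []
    for ava in split_unescaped(dn, ",+"):
        if "=" not in ava:
            raise ValueError(f"malformed attribute: {ava!r}")
        attr_type, value = ava.split("=", 1)
        pairs.append((attr_type.strip().upper(), unescape(value)))
    return pairs


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Exact match, or a wildcard covering exactly one leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "." in hostname:
        base = pattern[2:]
        # refuse '*.com'-style patterns and require the rest to match exactly
        return base.count(".") >= 1 and hostname.split(".", 1)[1] == base
    return False


def strict_cn_match(subject_dn: str, hostname: str) -> bool:
    """Match hostname only against values whose attribute type is CN."""
    cns = [v for t, v in parse_dn(subject_dn) if t == "CN"]
    return any(hostname_matches(cn, hostname) for cn in cns)


if __name__ == "__main__":
    target = "www.victim.example"
    # Constructed DNs: one honest, two crafted so that 'CN=<target>'
    # appears inside the DN string without being the real Common Name.
    for dn in (
        "CN=www.victim.example,O=Victim Inc",
        "O=CN=www.victim.example,CN=attacker.example",
        "O=Evil\\,CN=www.victim.example,CN=attacker.example",
    ):
        print(f"{dn!r}: naive={naive_cn_match(dn, target)} "
              f"strict={strict_cn_match(dn, target)}")
```

The second and third DNs are what "specially crafted Subject DN" means in practice: the attacker controls every attribute of the certificate they obtained for attacker.example, so any check that does not first parse the DN into typed attributes can be steered to the wrong value.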
Testing in Mageia 4x64 virtualbox

Updated from current packages:
-----------------------------
cxf-2.7.5-3.mga4
cxf-javadoc-2.7.5-3.mga4
cxf-api-2.7.5-3.mga4
cxf-maven-plugins-2.7.5-3.mga4
cxf-rt-2.7.5-3.mga4
cxf-services-2.7.5-3.mga4
cxf-tools-2.7.5-3.mga4

To testing packages:
-------------------
cxf-2.7.5-3.1.mga4
cxf-javadoc-2.7.5-3.1.mga4
cxf-api-2.7.5-3.1.mga4
cxf-maven-plugins-2.7.5-3.1.mga4
cxf-rt-2.7.5-3.1.mga4
cxf-services-2.7.5-3.1.mga4
cxf-tools-2.7.5-3.1.mga4

Installation without any problem.
CC: (none) => olchal
Whiteboard: (none) => MGA4-64-OK
MGA4-64 on HP Probook 6555b. New versions install without problems.
CC: (none) => herman.viaene
MGA4-32 on Acer D620 Xfce. New versions install without problems.
Whiteboard: MGA4-64-OK => MGA4-32-OK MGA4-64-OK
Validating. Advisory uploaded. Please push to updates. Thanks
Whiteboard: MGA4-32-OK MGA4-64-OK => advisory has_procedure MGA4-32-OK MGA4-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0557.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
URL: (none) => http://lwn.net/Vulnerabilities/628228/