14484 – wss4j new security issue CVE-2014-3623

Bug 14484 - wss4j new security issue CVE-2014-3623

Summary: wss4j new security issue CVE-2014-3623

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	4
Hardware:	i586 Linux

Priority:	Normal Severity: major
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:	http://lwn.net/Vulnerabilities/619477/
Whiteboard:	advisory MGA4-32-OK MGA4-64-OK
Keywords:	validated_update

Depends on:
Blocks:

Reported:	2014-11-07 20:53 CET by David Walser
Modified:	2014-12-26 18:05 CET (History)
CC List:	3 users (show)

See Also:
Source RPM:	wss4j-1.6.10-3.mga4.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2014-11-07 20:53:30 CET

+++ This bug was initially created as a clone of Bug #14363 +++

Upstream has issued an advisory today (October 24):
http://openwall.com/lists/oss-security/2014/10/24/8

The issues are fixed upstream in cxf 2.7.8 and 2.6.11.

The CVE-2014-3623 issue is actually in the wss4j package.

Mageia 3 and Mageia 4 are likely both affected as well.

David Walser 2014-11-07 20:54:02 CET

Depends on: 14363 => (none)
Whiteboard: (none) => MGA4TOO, MGA3TOO
Source RPM: cxf-2.7.5-3.mga4.src.rpm => wss4j-1.6.10-3.mga4.src.rpm
Assignee: bugsquad => dmorganec

Comment 1 David Walser 2014-11-07 20:55:36 CET

Duplicate LWN tracker for this:
http://lwn.net/Vulnerabilities/619478/

URL: (none) => http://lwn.net/Vulnerabilities/619477/

Comment 2 Sander Lepik 2014-11-22 16:02:44 CET

Dropped from cauldron.

Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
Version: Cauldron => 4
CC: (none) => mageia

Comment 3 David Walser 2014-12-24 22:58:57 CET

This package is still gone from Cauldron for now (thankfully).

It has been updated in Mageia 4 SVN to 1.6.17 to fix this and synced with fedora 20.

Dropping Mageia 3 from the whiteboard due to EOL.

Whiteboard: MGA3TOO => (none)

Comment 4 David Walser 2014-12-24 23:43:38 CET

Fedora has issued an advisory for this on October 28:
https://lists.fedoraproject.org/pipermail/package-announce/2014-November/142746.html

Updated package uploaded for Mageia 4.

Verifying that the updated packages install cleanly is sufficient for testing this update.

Advisory:
========================

Updated wss4j packages fixes security vulnerability:

Apache WSS4J before 1.6.17, when using TransportBinding, does not properly
enforce the SAML SubjectConfirmation method security semantics, which allows
remote attackers to conduct spoofing attacks via unspecified vectors
(CVE-2014-3623).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3623
https://lists.fedoraproject.org/pipermail/package-announce/2014-November/142746.html
========================

Updated package in core/updates_testing:
========================
wss4j-1.6.17-1.mga4
wss4j-javadoc-1.6.17-1.mga4

from wss4j-1.6.17-1.mga4.src.rpm

Severity: normal => major
Assignee: dmorganec => qa-bugs

Comment 5 Herman Viaene 2014-12-26 11:40:34 CET

MGA4-64 on HP Probook 6555b KDE
MGA4-32 on Acer D620 Xfce.
No issues on both.

Whiteboard: (none) => MGA4-32-OK MGA4-64-OK
CC: (none) => herman.viaene

Comment 6 claire robinson 2014-12-26 11:47:42 CET

Validating. Advisory uploaded.

Please push to 4 updates

Thanks

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA4-32-OK MGA4-64-OK => advisory MGA4-32-OK MGA4-64-OK

Comment 7 Mageia Robot 2014-12-26 18:05:54 CET

An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0552.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Note You need to log in before you can comment on or make changes to this bug.