+++ This bug was initially created as a clone of Bug #14363 +++

Upstream has issued an advisory today (October 24): http://openwall.com/lists/oss-security/2014/10/24/8

The issues are fixed upstream in cxf 2.7.8 and 2.6.11. The CVE-2014-3623 issue is actually in the wss4j package. Mageia 3 and Mageia 4 are likely both affected as well.

Depends on: 14363 => (none)
Whiteboard: (none) => MGA4TOO, MGA3TOO
Source RPM: cxf-2.7.5-3.mga4.src.rpm => wss4j-1.6.10-3.mga4.src.rpm
Assignee: bugsquad => dmorganec
Duplicate LWN tracker for this: http://lwn.net/Vulnerabilities/619478/
URL: (none) => http://lwn.net/Vulnerabilities/619477/
Dropped from cauldron.
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
Version: Cauldron => 4
CC: (none) => mageia
This package is still gone from Cauldron for now (thankfully). It has been updated in Mageia 4 SVN to 1.6.17 to fix this and synced with fedora 20. Dropping Mageia 3 from the whiteboard due to EOL.
Whiteboard: MGA3TOO => (none)
Fedora has issued an advisory for this on October 28: https://lists.fedoraproject.org/pipermail/package-announce/2014-November/142746.html

Updated package uploaded for Mageia 4. Verifying that the updated packages install cleanly is sufficient for testing this update.

Advisory:
========================

Updated wss4j packages fix a security vulnerability:

Apache WSS4J before 1.6.17, when using TransportBinding, does not properly enforce the SAML SubjectConfirmation method security semantics, which allows remote attackers to conduct spoofing attacks via unspecified vectors (CVE-2014-3623).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3623
https://lists.fedoraproject.org/pipermail/package-announce/2014-November/142746.html
========================

Updated package in core/updates_testing:
========================
wss4j-1.6.17-1.mga4
wss4j-javadoc-1.6.17-1.mga4

from wss4j-1.6.17-1.mga4.src.rpm

Severity: normal => major
Assignee: dmorganec => qa-bugs
MGA4-64 on HP Probook 6555b KDE
MGA4-32 on Acer D620 Xfce

No issues on either.

Whiteboard: (none) => MGA4-32-OK MGA4-64-OK
CC: (none) => herman.viaene
Validating. Advisory uploaded. Please push to 4 updates. Thanks.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA4-32-OK MGA4-64-OK => advisory MGA4-32-OK MGA4-64-OK
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0552.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED