Fedora has issued an advisory on October 29:
https://lists.fedoraproject.org/pipermail/package-announce/2014-November/142709.html

The issue is fixed upstream in 1.5.6. Fedora fixed it by updating to 1.5.7. Mageia 3 and Mageia 4 are also affected.
Whiteboard: (none) => MGA4TOO, MGA3TOO
Blocks: (none) => 14674
Removing Mageia 3 from the whiteboard due to EOL. I've checked the update into Mageia 4 and Cauldron SVN. It needs to be submitted (and hopefully it can be built). For Mageia 4, this update will also need the log4j12 that D Morgan imported into Mageia 4 updates_testing.
Whiteboard: MGA4TOO, MGA3TOO => MGA4TOO
CC: (none) => pterjan
Removed from Cauldron for now as it's not needed by anything that's currently there.
Blocks: 14674 => (none)
Whiteboard: MGA4TOO => (none)
Version: Cauldron => 4
Saving the advisory for later when this update actually gets built (the log4j12 package is built).

Advisory:
========================

Updated xml-security packages fix security vulnerability:

Apache Santuario XML Security for Java before 1.5.6, when applying Transforms, allows remote attackers to cause a denial of service (memory consumption) via crafted Document Type Definitions (DTDs), related to signatures (CVE-2013-4517).

The log4j12 package has also been added to Mageia 4, as it was needed to build this update.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4517
https://lists.fedoraproject.org/pipermail/package-announce/2014-November/142709.html
========================

Updated packages in core/updates_testing:
========================
log4j12-1.2.17-1.mga4
log4j12-javadoc-1.2.17-1.mga4
xml-security-1.5.7-1.mga4
xml-security-javadoc-1.5.7-1.mga4
xml-security-demo-1.5.7-1.mga4

from SRPMS:
log4j12-1.2.17-1.mga4.src.rpm
xml-security-1.5.7-1.mga4.src.rpm
The attempted build for Mageia 4 is looping on the build system.
Assignee: dmorganec => luigiwalser
I'm gonna need help with this one. I think it has an issue installing the BRs.
Assignee: luigiwalser => dmorganec
I think I figured it out. In Mageia 4 it doesn't need to use log4j12 because log4j is at version 1.2.17, so it should just use that. Could someone please kill the xml-security build in mga4 updates_testing that's looping so that I can resubmit it? Also, remove log4j12 from Mageia 4 updates_testing. Thanks.
CC: (none) => sysadmin-bugs
Indeed, removed log4j12 and removed it from upload queue.
Thanks. Now it fails to build:
http://pkgsubmit.mageia.org/uploads/failure/4/core/updates_testing/20141226001118.luigiwalser.valstar.24571/log/xml-security-1.5.7-1.mga4/build.0.20141226001249.log

It looks like it needs bouncycastle 1.50. I don't know what to do now.
It looks like I had synced changes into Mageia 4 from Fedora 21 instead of Fedora 20. I've fixed that and now it builds. Updated package uploaded for Mageia 4.

Verifying that the updated packages install cleanly is sufficient for testing this update.

Advisory:
========================

Updated xml-security packages fix security vulnerability:

Apache Santuario XML Security for Java before 1.5.6, when applying Transforms, allows remote attackers to cause a denial of service (memory consumption) via crafted Document Type Definitions (DTDs), related to signatures (CVE-2013-4517).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4517
https://lists.fedoraproject.org/pipermail/package-announce/2014-November/142709.html
========================

Updated packages in core/updates_testing:
========================
xml-security-1.5.7-1.mga4
xml-security-javadoc-1.5.7-1.mga4
xml-security-demo-1.5.7-1.mga4

from xml-security-1.5.7-1.mga4.src.rpm
CC: sysadmin-bugs => (none)
Assignee: dmorganec => qa-bugs
On Mageia 4 x86_64, real hardware.

Updated current packages from:
xml-security-1.5.5-1.mga4
xml-security-javadoc-1.5.5-1.mga4
xml-security-demo-1.5.5-1.mga4

To testing packages:
xml-security-1.5.7-1.mga4
xml-security-javadoc-1.5.7-1.mga4
xml-security-demo-1.5.7-1.mga4

No installation issue.
Whiteboard: (none) => MGA4-64-OK
CC: (none) => olchal
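A script a tester could use to confirm that the installed xml-security packages are at or above the advisory's fixed versions, added here as an example and not part of this bug report. The rpm -q output is constructed from the before/after versions in the test report above, and rpmvercmp is a simplified reimplementation of RPM's comparison, not RPM's own code.

```python
import re
# Fixed package versions from the advisory in this bug (epoch omitted).
FIXED = {
    "xml-security": "1.5.7-1.mga4",
    "xml-security-javadoc": "1.5.7-1.mga4",
    "xml-security-demo": "1.5.7-1.mga4",
}

# Constructed sample of `rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' <names>` output,
# matching the pre-update state above (demo package absent, so rpm prints "not installed").
SAMPLE_BEFORE = """xml-security 1.5.5-1.mga4
xml-security-javadoc 1.5.5-1.mga4
package xml-security-demo is not installed
"""

_SEG = re.compile(r"\d+|[a-zA-Z]+")

def rpmvercmp(a, b):
    """Simplified rpmvercmp: numeric segments compare as integers, alphabetic ones
    lexically, numeric beats alphabetic, longer equal-prefix string is newer. -1/0/1."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def vr_cmp(a, b):
    """Compare 'version-release' strings: version first, then release."""
    va, ra = a.rsplit("-", 1)
    vb, rb = b.rsplit("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def check_installed(rpm_q_output):
    """Classify each advisory package as 'ok', 'vulnerable' or 'not installed'
    from rpm -q output in the format shown above."""
    pairs = [line.split() for line in rpm_q_output.splitlines()]
    installed = {p[0]: p[1] for p in pairs if len(p) == 2}  # skips "not installed" lines
    return {name: "not installed" if name not in installed
            else ("ok" if vr_cmp(installed[name], fixed) >= 0 else "vulnerable")
            for name, fixed in FIXED.items()}

if __name__ == "__main__":
    for name, state in check_installed(SAMPLE_BEFORE).items():
        print(f"{name}: {state}")
```

Feed it real output from the rpm -q query in the comment to check a live system instead of the sample.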
MGA4-32 on Acer D620 Xfce. Installed xml-security-1.5.7-1.mga4 over existing xml-security-1.5.5-1.mga4. Other packages were not present. No installation problems.
Whiteboard: MGA4-64-OK => MGA4-32-OK MGA4-64-OK
CC: (none) => herman.viaene
Validating. Advisory uploaded. Please push to updates. Thanks.
Whiteboard: MGA4-32-OK MGA4-64-OK => has_procedure advisory MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0558.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
For accounting purposes, this was reintroduced in Cauldron. It is version 1.5.7, so it's OK.