Fedora has issued advisories on January 7:
https://lists.fedoraproject.org/pipermail/package-announce/2015-January/148092.html
https://lists.fedoraproject.org/pipermail/package-announce/2015-January/148081.html
They fixed it by updating to 2.1.0. Note that it should BR log4j on Mageia 4 and log4j12 on Cauldron. Mageia 4 is also affected.
CC: (none) => pterjan
Blocks: (none) => 14674
Whiteboard: (none) => MGA4TOO
owasp-esapi-java-2.1.0-1.mga5 uploaded for Cauldron.
CC: (none) => geiger.david68210
Version: Cauldron => 4
Blocks: 14674 => (none)
Whiteboard: MGA4TOO => (none)
The 2.1.0 update actually only addresses CVE-2013-5679. The CVE-2013-5960 issue is currently only fixed in SVN and will be fixed in the 2.1.1 release (not available yet). I see at least these commits relevant to it:
https://code.google.com/p/owasp-esapi-java/source/detail?r=1908
https://code.google.com/p/owasp-esapi-java/source/detail?r=1909
https://code.google.com/p/owasp-esapi-java/source/detail?r=1949
Blocks: (none) => 15254
I've cloned to Bug 15254 to handle the Mageia 4 update for CVE-2013-5679. This bug will now be for CVE-2013-5960, which will have to be addressed later.
Version: 4 => Cauldron
Blocks: 15254 => (none)
Depends on: (none) => 15254
Summary: owasp-esapi-java new security issues CVE-2013-5679 and CVE-2013-5960 => owasp-esapi-java new security issue CVE-2013-5960
Whiteboard: (none) => MGA4TOO
Dropped from Cauldron as it's not needed by anything there.
Version: Cauldron => 4
Whiteboard: MGA4TOO => (none)
Changes were in 4 SVN but not in the repo (I don't know why). I pushed it and it built.
CC: (none) => mageia
2.1.0 in SVN was already pushed as an update fixing CVE-2013-5679 as I said in Comment 3. CVE-2013-5960 was not fixed by that, it's only fixed in upstream's version control repository.
Sorry :) Looking now for CVE-2013-5960.
With only a couple of weeks remaining in Mageia 4's lifetime, we don't have time to fix this and test it. This package has been dropped and no longer exists in Mageia as of Mageia 5. Closing this as OLD.
Status: NEW => RESOLVED
Resolution: (none) => OLD