Bug 15051 - owasp-esapi-java new security issue CVE-2013-5960
Summary: owasp-esapi-java new security issue CVE-2013-5960
Status: RESOLVED OLD
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: D Morgan
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/629679/
Whiteboard:
Keywords:
Depends on: 15254
Blocks:
Reported: 2015-01-15 18:32 CET by David Walser
Modified: 2015-09-02 17:36 CEST

See Also:
Source RPM: owasp-esapi-java-2.0.1-10.mga5.src.rpm
CVE:
Status comment:


Description David Walser 2015-01-15 18:32:59 CET
Fedora has issued advisories on January 7:
https://lists.fedoraproject.org/pipermail/package-announce/2015-January/148092.html
https://lists.fedoraproject.org/pipermail/package-announce/2015-January/148081.html

They fixed it by updating to 2.1.0.

Note that it should BR log4j on Mageia 4 and log4j12 on Cauldron.

Mageia 4 is also affected.

Reproducible: 

Steps to Reproduce:
David Walser 2015-01-15 18:33:19 CET

CC: (none) => pterjan
Blocks: (none) => 14674
Whiteboard: (none) => MGA4TOO

Comment 1 David Walser 2015-02-10 12:17:05 CET
owasp-esapi-java-2.1.0-1.mga5 uploaded for Cauldron.

CC: (none) => geiger.david68210
Version: Cauldron => 4
Blocks: 14674 => (none)
Whiteboard: MGA4TOO => (none)

Comment 2 David Walser 2015-02-10 14:51:04 CET
The 2.1.0 update actually only addresses CVE-2013-5679. The CVE-2013-5960 issue is currently only fixed in SVN and will be fixed in the 2.1.1 release (not available yet).

I see at least these commits relevant to it:
https://code.google.com/p/owasp-esapi-java/source/detail?r=1908
https://code.google.com/p/owasp-esapi-java/source/detail?r=1909
https://code.google.com/p/owasp-esapi-java/source/detail?r=1949
David Walser 2015-02-10 14:52:01 CET

Blocks: (none) => 15254

Comment 3 David Walser 2015-02-10 14:53:19 CET
I've cloned to Bug 15254 to handle the Mageia 4 update for CVE-2013-5679.

This bug will now be for CVE-2013-5960, which will have to be addressed later.

Version: 4 => Cauldron
Blocks: 15254 => (none)
Depends on: (none) => 15254
Summary: owasp-esapi-java new security issues CVE-2013-5679 and CVE-2013-5960 => owasp-esapi-java new security issue CVE-2013-5960
Whiteboard: (none) => MGA4TOO

Comment 4 David Walser 2015-05-04 23:45:40 CEST
Dropped from Cauldron as it's not needed by anything there.

Version: Cauldron => 4
Whiteboard: MGA4TOO => (none)

Comment 5 Nicolas Lécureuil 2015-05-11 00:48:54 CEST
Changes were in 4 SVN but not in the repo (I don't know why).

I pushed it and it builds.

CC: (none) => mageia

Comment 6 David Walser 2015-05-11 00:56:13 CEST
2.1.0 in SVN was already pushed as an update fixing CVE-2013-5679, as I said in Comment 3. CVE-2013-5960 was not fixed by that; it's only fixed in upstream's version control repository.
Comment 7 Nicolas Lécureuil 2015-05-11 00:57:21 CEST
Sorry :) Looking now for CVE-2013-5960.
Comment 8 David Walser 2015-09-02 17:36:47 CEST
With only a couple of weeks remaining in Mageia 4's lifetime, we don't have time to fix this and test it. This package has been dropped and no longer exists in Mageia as of Mageia 5. Closing this as OLD.

Status: NEW => RESOLVED
Resolution: (none) => OLD
