Bug 15254 - owasp-esapi-java new security issue CVE-2013-5679
Summary: owasp-esapi-java new security issue CVE-2013-5679
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/629679/
Whiteboard: has_procedure advisory mga4-64-ok mga...
Keywords: validated_update
Depends on:
Blocks: 15051
Reported: 2015-02-10 14:52 CET by David Walser
Modified: 2015-02-11 21:48 CET (History)

See Also:
Source RPM: owasp-esapi-java-2.0.1-10.mga5.src.rpm
CVE:
Status comment:


Description David Walser 2015-02-10 14:52:01 CET
+++ This bug was initially created as a clone of Bug #15051 +++

Fedora has issued advisories on January 7:
https://lists.fedoraproject.org/pipermail/package-announce/2015-January/148092.html
https://lists.fedoraproject.org/pipermail/package-announce/2015-January/148081.html

They fixed it by updating to 2.1.0.

Note that it should BR log4j on Mageia 4 and log4j12 on Cauldron.

Mageia 4 is also affected.
David Walser 2015-02-10 14:53:19 CET

Blocks: (none) => 15051
Depends on: 15051 => (none)

Comment 1 David Walser 2015-02-10 14:57:20 CET
Updated package uploaded for Mageia 4.

Just test that the package installs cleanly.

Advisory:
========================

Updated owasp-esapi-java packages fix security vulnerability:

The authenticated-encryption feature in the symmetric-encryption
implementation in the OWASP Enterprise Security API (ESAPI) for Java 2.x
before 2.1.0 does not properly resist tampering with serialized ciphertext,
which makes it easier for remote attackers to bypass intended cryptographic
protection mechanisms via an attack against authenticity in the default
configuration, involving a null MAC and a zero MAC length (CVE-2013-5679).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5679
https://lists.fedoraproject.org/pipermail/package-announce/2015-January/148081.html
========================

Updated packages in core/updates_testing:
========================
owasp-esapi-java-2.1.0-1.mga4
owasp-esapi-java-javadoc-2.1.0-1.mga4
owasp-esapi-java-doc-2.1.0-1.mga4

from owasp-esapi-java-2.1.0-1.mga4.src.rpm

CC: geiger.david68210, pterjan => (none)
Assignee: bugsquad => qa-bugs
Whiteboard: (none) => has_procedure
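The advisory text above describes the flaw class only in one sentence: the decryptor accepted serialized ciphertext whose MAC field was null with a MAC length of zero, so an attacker who could rewrite the serialized object could drop the MAC and substitute ciphertext without being detected. The following is an added illustration written for this page; it is not ESAPI's code, does not reproduce ESAPI's real CipherText serialization format or its fix, and uses an invented wire layout (`mac_len || mac || ciphertext`), an HMAC-SHA256 tag, a constructed key and constructed ciphertext bytes. It contrasts the flawed "no MAC means nothing to verify" decision with the hardened "authenticity is mandatory" one.

```python
"""
Toy model of the authenticity-bypass class described by CVE-2013-5679.

Added example, not ESAPI's code. The wire layout is invented for this
illustration:

    mac_len (2 bytes, big-endian) || mac (mac_len bytes) || ciphertext

Only the MAC decision is modelled; the ciphertext is an opaque byte blob.
"""
import hashlib
import hmac
import struct
from typing import Dict, Optional, Tuple

MAC_KEY = b"example-mac-key-not-for-real-use"   # constructed sample key
MAC_LEN = hashlib.sha256().digest_size           # 32 bytes for HMAC-SHA256


def compute_mac(key: bytes, ciphertext: bytes) -> bytes:
    """HMAC-SHA256 over the ciphertext (encrypt-then-MAC)."""
    return hmac.new(key, ciphertext, hashlib.sha256).digest()


def serialize(ciphertext: bytes, mac: Optional[bytes]) -> bytes:
    """Pack ciphertext with an optional MAC. mac=None models the
    'null MAC' case: a zero MAC length and no MAC bytes on the wire."""
    mac = mac or b""
    return struct.pack(">H", len(mac)) + mac + ciphertext


def parse(blob: bytes) -> Tuple[bytes, bytes]:
    """Split a serialized blob back into (mac, ciphertext)."""
    mac_len = struct.unpack(">H", blob[:2])[0]
    mac = blob[2:2 + mac_len]
    ciphertext = blob[2 + mac_len:]
    return mac, ciphertext


def decrypt_vulnerable(key: bytes, blob: bytes) -> bytes:
    """Flawed pattern: an absent MAC is treated as 'nothing to verify'.
    Stripping the MAC (length zero) lets tampered ciphertext through."""
    mac, ciphertext = parse(blob)
    if len(mac) > 0 and not hmac.compare_digest(mac, compute_mac(key, ciphertext)):
        raise ValueError("MAC mismatch")
    return ciphertext


def decrypt_hardened(key: bytes, blob: bytes) -> bytes:
    """Hardened pattern: authenticity is mandatory. A missing or
    wrong-length MAC is rejected before any comparison is attempted."""
    mac, ciphertext = parse(blob)
    if len(mac) != MAC_LEN:
        raise ValueError("MAC missing or malformed")
    if not hmac.compare_digest(mac, compute_mac(key, ciphertext)):
        raise ValueError("MAC mismatch")
    return ciphertext


def strip_mac_and_tamper(blob: bytes, tampered_ciphertext: bytes) -> bytes:
    """Attacker's transform: discard the MAC and substitute ciphertext.
    The original blob is ignored; only its format is reused."""
    return serialize(tampered_ciphertext, None)


def demo() -> Dict[str, bool]:
    """Run both decryptors against a genuine blob and a MAC-stripped forgery."""
    original = b"\x10\x20\x30\x40"   # constructed opaque ciphertext
    forged = b"\xde\xad\xbe\xef"     # attacker-chosen replacement
    good = serialize(original, compute_mac(MAC_KEY, original))
    attack = strip_mac_and_tamper(good, forged)
    results = {
        "vulnerable_accepts_good": decrypt_vulnerable(MAC_KEY, good) == original,
        "hardened_accepts_good": decrypt_hardened(MAC_KEY, good) == original,
        "vulnerable_accepts_forgery": decrypt_vulnerable(MAC_KEY, attack) == forged,
    }
    try:
        decrypt_hardened(MAC_KEY, attack)
        results["hardened_rejects_forgery"] = False
    except ValueError:
        results["hardened_rejects_forgery"] = True
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point the model makes is that the MAC length must never be attacker-controlled input to the "verify or not" decision: the receiver knows what tag length its configuration requires and rejects anything else up front. `hmac.compare_digest` is used for the comparison so that a wrong tag fails in constant time rather than leaking how many leading bytes matched.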

Comment 2 claire robinson 2015-02-11 13:53:29 CET
Testing complete mga4 64

As with most Java packages, just verified it updates cleanly.
Comes with 270 dependencies.

Advisory uploaded.

Whiteboard: has_procedure => has_procedure advisory mga4-64-ok

Comment 3 David Walser 2015-02-11 19:27:29 CET
Confirmed that it installs fine on Mageia 4 i586 as well.  Validating.

Please push to core/updates.  Thanks.

Keywords: (none) => validated_update
Whiteboard: has_procedure advisory mga4-64-ok => has_procedure advisory mga4-64-ok mga4-32-ok
CC: (none) => sysadmin-bugs

Comment 4 Mageia Robot 2015-02-11 21:48:50 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0064.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
