+++ This bug was initially created as a clone of Bug #15051 +++ Fedora has issued advisories on January 7: https://lists.fedoraproject.org/pipermail/package-announce/2015-January/148092.html https://lists.fedoraproject.org/pipermail/package-announce/2015-January/148081.html They fixed it by updating to 2.1.0. Note that it should BR log4j on Mageia 4 and log4j12 on Cauldron. Mageia 4 is also affected.
Blocks: (none) => 15051Depends on: 15051 => (none)
Updated package uploaded for Mageia 4. Just test that the package installs cleanly. Advisory: ======================== Updated owasp-esapi-java packages fix security vulnerability: The authenticated-encryption feature in the symmetric-encryption implementation in the OWASP Enterprise Security API (ESAPI) for Java 2.x before 2.1.0 does not properly resist tampering with serialized ciphertext, which makes it easier for remote attackers to bypass intended cryptographic protection mechanisms via an attack against authenticity in the default configuration, involving a null MAC and a zero MAC length (CVE-2013-5679). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5679 https://lists.fedoraproject.org/pipermail/package-announce/2015-January/148081.html ======================== Updated packages in core/updates_testing: ======================== owasp-esapi-java-2.1.0-1.mga4 owasp-esapi-java-javadoc-2.1.0-1.mga4 owasp-esapi-java-doc-2.1.0-1.mga4 from owasp-esapi-java-2.1.0-1.mga4.src.rpm
CC: geiger.david68210, pterjan => (none)Assignee: bugsquad => qa-bugsWhiteboard: (none) => has_procedure
Testing complete mga4 64 As with most java packages, just verified it updates cleanly. Comes with 270 dependencies. Advisory uploaded.
Whiteboard: has_procedure => has_procedure advisory mga4-64-ok
Confirmed that it installs fine on Mageia 4 i586 as well. Validating. Please push to core/updates. Thanks.
Keywords: (none) => validated_updateWhiteboard: has_procedure advisory mga4-64-ok => has_procedure advisory mga4-64-ok mga4-32-okCC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0064.html
Status: NEW => RESOLVEDResolution: (none) => FIXED