Fedora has issued an advisory on February 15:
https://lists.fedoraproject.org/pipermail/package-announce/2015-February/150228.html

Fedora changes and patch synced into Mageia 4 and Cauldron SVN.

Freeze push requested for Cauldron.
Patched packages uploaded for Mageia 4 and Cauldron.

Verifying that the updated packages install cleanly is sufficient for testing this update.

Advisory:
========================

Updated apache-poi packages fix security vulnerability:

A denial of service flaw was found in the way the HSLFSlideShow class implementation in Apache POI handled certain PPT files. A remote attacker could submit a specially crafted PPT file that would cause Apache POI to hang indefinitely (CVE-2014-9527).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9527
https://lists.fedoraproject.org/pipermail/package-announce/2015-February/150228.html
========================

Updated package in core/updates_testing:
========================
apache-poi-3.10.1-1.1.mga4
apache-poi-javadoc-3.10.1-1.1.mga4
apache-poi-manual-3.10.1-1.1.mga4

from apache-poi-3.10.1-1.1.mga4.src.rpm
Assignee: bugsquad => qa-bugs
Whiteboard: (none) => has_procedure
Installs/upgrades fine on Mageia 4 i586.
Whiteboard: has_procedure => has_procedure MGA4-32-OK
Testing complete mga4 64

Agree with the testing, it's a Java package and this is usually about all we can do with them. I experimented with some examples but had no joy.

Validating. Advisory uploaded.

Please push to 4 updates

Thanks
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-32-OK => has_procedure advisory MGA4-32-OK mga4-64-ok
CC: (none) => sysadmin-bugs
Fortunately this particular package has a build-time testsuite, so we can have a little bit more confidence in it at least.
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0087.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED