Ubuntu has issued an advisory on March 30: http://www.ubuntu.com/usn/usn-2551-1/ I have added Ubuntu's patch (large set of backported changes from upstream) in SVN. I also had to patch it to not force source="1.4" for part of the build, as this breaks with the updated code. I'm not sure how Ubuntu was able to avoid having to do the same. The patches are in Mageia 4 and Cauldron SVN. If this looks OK, we can push it. However, all of this jakarta stuff is obsolete and should be removed from the distro ASAP (obviously just in Cauldron). This package should be replaced by tomcat-taglibs-standard. Reproducible: Steps to Reproduce:
Pascal and David, please see Comment 0.
CC: (none) => geiger.david68210, pterjanWhiteboard: (none) => MGA5TOO, MGA4TOO
Ok, I've look on your current change and your Patch6 (do-not-use-1.4.patch) is not needed you can remove it, so you have just to change/rediff the jakarta-taglibs-standard-1.1.1-build.patch and replace source="1.4" by source="1.5": Index: jakarta-taglibs-standard-1.1.1-build.patch =================================================================== --- jakarta-taglibs-standard-1.1.1-build.patch (révision 819469) +++ jakarta-taglibs-standard-1.1.1-build.patch (copie de travail) @@ -19,7 +19,7 @@ deprecation="${compile.deprecation}" - optimize="${compile.optimize}"/> + optimize="${compile.optimize}" -+ source="1.4"/> ++ source="1.5"/> <!-- copy the TLDs in META-INF --> <copy todir="${build.library}/META-INF"> @@ -29,7 +29,7 @@ deprecation="${compile.deprecation}" - optimize="${compile.optimize}"/> + optimize="${compile.optimize}" -+ source="1.4"/> ++ source="1.5"/> <!-- Copy web.xml + examples TLD --> <copy todir="${build.examples}/WEB-INF"> This is valid for Cauldron and mga4.
Thanks David! I missed that patch0 had set that. Fixed in SVN now.
Patched packages uploaded for Mageia 4 and Cauldron. This can be tested by just ensuring the updated packages install cleanly. Advisory: ======================== Updated jakarta-taglibs-standard packages fix security vulnerability: David Jorm discovered that the Apache Standard Taglibs incorrectly handled external XML entities. A remote attacker could possibly use this issue to execute arbitrary code or perform other external XML entity attacks (CVE-2015-0254). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0254 http://www.ubuntu.com/usn/usn-2551-1/ ======================== Updated packages in core/updates_testing: ======================== jakarta-taglibs-standard-1.1.2-12.1.mga4 jakarta-taglibs-standard-javadoc-1.1.2-12.1.mga4 from jakarta-taglibs-standard-1.1.2-12.1.mga4.src.rpm
Version: Cauldron => 4Assignee: dmorganec => qa-bugsWhiteboard: MGA5TOO, MGA4TOO => (none)
Testing complete mga4 64 Just ensured the packages update cleanly.
Whiteboard: (none) => has_procedure mga4-64-ok
validating. advisory uploaded.
Keywords: (none) => validated_updateWhiteboard: has_procedure mga4-64-ok => has_procedure mga4-64-ok advisoryCC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0140.html
Status: NEW => RESOLVEDResolution: (none) => FIXED