Bug 16461 - hornetq new security issue CVE-2015-3208
Summary: hornetq new security issue CVE-2015-3208
Status: RESOLVED OLD
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: Nicolas Lécureuil
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-07-24 17:12 CEST by David Walser
Modified: 2021-07-01 18:13 CEST (History)
3 users

See Also:
Source RPM: hornetq-2.4.7-4.mga7.src.rpm
CVE:
Status comment:


Description David Walser 2015-07-24 17:12:35 CEST
A security issue fixed upstream in HornetQ has been announced:
http://openwall.com/lists/oss-security/2015/07/24/2

The message above contains a link to the upstream commit to fix the issue.

Mageia 4 and Mageia 5 are also affected.

David Walser 2015-07-24 17:12:55 CEST

Whiteboard: (none) => MGA5TOO, MGA4TOO
CC: (none) => geiger.david68210, pterjan

Comment 1 David Walser 2015-07-27 21:34:51 CEST
Looking at the upstream commit, I can't find the affected Java class file to patch it.  Do we not have the affected code?  Is it in another SRPM or tarball?
Comment 2 Rémi Verschelde 2015-09-03 16:38:23 CEST
Fedora bug report: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-3208

As usual they're mega verbose about the way they resolved the issue... But this time they closed it as WONTFIX without explanation, and it blocks a private bug report. Not sure what to make of that.
Comment 3 David Walser 2015-09-03 16:41:16 CEST
You have to be careful looking at RedHat's CVE bugs, as their resolution only applies to RHEL.  A lot of times they close them as WONTFIX or INVALID for RHEL, but it blocks the "fedora-all" tracker bug for the same CVE for Fedora, where they still have to fix it.
Comment 4 Rémi Verschelde 2015-09-03 17:00:08 CEST
Ah right, so I guess in this case they chose to give up on RHEL, but they kept the fedora-all tracker bug hidden. It's also struck through though, so I guess they also resolved it in one way or another.
Comment 5 Marja Van Waes 2016-04-05 11:20:34 CEST
Assuming this bug is still valid, at least for Mga5, because we still have hornetq-2.4.1-2.mga5 there.

Assigning to maintainer

Whiteboard: MGA5TOO, MGA4TOO => MGA5TOO
Source RPM: hornetq-2.4.1-2.mga5.src.rpm => hornetq-2.4.1-2.mga5
Assignee: bugsquad => mageia
CC: (none) => marja11

Comment 6 David GEIGER 2016-04-05 11:55:28 CEST
I think we can close this bug as a WONTFIX like fedora/redhat.
Comment 7 Nicolas Lécureuil 2016-11-18 11:41:03 CET
closing

Resolution: (none) => WONTFIX
Status: NEW => RESOLVED

Comment 8 David Walser 2018-10-17 23:23:24 CEST
RedHat fixed this in Satellite 6.4:
https://access.redhat.com/errata/RHSA-2018:2927

Source RPM: hornetq-2.4.1-2.mga5 => hornetq-2.4.7-4.mga7.src.rpm
Status: RESOLVED => REOPENED
Whiteboard: MGA5TOO => MGA6TOO
Resolution: WONTFIX => (none)

David Walser 2019-06-23 19:29:00 CEST

Whiteboard: MGA6TOO => MGA7TOO, MGA6TOO

Nicolas Lécureuil 2020-05-22 14:03:42 CEST

Whiteboard: MGA7TOO, MGA6TOO => MGA7TOO

Comment 9 Nicolas Lécureuil 2020-12-26 23:27:02 CET
not in cauldron anymore

Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)

Comment 10 David Walser 2021-07-01 18:13:24 CEST
https://blog.mageia.org/en/2021/06/08/mageia-7-will-reach-end-of-support-on-30th-of-june-the-king-is-dead-long-live-the-king/

Resolution: (none) => OLD
Status: REOPENED => RESOLVED
