A CVE has been assigned for a security issue in jsoup: http://openwall.com/lists/oss-security/2015/08/28/5
The pull request for the fix is linked in the message above.
Mageia 4 and Mageia 5 are also affected.
CC: (none) => geiger.david68210
Whiteboard: (none) => MGA5TOO, MGA4TOO
Package jsoup-1.8.3a is now submitted and uploaded for mga5/Core/Updates_testing and Cauldron too.
What about mga4? I think the 1.6.1 version is not affected, as the file "src/test/java/org/jsoup/parser/XmlTreeBuilderTest.java" does not exist. But I can update to the 1.8.3a version if it is necessary; I successfully built it on my mga4 local machine.
src/main/java/org/jsoup/parser/Tokeniser.java is the affected file, but it does look like the affected code isn't there in 1.6.1 or is different enough that it probably doesn't have the same bug, so we'll leave this for Mageia 5. Thanks David!

Advisory:
========================

Updated jsoup packages fix security vulnerability:

Jsoup before 1.8.3 was vulnerable to a possible XSS issue in the validator, related to how it handled tags without a closing '>' when reaching EOF (CVE-2015-6748).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6748
http://openwall.com/lists/oss-security/2015/08/28/5
========================

Updated packages in core/updates_testing:
========================
jsoup-1.8.3a-1.1.mga5
jsoup-javadoc-1.8.3a-1.1.mga5

from jsoup-1.8.3a-1.1.mga5.src.rpm
Version: Cauldron => 5
Assignee: bugsquad => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => (none)
Any idea how to test this David?
CC: (none) => wilcal.int
(In reply to William Kenney from comment #3)
> Any idea how to test this David?

Just test that this one installs cleanly.
mga5 64 LANG=fr_FR.UTF-8

Installed packages:
java-1.8.0-openjdk-headless-1.8.0.51-1.b16.1.mga5
javapackages-tools-4.1.0-15.mga5

Install jsoup-1.8.3a-1.1.mga5.noarch.rpm: no problem.
CC: (none) => yann.cantin
Whiteboard: (none) => MGA5-64-OK
In VirtualBox, M5, KDE, 32-bit

Package(s) under test: jsoup jsoup-javadoc

Default install of jsoup & jsoup-javadoc

[root@localhost wilcal]# urpmi jsoup
Package jsoup-1.7.2-4.mga5.noarch is already installed
[root@localhost wilcal]# urpmi jsoup-javadoc
Package jsoup-javadoc-1.7.2-4.mga5.noarch is already installed

Packages installed without error

Install jsoup & jsoup-javadoc from updates_testing

[root@localhost wilcal]# urpmi jsoup
Package jsoup-1.8.3a-1.1.mga5.noarch is already installed
[root@localhost wilcal]# urpmi jsoup-javadoc
Package jsoup-javadoc-1.8.3a-1.1.mga5.noarch is already installed

Packages updated without error
Whiteboard: MGA5-64-OK => MGA5-32-OK
Whiteboard: MGA5-32-OK => MGA5-32-OK MGA5-64-OK
In VirtualBox, M5, KDE, 64-bit

Package(s) under test: jsoup jsoup-javadoc

Default install of jsoup & jsoup-javadoc

[root@localhost wilcal]# urpmi jsoup
Package jsoup-1.7.2-4.mga5.noarch is already installed
[root@localhost wilcal]# urpmi jsoup-javadoc
Package jsoup-javadoc-1.7.2-4.mga5.noarch is already installed

Packages installed without error

Install jsoup & jsoup-javadoc from updates_testing

[root@localhost wilcal]# urpmi jsoup
Package jsoup-1.8.3a-1.1.mga5.noarch is already installed
[root@localhost wilcal]# urpmi jsoup-javadoc
Package jsoup-javadoc-1.8.3a-1.1.mga5.noarch is already installed

Packages updated without error
This update works fine.

Testing complete for MGA5, 32-bit & 64-bit.

I don't see anything in the M4 updates_testing repo for this.

Validating the update. Could someone from the sysadmin team push to updates? Thanks.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Advisory uploaded.
Whiteboard: MGA5-32-OK MGA5-64-OK => MGA5-32-OK MGA5-64-OK advisory
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0340.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/656897/