Fedora has issued an advisory on April 2: https://lists.fedoraproject.org/pipermail/package-announce/2016-April/181046.html The issue should be fixed by updating to version 3.2.2 (likely a sync with Cauldron). More info on the RedHat bug: https://bugzilla.redhat.com/show_bug.cgi?id=1316430
CC: (none) => geiger.david68210, mageia
Assigning to maintainer
CC: (none) => marja11Assignee: bugsquad => neoclust
I don't know why but version 3.2.2 does not built on mga5 (tried to compile locally and same issue). Seems to be a problem with build of javadoc, maybe due the the super-strict doclint checks since java 8. [INFO] <<< maven-javadoc-plugin:2.9.1:aggregate (default-cli) < generate-sources @ commons-collections <<< [INFO] [INFO] --- maven-javadoc-plugin:2.9.1:aggregate (default-cli) @ commons-collections --- [INFO] 37 errors 100 warnings [INFO] ------------------------------------------------------------------------ [INFO] BUILD FAILURE [INFO] ------------------------------------------------------------------------ [INFO] Total time: 23.787 s [INFO] Finished at: 2016-04-08T05:08:00+00:00 [INFO] Final Memory: 31M/348M [INFO] ------------------------------------------------------------------------ [ERROR] Failed to execute goal org.apache.maven.plugins:maven-javadoc-plugin:2.9.1:aggregate (default-cli) on project commons-collections: An error has occurred in JavaDocs report generation: [ERROR] Exit code: 1 - /home/iurt/rpmbuild/BUILD/commons-collections-3.2.2-src/src/java/org/apache/commons/collections/BeanMap.java:191: warning: empty <ul> tag [ERROR] * <ul> [ERROR] ^ [ERROR] /home/iurt/rpmbuild/BUILD/commons-collections-3.2.2-src/src/java/org/apache/commons/collections/BeanMap.java:191: error: element not closed: ul [ERROR] * <ul> @pterjan: an idea about this issue?
Well! done now for mga5! Thanks to pterjan to pointed me out a good workaround! :)
Advisory: ======================== Updated apache-commons-collections packages fix security vulnerability: Due to an issue with serialization, Java applications can be vulnerable to malicious remote code execution when the apache-commons-collections library is on the classpath (CVE-2015-8103). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8103 https://lists.fedoraproject.org/pipermail/package-announce/2016-April/181046.html ======================== Updated packages in core/updates_testing: ======================== apache-commons-collections-3.2.2-1.mga5 apache-commons-collections-testframework-3.2.2-1.mga5 apache-commons-collections-javadoc-3.2.2-1.mga5 apache-commons-collections-testframework-javadoc-3.2.2-1.mga5 from apache-commons-collections-3.2.2-1.mga5.src.rpm
Assignee: neoclust => qa-bugsSeverity: normal => critical
Note: apache-commons-collections-testframework-javadoc is no more provides, so here an new updated list: Updated packages in 5/core/updates_testing: ======================== apache-commons-collections-3.2.2-1.mga5 apache-commons-collections-testframework-3.2.2-1.mga5 apache-commons-collections-javadoc-3.2.2-1.mga5 from apache-commons-collections-3.2.2-1.mga5.src.rpm
Got a simple test for this one?
CC: (none) => wilcal.int
(In reply to William Kenney from comment #6) > Got a simple test for this one? Make sure it installs and upgrades cleanly from the previous version, that's all.
In VirtualBox, M5, KDE, 32-bit Package(s) under test: apache-commons-collections default install of apache-commons-collections [root@localhost wilcal]# urpmi apache-commons-collections Package apache-commons-collections-3.2.1-24.1.mga5.noarch is already installed Installs cleanly Install apache-commons-collections from updates_testing [root@localhost wilcal]# urpmi apache-commons-collections Package apache-commons-collections-3.2.2-1.mga5.noarch is already installed Updates cleanly
Whiteboard: (none) => MGA5-32-OK
In VirtualBox, M5, KDE, 64-bit Package(s) under test: apache-commons-collections default install of apache-commons-collections [root@localhost wilcal]# urpmi apache-commons-collections Package apache-commons-collections-3.2.1-24.1.mga5.noarch is already installed Installs cleanly Install apache-commons-collections from updates_testing [root@localhost wilcal]# urpmi apache-commons-collections Package apache-commons-collections-3.2.2-1.mga5.noarch is already installed Updates cleanly
Whiteboard: MGA5-32-OK => MGA5-32-OK MGA5-64-OK
For me this update works fine. Testing complete for MGA5, 32-bit & 64-bit Validating the update. Could someone from the sysadmin team push to updates. Thanks
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugs
Ensured no conflicts with the other packages and javadoc correctly obsoleted. Advisory uploaded.
Whiteboard: MGA5-32-OK MGA5-64-OK => has_procedure advisory MGA5-32-OK MGA5-64-OK
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0137.html
Status: NEW => RESOLVEDResolution: (none) => FIXED
This update also fixed two other issues: https://nvd.nist.gov/vuln/detail/CVE-2015-6420 https://nvd.nist.gov/vuln/detail/CVE-2017-15708