Fedora has issued an advisory on April 26: https://lists.fedoraproject.org/pipermail/package-announce/2016-April/183180.html The issue is fixed in version 1.4.9. Mageia 5 is also affected.
CC: (none) => geiger.david68210, pterjan
Whiteboard: (none) => MGA5TOO
Fixed in xstream-1.4.9-1.mga6 for Cauldron by David.
Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)
Hmmm! mga5 java stack seems a bit broken now! I can't build xstream 1.4.9, and even with the current one I get this error:

+ python /usr/share/java-utils/pom_editor.py pom_xpath_set 'pom:project/pom:dependencies/pom:dependency[pom:groupId = '\''org.codehaus.woodstox'\'' ]/pom:artifactId' woodstox-core-asl xstream
Error in processing xstream/pom.xml
Syntax error in injected XML: attributes construct error, line 1, column 48.
Usage: %pom_xpath_set <XPath> <new contents> [POM location]

Same error if I test with another java package.
@pterjan: have you any idea what can be broken now on mga5?
@daviddavid Assigning to you, since you're already working on it.
CC: (none) => marja11
Assignee: bugsquad => geiger.david68210
Done for mga5 too! Note that I had to update javapackages-tools, adding a patch to fix the missing space between xmlns declarations reported in comment 2.
http://svnweb.mageia.org/packages?view=revision&revision=1008935
Assigning to QA.

Advisory:
========================

Updated xstream packages fix security vulnerability:

XStream (x-stream.github.io) is a Java library to marshal Java objects into XML and back. For this purpose it supports a lot of different XML parsers. Some of those can also process external entities, which was enabled by default. An attacker could therefore provide manipulated XML as input to access data on the file system, see https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3674
https://lists.fedoraproject.org/pipermail/package-announce/2016-April/183180.html
========================

Updated packages in 5/core/updates_testing:
========================
xstream-1.4.9-1.mga5
xstream-benchmark-1.4.9-1.mga5
xstream-hibernate-1.4.9-1.mga5
xstream-javadoc-1.4.9-1.mga5
xstream-parent-1.4.9-1.mga5
javapackages-tools-4.1.0-15.1.mga5
javapackages-tools-doc-4.1.0-15.1.mga5
javapackages-local-4.1.0-15.1.mga5
python-javapackages-4.1.0-15.1.mga5
maven-local-4.1.0-15.1.mga5
ivy-local-4.1.0-15.1.mga5

Source RPM:
========================
xstream-1.4.9-1.mga5.src.rpm
javapackages-tools-4.1.0-15.1.mga5.src.rpm
Assignee: geiger.david68210 => qa-bugs
Thanks David! I would recommend tightening up the advisory as follows.

Advisory:
========================

Updated xstream packages fix security vulnerability:

XStream (x-stream.github.io) is a Java library to marshal Java objects into XML and back. For this purpose it supports a lot of different XML parsers. Some of those can also process external entities, which was enabled by default. An attacker could therefore provide manipulated XML as input to access data on the file system (CVE-2016-3674).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3674
https://lists.fedoraproject.org/pipermail/package-announce/2016-April/183180.html
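As an added illustration of the mitigation the advisory describes (this code is not from the bug thread, the advisory, or the XStream project), the following shows the JAXP parser configuration an application should use when it feeds untrusted XML to a DOM parser, and a StaxDriver subclass that stops XStream from resolving external entities whatever library version is on the classpath. The sample document, the class names and the placeholder file path are constructed for the check; the override of createInputFactory() assumes that method is protected and overridable in the XStream 1.4 line, and the second class only compiles with xstream on the classpath.

```java
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.stream.XMLInputFactory;
import java.io.StringReader;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import com.thoughtworks.xstream.io.xml.StaxDriver;

public class XxeHardeningCheck {

    // Constructed sample of the kind of untrusted input the advisory warns about:
    // a DOCTYPE declaring an external entity that points at a local file.
    // The path is a placeholder; nothing is expected to exist there.
    static final String UNTRUSTED_XML =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE data [<!ENTITY ext SYSTEM \"file:///PLACEHOLDER/secret.txt\">]>\n" +
        "<data>&ext;</data>";

    /** DocumentBuilderFactory configured for untrusted input (the OWASP-recommended settings). */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Refusing any DOCTYPE removes the entity mechanism entirely (Xerces feature name).
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a DOCTYPE has to be allowed for some other document type.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Returns true when the hardened parser refuses the document, false when it parses it. */
    static boolean rejectsExternalEntity(String xml) throws Exception {
        DocumentBuilder db = hardenedFactory().newDocumentBuilder();
        try {
            db.parse(new InputSource(new StringReader(xml)));
            return false;
        } catch (SAXException e) {
            // Expected with disallow-doctype-decl: the DOCTYPE itself is reported as an error,
            // so the entity is never resolved and no file is read.
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("hardened parser rejects the XXE sample: "
            + rejectsExternalEntity(UNTRUSTED_XML));
    }
}

/**
 * Hypothetical XStream driver that disables DTD support and external entity resolution
 * on the StAX factory, so the behaviour does not depend on which XStream version is installed.
 * Assumes StaxDriver.createInputFactory() is protected (true for the 1.4.x releases).
 * Usage: new XStream(new NoExternalEntityStaxDriver())
 */
class NoExternalEntityStaxDriver extends StaxDriver {
    @Override
    protected XMLInputFactory createInputFactory() {
        XMLInputFactory factory = super.createInputFactory();
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        return factory;
    }
}
```

The DOM half is the check to run against whichever JAXP implementation is actually on the classpath, since the default factory is what a vulnerable application ends up using; the StAX half is the belt-and-braces setting for applications that cannot yet move to the fixed 1.4.9 packages.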
MGA5-32 on AcerD620 Xfce No installation issues. No test procedure found and bug 12874 agreed on just a clean install would be sufficient, so OK for me.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA5-32-OK
Validating.
Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK => has_procedure MGA5-32-OK
CC: (none) => sysadmin-bugs
Advisory uploaded.
Whiteboard: has_procedure MGA5-32-OK => has_procedure advisory MGA5-32-OK
An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2016-0164.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED