This security issue was fixed: - bsc#814241: Fixed possible DoS through very long attribute names
I don't know if this vulnerability needs reporting so I am using this to learn more about the process. I can't read the reference quoted (https://bugzilla.suse.com/814241) as I don't have permission.

Our latest changelog reads:

Wed Feb 24 2016 neoclust <neoclust> 2.11.0-25.mga6
+ Revision: 978554
- First rebuild of the java stack
- sync package xerces-j2 with fedora
+ umeabot
- Mageia 6 Mass Rebuild

OK so look at Fedora 23 Changelog for xerces-j2-2.11.0-23.fc23.noarch.rpm :

Fri Jun 19 14:00:00 2015 Fedora Release Engineering - 2.11.0-23
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild

Wed Sep 10 14:00:00 2014 Mat Booth - 2.11.0-22
- Add patch for CVE-2013-4002, rhbz #1140031
- Fix ownership of javadoc directory

Mon Aug 11 14:00:00 2014 Mikolaj Izdebski - 2.11.0-21
- Workaround regression in %add_maven_depmap -a parameter handling

Mon Aug 11 14:00:00 2014 Mikolaj Izdebski - 2.11.0-20
- Add alias for apache:xerces-j2

Sun Jun 8 14:00:00 2014 Fedora Release Engineering - 2.11.0-19
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild

No mention of DoS via long attribute names. So is this reportable and what would be the next stage?
CVE: (none) => http://lwn.net/Alerts/686276/
Source RPM: (none) => xerces-j2-2.11.0-25.mga6.src.rpm
OpenSuSE has issued an advisory for this on May 4: https://lists.opensuse.org/opensuse-updates/2016-05/msg00016.html You can see the two patches they added here: https://build.opensuse.org/package/show/openSUSE:13.2:Update/xerces-j2 Someone can check if they're relevant to our package.
URL: (none) => http://lwn.net/Vulnerabilities/686293/
Summary: openSUSE alert openSUSE-SU-2016:1216-1 (xerces-j2) => xerces-j2 new DoS security issue
(In reply to David Walser from comment #2)
> OpenSuSE has issued an advisory for this on May 4:
> https://lists.opensuse.org/opensuse-updates/2016-05/msg00016.html
>
> You can see the two patches they added here:
> https://build.opensuse.org/package/show/openSUSE:13.2:Update/xerces-j2
>
> Someone can check if they're relevant to our package.

Assigning to all packagers collectively for that, since there is no maintainer for this package.
CC: (none) => makowski.mageia, marja11
Assignee: bugsquad => pkg-bugs
CC: (none) => mageia
Assignee: pkg-bugs => geiger.david68210
xerces-j2-scan-pseudo-attribute.patch is already in the package as xerces-j2-CVE-2013-4002.patch. xerces-j2-arrays-doubling.patch has been added in Mageia 5 and Cauldron.

Advisory:
========================

Updated xerces-j2 packages fix security vulnerability:

A possible denial of service issue from overflowing an array has been fixed in the xerces-j2 package.

References:
https://lists.opensuse.org/opensuse-updates/2016-05/msg00016.html
========================

Updated packages in core/updates_testing:
========================
xerces-j2-2.11.0-14.1.mga5
xerces-j2-javadoc-2.11.0-14.1.mga5
xerces-j2-demo-2.11.0-14.1.mga5

from xerces-j2-2.11.0-14.1.mga5.src.rpm
CC: (none) => geiger.david68210
Version: Cauldron => 5
Assignee: geiger.david68210 => qa-bugs
Testing on x86_64 hardware.

xerces is a package concerned with parsing xml data. Before the update freeplane ran fine. It is listed as one of the whatrequires. Could not find how to access the xerces-j2 demo programs but there is a sample program available in the documentation which will be added as an attachment some time to exercise the package via nekohtml.

Updated the three packages from updates testing and ran freeplane again. This is a mind-mapping application presented in a java gui.

$ freeplane

Launches the gui with a sample mind-map. Clicking on calculate takes you to a tutorial of sorts in a browser. Go to the meet note and click on beginner. This uses the icedtea browser plugin to show ideas for a planned meeting. Clicking on the tips of some of the branches gives more details. It all works smoothly. Back in the gui filter leads to an in-gui freeplane tutorial.

OK for 64-bits.
CC: (none) => tarazed25
Whiteboard: (none) => MGA5-64-OK
Tested in i586 virtualbox using freeplane both before and after the update. Followed a couple of links to web tutorials. All looks fine. Good enough to validate.
Whiteboard: MGA5-64-OK => MGA5-64-OK MGA5-32-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA5-64-OK MGA5-32-OK => MGA5-64-OK MGA5-32-OK advisory
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0205.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
openSUSE has issued another advisory referencing this issue: https://lists.opensuse.org/opensuse-updates/2017-10/msg00076.html I think they just forgot to patch this issue in Leap before. They did fix two new regular bugs though, and we should probably at least add the new patch in Cauldron: https://build.opensuse.org/package/rdiff/openSUSE:Maintenance:7388/xerces-j2.openSUSE_Leap_42.2_Update?linkrev=base&rev=2
Apparently the code already has the changes from that patch, so we're good.