It was reported that XmlMapper in jackson-dataformat-xml is vulnerable to XXE attack ("Improper Restriction of XML External Entity Reference"). The issue should be fixed by applying the upstream patch: https://github.com/FasterXML/jackson-dataformat-xml/commit/f0f19a4c924d9db9a1e2830434061c8640092cc0 Mageia 5 is also affected. More info on the RedHat bug: https://bugzilla.redhat.com/show_bug.cgi?id=1328427 References: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-3720
QA Contact: (none) => security
Assignee: bugsquad => geiger.david68210
Component: RPM Packages => Security
Whiteboard: (none) => MGA5TOO
Fixed for Cauldron and mga5 too! Assigning to QA, Advisory: ======================== Updated jackson-dataformat-xml packages fix security vulnerability: It was reported that XmlMapper in jackson-dataformat-xml is vulnerable to XXE attack ("Improper Restriction of XML External Entity Reference") (CVE-2016-3720). References: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-3720 ======================== Updated packages in 5/core/updates_testing: ======================== jackson-dataformat-xml-2.4.3-3.1.mga5 jackson-dataformat-xml-javadoc-2.4.3-3.1.mga5 Source RPM: ======================== jackson-dataformat-xml-2.4.3-3.1.mga5.src.rpm
Assignee: geiger.david68210 => qa-bugs
Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)
Thanks David! Maybe we should add the RedHat bug to the references too? https://bugzilla.redhat.com/show_bug.cgi?id=1328427
Yes we can :) So please use this updated advisory: Advisory: ======================== Updated jackson-dataformat-xml packages fix security vulnerability: It was reported that XmlMapper in jackson-dataformat-xml is vulnerable to XXE attack ("Improper Restriction of XML External Entity Reference") (CVE-2016-3720). References: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-3720 https://bugzilla.redhat.com/show_bug.cgi?id=1328427 ========================
Created attachment 7774 [details] Suggested java insert for test program Examples need java headers etc. Run as e.g. java -jar test.jar
CC: (none) => tarazed25
A simple test for this package looks easy to write, if you are a java programmer. From the documentation at https://github.com/FasterXML/jackson-dataformat-xml and http://stackoverflow.com/questions/3527264/how-to-create-a-pojo a POJO (Plain Old Java Object) could be serialized and presumably deserialized with XmlMapper, part of the Jackson extension. Not having any java expertise, I have taken the liberty of attaching example POJOs from the documentation together with suggested usage. All they need is a java framework I think.
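A serialization round trip shows the package still works, but it does not exercise the flaw the update is for. The following is an added example, not code from the attachments or from the jackson-dataformat-xml project: it feeds XmlMapper an XML document whose DOCTYPE declares an external entity pointing at a constructed temp file, and reports whether the entity's content ends up in the deserialized object. The `Probe` class is an assumed POJO (not the Simple.java from the attachment), and the hardened mapper is built with the standard StAX `XMLInputFactory` properties rather than relying on whatever defaults the installed version sets.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLOutputFactory;

import com.fasterxml.jackson.dataformat.xml.XmlFactory;
import com.fasterxml.jackson.dataformat.xml.XmlMapper;

public class XxeProbe {

    // Assumed POJO for this example (not the Simple.java from the attachment): one String field.
    public static class Probe {
        public String value;
    }

    // Mapper as an application normally constructs it: whatever the installed build does by default.
    static XmlMapper defaultMapper() {
        return new XmlMapper();
    }

    // Explicitly hardened mapper: DTD processing and external entity resolution disabled
    // at the StAX layer, independent of the jackson-dataformat-xml version in use.
    static XmlMapper hardenedMapper() {
        XMLInputFactory in = XMLInputFactory.newFactory();
        in.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        in.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        return new XmlMapper(new XmlFactory(in, XMLOutputFactory.newFactory()));
    }

    // True when the mapper cannot be used to read the secret: either the parser rejects the
    // DOCTYPE/entity (fails closed) or the entity reference is left unexpanded.
    static boolean resistsXxe(XmlMapper mapper, String xml, String secret) {
        try {
            Probe p = mapper.readValue(xml, Probe.class);
            return p.value == null || !p.value.contains(secret);
        } catch (IOException e) {
            return true;
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed secret file standing in for something like /etc/passwd.
        Path secretFile = Files.createTempFile("xxe-probe", ".txt");
        String secret = "SECRET-" + System.nanoTime();
        Files.write(secretFile, secret.getBytes(StandardCharsets.UTF_8));

        // Classic XXE payload: external general entity resolved from a file URI.
        String xml = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE Probe [<!ENTITY xxe SYSTEM \"" + secretFile.toUri() + "\">]>\n"
            + "<Probe><value>&xxe;</value></Probe>";

        System.out.println("default  mapper resists XXE: " + resistsXxe(defaultMapper(), xml, secret));
        System.out.println("hardened mapper resists XXE: " + resistsXxe(hardenedMapper(), xml, secret));

        Files.deleteIfExists(secretFile);
    }
}
```

Compile and run with jackson-core, jackson-databind, jackson-dataformat-xml and their StAX dependencies (stax2-api, woodstox) on the classpath. On a build without the fix the first line is expected to read `false` (the temp file's content shows up in `value`); after the update both lines should read `true`. The second line should be `true` on any version, which is the check to use if an application cannot be upgraded immediately and has to harden its own XmlMapper instead.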
Created attachment 7791 [details] Serialization test for Simple.java class Don't rename this or any of the files.
Attachment 7774 is obsolete: 0 => 1
Other attachments to follow.
The serialization and deserialization work fine so this can be passed for x86_64. In accordance with the policy of accepting tests of only one architecture it can be validated also. Shall polish up the tests later.
Keywords: (none) => validated_update
Whiteboard: (none) => MGA5-64-OK
CC: (none) => sysadmin-bugs
Well done. Advisory uploaded.
Whiteboard: MGA5-64-OK => advisory MGA5-64-OK
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0175.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
Created attachment 7795 [details] tarfile containing test files for jackson-dataformat-xml The tests run in a Bash shell.
Attachment 7791 is obsolete: 0 => 1
URL: (none) => http://lwn.net/Vulnerabilities/687596/