Upstream has issued an advisory today (July 22): http://openwall.com/lists/oss-security/2016/07/22/2 The issue is fixed in 3.14. Fedora Rawhide has 3.14 (24 is still on 3.13). Mageia 5 is also affected.
CC: (none) => geiger.david68210
Whiteboard: (none) => MGA5TOO
Upstream has issued an advisory today (March 20): http://openwall.com/lists/oss-security/2017/03/20/9 The issue is fixed in 3.15.
Summary: apache-poi new security issue CVE-2016-5000 => apache-poi new security issues CVE-2016-5000 and CVE-2017-5644
Now have apache-poi 3.14. Looking to upgrade to a newer version if possible.
See Also: (none) => https://bugzilla.redhat.com/show_bug.cgi?id=1434522
Source RPM: apache-poi-3.13-2.mga6.src.rpm => apache-poi-3.14-1.mga6.src.rpm
Status comment: (none) => Fixed upstream in 3.15
Whiteboard: MGA5TOO => MGA6TOO, MGA5TOO
We still need to fix this, but it won't be for Mageia 5.
Whiteboard: MGA6TOO, MGA5TOO => MGA6TOO
Is Nicolas still with us? I see a bunch of bugs assigned to him, but no progress anymore. Maybe we should assign it back to "All packagers".
CC: (none) => mageia
He is, but the bugs for Java packages don't tend to get a lot of attention. It's further complicated by the fact that when Fedora does fix these kinds of issues, sometimes trying to sync in their update breaks things, and other times even Fedora neglects to fix security issues.
Fedora has issued an advisory today (April 27): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/STKLIH57QLIVDD6JBCDLQTSNP5AIBRDD/ A new issue is fixed upstream in 3.17.
Summary: apache-poi new security issues CVE-2016-5000 and CVE-2017-5644 => apache-poi new security issues CVE-2016-5000, CVE-2017-5644, CVE-2017-12626
Status comment: Fixed upstream in 3.15 => Fixed upstream in 3.17
Updated to 3.17 in Cauldron by David Geiger.
Version: Cauldron => 6
CC: (none) => mageia
Assignee: mageia => java
Whiteboard: MGA6TOO => (none)
Upstream has issued an advisory on January 26 for CVE-2017-12626: http://openwall.com/lists/oss-security/2018/01/26/7
*** Bug 22472 has been marked as a duplicate of this bug. ***
Mageia 6 is EOL.
Status: NEW => RESOLVED
Resolution: (none) => OLD