Bug 19029 - apache-poi new security issues CVE-2016-5000, CVE-2017-5644, CVE-2017-12626
Summary: apache-poi new security issues CVE-2016-5000, CVE-2017-5644, CVE-2017-12626
Status: RESOLVED OLD
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: Java Stack Maintainers
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Duplicates: 22472
Depends on:
Blocks:
 
Reported: 2016-07-22 22:31 CEST by David Walser
Modified: 2019-10-23 13:03 CEST (History)

See Also:
Source RPM: apache-poi-3.14-1.mga6.src.rpm
CVE:
Status comment: Fixed upstream in 3.17
Description David Walser 2016-07-22 22:31:51 CEST
Upstream has issued an advisory today (July 22):
http://openwall.com/lists/oss-security/2016/07/22/2

The issue is fixed in 3.14.

Fedora Rawhide has 3.14 (24 is still on 3.13).

Mageia 5 is also affected.
David Walser 2016-07-22 22:32:02 CEST

CC: (none) => geiger.david68210

David Walser 2016-08-11 21:18:03 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 David Walser 2017-03-21 00:44:07 CET
Upstream has issued an advisory today (March 20):
http://openwall.com/lists/oss-security/2017/03/20/9

The issue is fixed in 3.15.

Summary: apache-poi new security issue CVE-2016-5000 => apache-poi new security issues CVE-2016-5000 and CVE-2017-5644

Comment 2 Nicolas Lécureuil 2017-05-18 09:24:42 CEST
We now have apache-poi 3.14.

Looking to upgrade to a newer if possible
Nicolas Lécureuil 2017-05-18 10:32:56 CEST

See Also: (none) => https://bugzilla.redhat.com/show_bug.cgi?id=1434522

Nicolas Lécureuil 2017-05-26 13:34:49 CEST

Source RPM: apache-poi-3.13-2.mga6.src.rpm => apache-poi-3.14-1.mga6.src.rpm

David Walser 2017-06-05 01:38:07 CEST

Status comment: (none) => Fixed upstream in 3.15

David Walser 2017-07-07 04:23:24 CEST

Whiteboard: MGA5TOO => MGA6TOO, MGA5TOO

Comment 3 David Walser 2017-12-27 01:02:06 CET
We still need to fix this, but won't be for Mageia 5.

Whiteboard: MGA6TOO, MGA5TOO => MGA6TOO

Comment 4 Marc Krämer 2018-01-17 18:34:54 CET
Is Nicolas still with us?
I see a bunch of bugs assigned to him, but no progress anymore. Maybe we should assign it back to "All packagers"

CC: (none) => mageia

Comment 5 David Walser 2018-01-17 18:52:09 CET
He is, but the bugs for Java packages don't tend to get a lot of attention. It's further complicated by the fact that when Fedora does these kinds of issues, sometimes trying to sync in their update breaks things, and other times even Fedora neglects to fix security issues.
Comment 6 David Walser 2018-04-27 18:55:00 CEST
Fedora has issued an advisory today (April 27):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/STKLIH57QLIVDD6JBCDLQTSNP5AIBRDD/

A new issue is fixed upstream in 3.17.

Summary: apache-poi new security issues CVE-2016-5000 and CVE-2017-5644 => apache-poi new security issues CVE-2016-5000, CVE-2017-5644, CVE-2017-12626
Status comment: Fixed upstream in 3.15 => Fixed upstream in 3.17

Comment 7 David Walser 2019-01-01 04:56:40 CET
Updated to 3.17 in Cauldron by David Geiger.

Version: Cauldron => 6
CC: (none) => mageia
Assignee: mageia => java
Whiteboard: MGA6TOO => (none)

Comment 8 David Walser 2019-01-01 04:58:49 CET
Upstream has issued an advisory on January 26 for CVE-2017-12626:
http://openwall.com/lists/oss-security/2018/01/26/7
Comment 9 David Walser 2019-01-01 04:59:09 CET
*** Bug 22472 has been marked as a duplicate of this bug. ***
Comment 10 David Walser 2019-10-23 13:03:16 CEST
Mageia 6 is EOL.

Status: NEW => RESOLVED
Resolution: (none) => OLD