openSUSE has issued an advisory today (October 14): https://lists.opensuse.org/opensuse-updates/2016-10/msg00051.html Cauldron may also be affected.
Fixed for both mga5 and Cauldron!
CC: (none) => geiger.david68210
Thanks David!

Advisory:
========================

Updated derby packages fix security vulnerability:

Apache Derby could allow a remote attacker to obtain sensitive information, caused by an XML external entity (XXE) error when processing XML data by the XML datatype and XmlVTI. An attacker could exploit this vulnerability to read arbitrary files on the system or cause a denial of service (CVE-2016-1832).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1832
https://lists.opensuse.org/opensuse-updates/2016-10/msg00051.html
========================

Updated packages in core/updates_testing:
========================
derby-10.10.2.0-1.1.mga5
derby-javadoc-10.10.2.0-1.1.mga5

from derby-10.10.2.0-1.1.mga5.src.rpm
Assignee: mageia => qa-bugs
Running VB Mageia-5 64 bit.

After installing the derby packages I rebooted the instance.

$ ps -ef | grep derby

reveals it is running.

$ cd /usr/bin
$ derby-ij

Next I follow the instructions in:
https://builds.apache.org/job/Derby-docs/lastSuccessfulBuild/artifact/trunk/out/getstart/index.html
starting at step 5. After doing that I was able to confirm the derby server is running and working as designed.

ij> SELECT * FROM SECONDTABLE;
ID |NAME
--------------------------
100 |ONE HUNDRED
200 |TWO HUNDRED
300 |THREE HUNDRED

3 rows selected

I get the following when closing:

ij> exit;
Sat Oct 29 16:18:43 CDT 2016 Thread[main,5,main] java.io.FileNotFoundException: derby.log (Permission denied)
----------------------------------------------------------------
Sat Oct 29 16:18:43 CDT 2016: Shutting down Derby engine
----------------------------------------------------------------

derby.log is sitting in /var/lib/derby - my user id doesn't have permission. However, I've confirmed this version of the database is up and running.
CC: (none) => brtians1
Whiteboard: (none) => mga5-64-ok
Advisory uploaded.
CC: (none) => lewyssmith
Whiteboard: mga5-64-ok => mga5-64-ok advisory
Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0385.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
The CVE was incorrect in the advisory in SVN. I corrected it there, so hopefully that gets propagated to the website soon.