RedHat has issued an advisory on November 3: https://rhn.redhat.com/errata/RHSA-2016-2604.html Theirs refers to an SRPM called resteasy-base, but the information on the security issue says resteasy, so I'm not sure, but we may be affected.
Whiteboard: (none) => MGA5TOO
According to Fedora bugzilla, this seems fixed in the 3.0.17 release: https://bugzilla.redhat.com/show_bug.cgi?id=1378613
CC: (none) => geiger.david68210
Fixed on Cauldron with the updated 3.0.17 version. But for mga5, as our current Java stack is now pretty out of date (based on fc21, which is no longer supported by Fedora themselves), I don't know how to fix this security issue.
Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)
(In reply to David GEIGER from comment #2)
> Fixed on Cauldron with 3.0.17 updated version.
>
> But for mga5 as our current java stack is now pretty out of date (based on
> fc 21 that is no more supported by fedora themselves) I don't know how to
> fix this security.

@ neoclust wdyt?
CC: (none) => marja11
Assignee: bugsquad => mageia
It is now in David's hands; I explained to him on IRC how I think we can fix it :)
Assignee: mageia => geiger.david68210
Fixed now for mga5 too!
CC: (none) => mageia
Assignee: geiger.david68210 => qa-bugs
Advisory:
========================

Updated resteasy packages fix security vulnerability:

It was discovered that under certain conditions RESTEasy could be forced to parse a request with SerializableProvider, resulting in deserialization of potentially untrusted data. An attacker could possibly use this flaw to execute arbitrary code with the permissions of the application using RESTEasy (CVE-2016-7050).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7050
https://rhn.redhat.com/errata/RHSA-2016-2604.html
========================

Updated packages in core/updates_testing:
========================
resteasy-3.0.6-3.1.mga5
resteasy-javadoc-3.0.6-3.1.mga5

from resteasy-3.0.6-3.1.mga5.src.rpm
MGA5-32 on Acer D620 Xfce

No installation issues.

Referring to bug 13870, this should be enough to OK the update (having googled in vain to find a simple testcase).
CC: (none) => herman.viaene
Whiteboard: (none) => MGA5-32-OK
Testing on mga5-64

The packages and 300+ dependencies installed cleanly.

$ rpm -q resteasy resteasy-javadoc
resteasy-3.0.6-3.1.mga5
resteasy-javadoc-3.0.6-3.1.mga5

I can't find a practical way to test this application, and a clean install of the previous resteasy security update was deemed an adequate test: https://bugs.mageia.org/show_bug.cgi?id=13870#c3

and so: OK for mga5-64
CC: (none) => jim
Whiteboard: MGA5-32-OK => MGA5-64-OK
Restoring Herman's OK for mga5-32. It was removed somehow following the "mid-air collision".
Whiteboard: MGA5-64-OK => MGA5-64-OK MGA5-32-OK
This update is now validated.

The Advisory in comment #6 needs to be uploaded to SVN.

The packages can then be pushed to updates.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Advisory from Comment 6 SVN'd.
CC: (none) => lewyssmith
Whiteboard: MGA5-64-OK MGA5-32-OK => MGA5-64-OK MGA5-32-OK advisory
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0382.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED