Upstream has issued an advisory today (January 14): http://openwall.com/lists/oss-security/2017/01/14/3 The issue is fixed upstream in 2.4.8. Mageia 5 is also affected.
CC: (none) => geiger.david68210
Whiteboard: (none) => MGA5TOO
Fixed on Cauldron! But for mga5 with our current groovy-1.8.9 it seems that this CVE is not needed, it says:
* Unsupported Codehaus versions of Groovy from 1.7.0 to 2.4.3
And the patch for CVE-2016-6814 conflicts with another/older patch: CVE-2015-3253 (already applied).
Thanks for the fix in Cauldron. For Mageia 5, I believe they were saying that versions 1.7.0 to 2.4.3 (which includes 1.8.9) *are* affected, but they're not supported, so they're not releasing fixes for those. Hopefully RedHat or someone will backport it if we can't.
Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)
Fedora has issued an advisory for this on January 21: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/GLUK73YU2ETK7USTPIIC4YQT3BYKGEOB/
URL: (none) => https://lwn.net/Vulnerabilities/712297/
RedHat has issued an advisory for this today (August 17): https://access.redhat.com/errata/RHSA-2017:2486
groovy 1.8.9 is definitely affected, as Fedora is now issuing advisories for it. Fedora has issued an advisory on August 17: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/A5FSJEOEIYPZDGJRMEPJPMUMDN4MQQJI/ Unfortunately we also have this packaged in Mageia 6 as groovy18.
Version: 5 => Cauldron
Summary: groovy new security issue CVE-2016-6814 => groovy and groovy18 new security issue CVE-2016-6814
Whiteboard: (none) => MGA6TOO, MGA5TOO
Pushed in updates_testing, src.rpm:
groovy18-1.8.9-26.1.mga6
groovy-1.8.9-5.2.mga5
Assignee: mageia => qa-bugs
Version: Cauldron => 6
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
CC: (none) => mageia
Only Cauldron built successfully.
Assignee: qa-bugs => mageia
Updated packages for Mageia 5:
groovy-1.8.9-5.2.mga5
groovy-lib-1.8.9-5.2.mga5
groovy-javadoc-1.8.9-5.2.mga5
from groovy-1.8.9-5.2.mga5.src.rpm

The Mageia 6 build doesn't appear to be going anywhere...
Whiteboard: MGA5TOO => MGA5TOO feedback
mga6 build is finished too
Advisory:
========================

Updated groovy and groovy18 packages fix security vulnerability:

It was found that a flaw in the Apache groovy library allows remote code execution wherever deserialization occurs in the application. It is possible for an attacker to craft a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects are subject to this vulnerability (CVE-2016-6814).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6814
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/GLUK73YU2ETK7USTPIIC4YQT3BYKGEOB/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/A5FSJEOEIYPZDGJRMEPJPMUMDN4MQQJI/
========================

Updated packages in core/updates_testing:
========================
groovy-1.8.9-5.2.mga5
groovy-lib-1.8.9-5.2.mga5
groovy-javadoc-1.8.9-5.2.mga5
groovy18-1.8.9-26.1.mga6
groovy18-lib-1.8.9-26.1.mga6
groovy18-javadoc-1.8.9-26.1.mga6

from SRPMS:
groovy-1.8.9-5.2.mga5.src.rpm
groovy18-1.8.9-26.1.mga6.src.rpm
Whiteboard: MGA5TOO feedback => MGA5TOO
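The advisory above says the applications at risk are those that "do not isolate the code which deserializes objects". The following is an added example, not code from this bug report, from Mageia or from the Groovy project, of what that isolation looks like on the Java side: an allow-list deserialization filter built with the standard Java 9+ java.io.ObjectInputFilter API. The class names in the filter pattern, the sample ArrayList payload and the use of java.util.Date as a stand-in for "any class not on the list" are assumptions constructed for the demonstration; nothing here depends on Groovy itself.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.Date;
import java.util.List;

public class SafeDeserialize {

    // Allow-list filter (java.io.ObjectInputFilter, Java 9+). Only the classes named
    // here may be instantiated from the stream; the trailing "!*" rejects everything
    // else, so an unexpected class (for example one shipped inside a library on the
    // classpath) is refused before its readObject/readResolve logic can run.
    // java.lang.Number is listed because it is the serializable superclass of Integer.
    // maxdepth caps object-graph nesting as a cheap defence against resource abuse.
    static final ObjectInputFilter ALLOW_LIST = ObjectInputFilter.Config.createFilter(
            "java.lang.String;java.lang.Integer;java.lang.Number;java.util.ArrayList;maxdepth=5;!*");

    // Plain Java serialization of a trusted object (constructed test input).
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserialize with the filter installed on this stream only. A process-wide
    // default can also be set with the jdk.serialFilter system property.
    static Object deserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(ALLOW_LIST);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Expected payload: a list of strings and integers, all on the allow list.
        List<Object> allowed = new ArrayList<>();
        allowed.add("apples");
        allowed.add(42);
        System.out.println("accepted: " + deserialize(serialize(allowed)));

        // java.util.Date is harmless; it is used here only as a constructed stand-in
        // for any Serializable class that the application did not expect to receive.
        try {
            deserialize(serialize(new Date(0)));
            System.out.println("unexpected: Date was accepted");
        } catch (InvalidClassException e) {
            // The filter reports "filter status: REJECTED" and no Date is created.
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac SafeDeserialize.java && java SafeDeserialize` on any JDK 9 or later. The design point is that the check happens on the class descriptor, before an instance exists, which is the only place a deserialization gadget can reliably be stopped; patching the library (as this update does) removes one known gadget, while the filter limits what any future one could reach.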
mga6 x86_64

I have not been able to figure out any way to connect this with Apache or deserialization or anything, and there are no reproducers available, so all we can do is ensure that the language still works at the command-line level.

Installed the groovy18 packages from core/updates_testing.

Tutorial at https://www.pegasoft.ca/docs/groovy.html

Tried out a few totally trivial scripts:
--------------------------------------------------------------------------------------
// File hello.gvy
class Foo {
    int i = 2;
    void print_i( ) {
        println "The value of i is " + i;
    }
}
Foo f = new Foo( );
f.print_i( );
--------------------------------------------------------------------------------------
// File: hash.groovy
applecart = [ "Bramley":11, "GrannySmith":22, "OrangePippin":28, "GoldenDelicious":15 ];
println "The applecart map looks like this: " + applecart;
println "The class of the map is " + applecart.getClass( );
println "The size of the map is " + applecart.size( );
println "The size of an empty map is " + [:].size( );
grannysmiths = applecart['GrannySmith']
println "The number of Granny Smiths is $grannysmiths";
applecart["OrangePippin"] = 24;
println "There are " + applecart["OrangePippin"] + " OrangePippins left";
println "Peaches there are " + applecart["peach"];
// applecart['Bramley'] is the count 11 (not the key name), so the regex below
// never matches and the else branch is taken.
def fruit = applecart['Bramley']
if ( fruit ==~ /^[A-Z].*/ ) {
    println "Looks like these might be apples"
} else {
    println "Cannot be apples"
}
--------------------------------------------------------------------------------------
// File closures.gvy
// Closures
def some_function = { 2 * 2 }
println some_function
println some_function()
some_function = { 2 * it }   // it is a parameter
println some_function( 3 )
--------------------------------------------------------------------------------------
$ groovy hello.gvy
The value of i is 2
$ groovy hash.groovy
The applecart map looks like this: [Bramley:11, GrannySmith:22, OrangePippin:28, GoldenDelicious:15]
The class of the map is class java.util.LinkedHashMap
The size of the map is 4
The size of an empty map is 0
The number of Granny Smiths is 22
There are 24 OrangePippins left
Peaches there are null
Cannot be apples
$ groovy closures.gvy
closures$_run_closure1@d4342c2
4
6

These all look OK, although the negative result of the regular expression check gives cause for concern. That was the same in the tutorial. At this primitive level the software works.
CC: (none) => tarazed25
Whiteboard: MGA5TOO => MGA5TOO MGA6-64-OK
mga5 x86_64

Installed the updates, then tested the set of short scripts that were reported in comment 11. All three yielded the same results but also complained about the java setup, which should be ignored:
"/usr/bin/build-classpath: Could not find jsp Java extension for this JVM
/usr/bin/build-classpath: error: Some specified jars were not found"

Giving this a pass.
Whiteboard: MGA5TOO MGA6-64-OK => MGA5TOO MGA6-64-OK MGA5-64-OK
Advisory from Comment 10. Also validating, tested both releases.
CC: (none) => lewyssmith
Whiteboard: MGA5TOO MGA6-64-OK MGA5-64-OK => MGA5TOO MGA6-64-OK MGA5-64-OK advisory
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0311.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED