Fedora has issued an advisory today (August 31):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/I2E3KU5UUQCI7TN3MCB6I6JI2EE7GR77/

We fixed this in groovy 1.8.x in Mageia 5 a long time ago (Bug 16393), but it looks like Fedora failed to add the fix to the groovy18 package. Our packages are synced with theirs, so we also probably need to fix this again in Mageia 6 and Cauldron.
CC: (none) => geiger.david68210
Whiteboard: (none) => MGA6TOO
Done for Cauldron and also Mageia 6!
Advisory:
========================

Updated groovy18 packages fix security vulnerability:

When an application has Groovy on the classpath and uses the standard Java serialization mechanism to communicate between servers, or to store local data, it is possible for an attacker to bake a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects are subject to this vulnerability (CVE-2015-3253).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3253
http://groovy-lang.org/security.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/I2E3KU5UUQCI7TN3MCB6I6JI2EE7GR77/
========================

Updated packages in core/updates_testing:
========================
groovy18-1.8.9-26.2.mga6
groovy18-lib-1.8.9-26.2.mga6
groovy18-javadoc-1.8.9-26.2.mga6

from groovy18-1.8.9-26.2.mga6.src.rpm
Whiteboard: MGA6TOO => (none)
Assignee: mageia => qa-bugs
CC: (none) => mageia
Version: Cauldron => 6
In VirtualBox, M6, Mate, 64-bit

Package(s) under test:
groovy18 groovy18-lib groovy18-javadoc

default install of groovy18 groovy18-lib & groovy18-javadoc

[root@localhost wilcal]# urpmi groovy18
Package groovy18-1.8.9-26.1.mga6.noarch is already installed
[root@localhost wilcal]# urpmi groovy18-lib
Package groovy18-lib-1.8.9-26.1.mga6.noarch is already installed
[root@localhost wilcal]# urpmi groovy18-javadoc
Package groovy18-javadoc-1.8.9-26.1.mga6.noarch is already installed

All packages installed without error

install groovy18 groovy18-lib & groovy18-javadoc from updates_testing

[root@localhost wilcal]# urpmi groovy18
Package groovy18-1.8.9-26.2.mga6.noarch is already installed
[root@localhost wilcal]# urpmi groovy18-lib
Package groovy18-lib-1.8.9-26.2.mga6.noarch is already installed
[root@localhost wilcal]# urpmi groovy18-javadoc
Package groovy18-javadoc-1.8.9-26.2.mga6.noarch is already installed

All packages updated without error
Whiteboard: (none) => MGA5-64-OK
CC: (none) => wilcal.int
In VirtualBox, M6, Mate, 32-bit

Package(s) under test:
groovy18 groovy18-lib groovy18-javadoc

default install of groovy18 groovy18-lib & groovy18-javadoc

[root@localhost wilcal]# urpmi groovy18
Package groovy18-1.8.9-26.1.mga6.noarch is already installed
[root@localhost wilcal]# urpmi groovy18-lib
Package groovy18-lib-1.8.9-26.1.mga6.noarch is already installed
[root@localhost wilcal]# urpmi groovy18-javadoc
Package groovy18-javadoc-1.8.9-26.1.mga6.noarch is already installed

All packages installed without error

install groovy18 groovy18-lib & groovy18-javadoc from updates_testing

[root@localhost wilcal]# urpmi groovy18
Package groovy18-1.8.9-26.2.mga6.noarch is already installed
[root@localhost wilcal]# urpmi groovy18-lib
Package groovy18-lib-1.8.9-26.2.mga6.noarch is already installed
[root@localhost wilcal]# urpmi groovy18-javadoc
Package groovy18-javadoc-1.8.9-26.2.mga6.noarch is already installed

All packages updated without error
Whiteboard: MGA5-64-OK => MGA5-32-OK MGA5-64-OK
I'm going to validate this in 24 hours unless someone can come up with a simple test procedure.
Whiteboard: MGA5-32-OK MGA5-64-OK => MGA6-32-OK MGA6-64-OK
Re comment 5. OK Bill. Looking back it seems I tested this, possibly on mga5 and found a tutorial and adapted some simple scripts to make sure groovy worked. I shall run the same basic tests and then you can go ahead. Thanks.
CC: (none) => tarazed25
mga6 x86_64

Installed the groovy18 packages from core/updates testing.
Tried out a few totally trivial scripts adapted from examples at:
https://www.pegasoft.ca/docs/groovy.html
--------------------------------------------------------------------------------------
// File hello.gvy
class Foo {
  int i = 2;
  void print_i( ) {
    println "The value of i is " + i;
  }
}
Foo f = new Foo( );
f.print_i( );
--------------------------------------------------------------------------------------
// File: hash.groovy
applecart = [ "Bramley":11, "GrannySmith":22, "OrangePippin":28, "GoldenDelicious":15 ];
println "The applecart map looks like this: " + applecart;
println "The class of the map is " + applecart.getClass( );
println "The size of the map is " + applecart.size( );
println "The size of an empty map is " + [:].size( );
grannysmiths = applecart['GrannySmith']
println "The number of Granny Smiths is $grannysmiths";
applecart["OrangePippin"] = 24;
println "There are " + applecart["OrangePippin"] + " OrangePippins left";
println "Peaches there are " + applecart["peach"];
def fruit = applecart['Bramley']
if ( fruit ==~ /^[A-Z].*/ ) {
  println "Looks like these might be apples"
} else {
  println "Cannot be apples"
}
--------------------------------------------------------------------------------------
// File closures.gvy
// Closures
def some_function = { 2 * 2 }
println some_function
println some_function()
some_function = { 2 * it } // it is a parameter
println some_function( 3 )
--------------------------------------------------------------------------------------
$ groovy hello.gvy
The value of i is 2
$ groovy hash.groovy
The applecart map looks like this: [Bramley:11, GrannySmith:22, OrangePippin:28, GoldenDelicious:15]
The class of the map is class java.util.LinkedHashMap
The size of the map is 4
The size of an empty map is 0
The number of Granny Smiths is 22
There are 24 OrangePippins left
Peaches there are null
Cannot be apples
$ groovy closures.gvy
closures$_run_closure1@d4342c2
4
6

These all look OK. The negative result of the regular expression check was the same in the tutorial.
At this primitive level the software works.
This update works fine.
Testing complete for MGA5, 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push to updates.
Thanks
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA6-32-OK MGA6-64-OK => MGA6-32-OK MGA6-64-OK advisory
CC: (none) => lewyssmith
Moving 'advisory' from whiteboard to keywords now that madb has been updated to handle that keyword.
Keywords: (none) => advisory
Whiteboard: MGA6-32-OK MGA6-64-OK advisory => MGA6-32-OK MGA6-64-OK
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0333.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED