RedHat has issued an advisory on May 31: https://access.redhat.com/errata/RHSA-2018:1780 Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO
Fedora has issued an advisory for this on June 2: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/5AEMJ2ZNFZVGVMACAZMQQCBOFBVUTNZA/ There was also another CVE.
Summary: xmlrpc new security issue CVE-2016-5003 => xmlrpc new security issues CVE-2016-500[23]
Status comment: (none) => Patches available from Fedora
Fixed in xmlrpc-3.1.3-73.mga7 in Cauldron.
Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
Advisory:
========================

Updated xmlrpc packages fix security vulnerabilities:

XML external entity (XXE) vulnerability in the Apache XML-RPC (aka ws-xmlrpc) library 3.1.3, as used in Apache Archiva, allows remote attackers to conduct server-side request forgery (SSRF) attacks via a crafted DTD (CVE-2016-5002).

A flaw was discovered in the Apache XML-RPC (ws-xmlrpc) library that deserializes untrusted data when the enabledForExtensions setting is enabled. A remote attacker could use this vulnerability to execute arbitrary code via a crafted serialized Java object in a <ex:serializable> element (CVE-2016-5003).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5002
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5003
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/5AEMJ2ZNFZVGVMACAZMQQCBOFBVUTNZA/
========================

Updated packages in core/updates_testing:
========================

xmlrpc-javadoc-3.1.3-70.1.mga6
xmlrpc-common-3.1.3-70.1.mga6
xmlrpc-client-3.1.3-70.1.mga6
xmlrpc-server-3.1.3-70.1.mga6

from xmlrpc-3.1.3-70.1.mga6.src.rpm
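The two constructs the advisory names (a DTD in the request, and an <ex:serializable> element that the library only accepts with enabledForExtensions on) can be checked for on an inbound request body before it reaches the library, which is also a way to review logged requests for exposure. The inspector below is an added example, not code from this bug report or from ws-xmlrpc; it assumes the extension namespace URI the library uses and the sample requests are constructed.

```python
"""Inspect an XML-RPC request body for the constructs behind CVE-2016-5002 (DTD,
XXE/SSRF) and CVE-2016-5003 (<ex:serializable>, Java deserialization).
No external entity handler is installed, so inspecting never fetches anything."""
import xml.parsers.expat

# Assumption: namespace of the ws-xmlrpc extension elements (from XmlRpcWriter).
EXT_NS = "http://ws.apache.org/xmlrpc/namespaces/extensions"

# Constructed sample requests (not captured traffic).
BENIGN = (b"<?xml version='1.0'?><methodCall><methodName>echo</methodName>"
          b"<params><param><value><string>hi</string></value></param></params></methodCall>")
WITH_DTD = (b"<?xml version='1.0'?><!DOCTYPE methodCall SYSTEM 'http://dtd.example/x.dtd'>"
            b"<methodCall><methodName>echo</methodName></methodCall>")
WITH_EXT = (b"<?xml version='1.0'?><methodCall><methodName>echo</methodName><params><param>"
            b"<value><ex:serializable xmlns:ex='" + EXT_NS.encode() + b"'>AAAA</ex:serializable>"
            b"</value></param></params></methodCall>")


class _Finding(Exception):
    """Raised from a handler to stop parsing as soon as a risky construct is seen."""


def inspect_xmlrpc_request(body: bytes) -> list:
    """Return findings for the body; an empty list means nothing suspicious."""
    findings = []
    # namespace_separator makes element names "<uri> <local>" (no uri: just "<local>").
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")

    def on_doctype(name, sysid, pubid, has_internal_subset):
        findings.append(f"DOCTYPE for <{name}>: DTD present (XXE/SSRF, CVE-2016-5002)")
        raise _Finding()  # stop before any entity declaration is processed

    def on_start(name, attrs):
        ns, _, local = name.rpartition(" ")
        if local == "serializable":
            tag = "<ex:serializable>" if ns == EXT_NS else f"<serializable> in ns '{ns}'"
            findings.append(f"{tag}: serialized Java object (CVE-2016-5003)")
            raise _Finding()

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    try:
        parser.Parse(body, True)
    except _Finding:
        pass
    except xml.parsers.expat.ExpatError as exc:
        findings.append(f"malformed XML: {exc}")
    return findings


if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("dtd", WITH_DTD), ("ext", WITH_EXT)):
        print(label, inspect_xmlrpc_request(body))
```

A request flagged here should be rejected before dispatch; on the library side, leaving enabledForExtensions off removes the CVE-2016-5003 path regardless of the request content.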
Assignee: java => qa-bugs
Could not find anything useful for QA testing in the CVE links. Have no idea how to start the|a client or server or what ws-xmlrpc means. Handing this one over to whomsoever.

$ locate xmlrpc-client
/usr/share/java/xmlrpc-client.jar
/usr/share/maven-metadata/xmlrpc-xmlrpc-client.xml
/usr/share/maven-poms/xmlrpc-client.pom

$ locate xmlrpc | grep jar
/usr/share/java/xmlrpc-client.jar
/usr/share/java/xmlrpc-common.jar
/usr/share/java/xmlrpc-server.jar
/usr/share/java/pycharm-community/lib/xmlrpc-2.0.1.jar

# java -jar /usr/share/java/xmlrpc-client.jar
no main manifest attribute, in /usr/share/java/xmlrpc-client.jar
CC: (none) => tarazed25
Just a clean update will do.
MGA6-32 MATE on IBM Thinkpad R50e

No installation issues, so according to Comment 5, it's OK.

Just for the curious, I found a "simple" example at https://www.tutorialspoint.com/xml-rpc/xml_rpc_examples.htm but that's over my head; someone else more educated in Java might find it interesting enough.
Whiteboard: (none) => MGA6-32-OK
CC: (none) => herman.viaene
(In reply to David Walser from comment #5)
> Just a clean update will do.

On M6/6 did just that; unsure exactly what Len & Herman had done.

BEFORE update, installed:
xmlrpc-server-3.1.3-70.mga6
xmlrpc-client-3.1.3-70.mga6
xmlrpc-javadoc-3.1.3-70.mga6
xmlrpc-common-3.1.3-70.mga6

The UPDATE was seamless:
xmlrpc-server-3.1.3-70.1.mga6
xmlrpc-client-3.1.3-70.1.mga6
xmlrpc-javadoc-3.1.3-70.1.mga6
xmlrpc-common-3.1.3-70.1.mga6

Validating; advisory from comment 3.
Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK
Keywords: (none) => advisory, validated_update
CC: (none) => lewyssmith, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0002.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED