RedHat has issued an advisory on May 31:
Mageia 5 and Mageia 6 are also affected.
Fedora has issued an advisory for this on June 2:
There was also another CVE.
xmlrpc new security issue CVE-2016-5003 =>
xmlrpc new security issues CVE-2016-500
Status comment: Patches available from Fedora
Fixed in xmlrpc-3.1.3-73.mga7 in Cauldron.
Updated xmlrpc packages fix security vulnerabilities:
XML external entity (XXE) vulnerability in the Apache XML-RPC (aka ws-xmlrpc)
library 3.1.3, as used in Apache Archiva, allows remote attackers to conduct
server-side request forgery (SSRF) attacks via a crafted DTD (CVE-2016-5002).
A flaw was discovered in the Apache XML-RPC (ws-xmlrpc) library that
deserializes untrusted data when the enabledForExtensions setting is enabled. A
remote attacker could use this vulnerability to execute arbitrary code via a
crafted serialized Java object in a <ex:serializable> element (CVE-2016-5003).
Updated packages in core/updates_testing:
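The advisory above names two constructs a server should never see from an untrusted peer: a DTD in the request (CVE-2016-5002) and an <ex:serializable> element (CVE-2016-5003). As an added example, not part of this bug report or of the ws-xmlrpc project, the following Python pre-check inspects a raw XML-RPC request body for both before it reaches the XML-RPC library; the sample requests are constructed, and the extensions namespace URI is the one Apache XML-RPC uses for its ex: prefix.

```python
"""Defender-side pre-check for XML-RPC request bodies.

Flags the two request constructs behind CVE-2016-5002 (any DOCTYPE/DTD)
and CVE-2016-5003 (an <ex:serializable> element, i.e. a Java object to be
deserialized) so a front end can reject them before the library parses them.
"""
import xml.parsers.expat

# Namespace Apache XML-RPC binds to the "ex:" vendor-extension prefix.
EXTENSIONS_NS = "http://ws.apache.org/xmlrpc/namespaces/extensions"

# Constructed sample requests (not captured traffic).
_HEAD = b'<?xml version="1.0"?>'
SAMPLES = {
    "benign": _HEAD + b"<methodCall><methodName>ping</methodName>"
    b"<params><param><value><string>hi</string></value></param></params>"
    b"</methodCall>",
    # External DTD reference: the library would process it (SSRF/XXE class).
    "dtd": _HEAD + b'<!DOCTYPE methodCall SYSTEM "http://127.0.0.1/x.dtd">'
    b"<methodCall><methodName>ping</methodName></methodCall>",
    # ex:serializable carries a base64 Java object; "QUJD" is a dummy value.
    "serializable": _HEAD + b'<methodCall xmlns:ex="' + EXTENSIONS_NS.encode()
    + b'"><methodName>ping</methodName><params><param><value>'
    b"<ex:serializable>QUJD</ex:serializable></value></param></params>"
    b"</methodCall>",
}


def inspect_request(body: bytes) -> list:
    """Return findings for one request body; an empty list means clean."""
    findings = []
    # With namespace_separator, expat reports element names as "<uri> <local>",
    # so the check is on the bound namespace, not on the literal "ex" prefix.
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")

    def on_doctype(name, sysid, pubid, has_internal_subset):
        findings.append("dtd")  # any DTD at all is rejected

    def on_start(name, attrs):
        if name == f"{EXTENSIONS_NS} serializable":
            findings.append("ex:serializable")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    try:
        parser.Parse(body, True)  # expat does not fetch external entities here
    except xml.parsers.expat.ExpatError as exc:
        findings.append(f"malformed: {exc}")
    return findings


def is_safe(body: bytes) -> bool:
    """True only when no DTD, no ex:serializable and well-formed XML."""
    return not inspect_request(body)
```

A proxy or servlet filter calling is_safe() on the body before dispatch gives a second layer beyond keeping enabledForExtensions off on the server configuration.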
Could not find anything useful for QA testing in the CVE links.
Have no idea how to start the|a client or server or what ws-xmlrpc means.
Handing this one over to whomsoever.
$ locate xmlrpc-client
$ locate xmlrpc | grep jar
# java -jar /usr/share/java/xmlrpc-client.jar
no main manifest attribute, in /usr/share/java/xmlrpc-client.jar
Just a clean update will do.
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues, so according to Comment 5, it's OK.
Just for the curious, I found a "simple" example at https://www.tutorialspoint.com/xml-rpc/xml_rpc_examples.htm
but that's over my head; someone else more educated in Java might find it interesting enough.
(In reply to David Walser from comment #5)
> Just a clean update will do.
On M6/6 did just that; unsure exactly what Len & Herman had done.
BEFORE update, installed:
The UPDATE was seamless:
Validating; advisory from comment 3.
An update for this issue has been pushed to the Mageia Updates repository.