Bug 23502 - axis new security issue CVE-2018-8032
Summary: axis new security issue CVE-2018-8032
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-32-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-08-29 20:54 CEST by David Walser
Modified: 2018-11-03 12:56 CET

See Also:
Source RPM: axis-1.4-34.mga7.src.rpm
CVE:
Status comment:


Description David Walser 2018-08-29 20:54:12 CEST
Fedora has issued an advisory on August 23:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/Q5PSL3445FAECTG4YYE7GBG6QIR75LAK/

Mageia 5 and Mageia 6 are also affected.
Comment 1 Marja Van Waes 2018-08-30 20:03:32 CEST
Assigning to the java stack maintainers, CC'ing the registered maintainer and a committer.

CC: (none) => geiger.david68210, mageia, marja11
Assignee: bugsquad => java

Comment 2 David Walser 2018-10-23 16:58:03 CEST
openSUSE has issued an advisory for this on October 18:
https://lists.opensuse.org/opensuse-updates/2018-10/msg00103.html
Comment 3 David GEIGER 2018-10-24 08:01:36 CEST
axis on Cauldron can be removed; nothing requires it anymore now!
Comment 4 David Walser 2018-10-24 17:35:11 CEST
Thanks!  Added to task-obsolete in Cauldron (not pushed yet).

Version: Cauldron => 6

Comment 5 David GEIGER 2018-10-25 08:05:01 CEST
Fixed for mga6!
Comment 6 David Walser 2018-10-25 16:17:54 CEST
Advisory:
========================

Updated axis packages fix security vulnerability:

Apache Axis 1.x up to and including 1.4 is vulnerable to a cross-site scripting
(XSS) attack in the default servlet/services (CVE-2018-8032).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8032
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/Q5PSL3445FAECTG4YYE7GBG6QIR75LAK/
========================

Updated packages in core/updates_testing:
========================
axis-1.4-32.1.mga6
axis-javadoc-1.4-32.1.mga6
axis-manual-1.4-32.1.mga6

from axis-1.4-32.1.mga6.src.rpm

Assignee: java => qa-bugs

Comment 7 Herman Viaene 2018-10-30 13:20:12 CET
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues.
Ref to bug 14103 Comment 3: clean install is sufficient. OK with me.

Whiteboard: (none) => MGA6-32-OK
CC: (none) => herman.viaene

Comment 8 Thomas Andrews 2018-11-02 14:46:03 CET
Validating. Advisory in comment 6.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2018-11-03 11:47:17 CET

CC: (none) => tmb
Keywords: (none) => advisory

Comment 9 Mageia Robot 2018-11-03 12:56:30 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0431.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

