openSUSE has issued an advisory on September 28:
https://lists.opensuse.org/opensuse-updates/2018-09/msg00174.html

The issue is fixed upstream in 2.1.1.

Mageia 6 is also affected.
Whiteboard: (none) => MGA6TOO
Assigning to the registered maintainer. Also CC'ing some committers.
Assignee: bugsquad => mageia
CC: (none) => geiger.david68210, marja11, pterjan
Upstream patch applies to 2.0.0, but package doesn't build:
http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20190203011009.luigiwalser.duvel.37065/log/dom4j-2.0.0-4.mga7/build.0.20190203011109.log

All but one hunk of openSUSE patch applies to Mageia 6 version if you run dos2unix on the Java files, so it should be fixable there.
Status comment: (none) => Fixed upstream in 2.1.1
Fixed for Cauldron!
Now fixed for mga6!
Thanks David!

Advisory:
========================

Updated dom4j packages fix security vulnerability:

dom4j version prior to version 2.1.1 contains an XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appears to be exploitable via an attacker specifying attributes or elements in the XML document (CVE-2018-1000632).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000632
https://lists.opensuse.org/opensuse-updates/2018-09/msg00174.html
========================

Updated packages in core/updates_testing:
========================
dom4j-1.6.1-28.1.mga6
dom4j-demo-1.6.1-28.1.mga6
dom4j-manual-1.6.1-28.1.mga6
dom4j-javadoc-1.6.1-28.1.mga6

from dom4j-1.6.1-28.1.mga6.src.rpm
Assignee: mageia => qa-bugs
Status comment: Fixed upstream in 2.1.1 => (none)
Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)
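For applications that pass externally supplied names to addElement or addAttribute and cannot yet take the update, a caller-side name check can be used, shown here as an added example (not dom4j's code and not the upstream or openSUSE patch). The class XmlNameGuard, its methods and the sample inputs are hypothetical, and the pattern is a deliberately conservative ASCII subset of the XML name grammar.

```java
import java.util.regex.Pattern;

public class XmlNameGuard {
    // Assumption: the application only needs ASCII names. This is a strict
    // subset of the XML 1.0 NCName production, so it never accepts a name
    // that XML itself would forbid.
    private static final Pattern NCNAME =
            Pattern.compile("[A-Za-z_][A-Za-z0-9_.\\-]*");

    /** Accepts "local" or "prefix:local"; rejects everything else. */
    static boolean isSafeQName(String name) {
        if (name == null || name.isEmpty()) {
            return false;
        }
        // limit -1 keeps empty parts, so ":a", "a:" and "a::b" are rejected
        String[] parts = name.split(":", -1);
        if (parts.length > 2) {
            return false;
        }
        for (String part : parts) {
            // matches() must consume the whole string, so a trailing
            // newline or markup character cannot slip through
            if (!NCNAME.matcher(part).matches()) {
                return false;
            }
        }
        return true;
    }

    /** Gate to call before handing a name to the document builder. */
    static String requireSafeQName(String name) {
        if (!isSafeQName(name)) {
            throw new IllegalArgumentException("illegal XML name rejected");
        }
        return name;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: legal names first, then malformed ones.
        String[] samples = {"item", "ns:item", "data-id", "_x.1",
                "1item", "a b", "item><extra", "id=\"1\" other", "a:b:c", ":a", ""};
        for (String s : samples) {
            System.out.printf("%-18s %s%n", "[" + s + "]",
                    isSafeQName(s) ? "accept" : "reject");
        }
    }
}
```

Intended use is to wrap the name argument, for example `root.addElement(XmlNameGuard.requireSafeQName(userSuppliedName))`, so a malformed name fails before it reaches the document.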
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues

Trying to find some example of usage, but I keep running into problems. I guess some more Java stuff is needed to compile one of those, I keep getting errors like:

$ javac dom4j.java
dom4j.java:7: error: class Foo is public, should be declared in a file named Foo.java
public class Foo {
^
dom4j.java:3: error: package org.dom4j does not exist
import org.dom4j.Document;
^
dom4j.java:4: error: package org.dom4j does not exist
import org.dom4j.DocumentException;

At least it installs cleanly.
CC: (none) => herman.viaene
Clean upgrades are a sufficient test for Java stack packages.
Whiteboard: (none) => MGA6-32-OK
Keywords: (none) => advisory, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0077.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED