RedHat has issued an advisory today (October 22): https://access.redhat.com/errata/RHSA-2019:3172 The issue is fixed upstream in 2.0.3 and 2.1.1, according to the RedHat bug: https://bugzilla.redhat.com/show_bug.cgi?id=1620529 Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
Status comment: (none) => Fixed upstream in 2.0.3
Debian-LTS has issued an advisory on May 1: https://www.debian.org/lts/security/2020/dla-2191 The issue is fixed upstream in 2.0.3 and 2.1.3, according to the RedHat bug: https://bugzilla.redhat.com/show_bug.cgi?id=1694235 The SUSE bug has links to upstream commits that fixed the issue: https://bugzilla.suse.com/show_bug.cgi?id=1169760
Summary: dom4j new security issue CVE-2018-1000632 => dom4j new security issues CVE-2018-1000632 and CVE-2020-10683
Ubuntu has issued an advisory for this first issue today (November 5): https://ubuntu.com/security/notices/USN-4619-1
CVE: (none) => CVE-2020-10683
CC: (none) => zombie_ryushu
Fixed in dom4j-2.0.0-6.mga8.
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
Status comment: Fixed upstream in 2.0.3 => Fixed upstream in 2.0.3, patches in Cauldron
fixed in mga7 src: dom4j-2.0.0-4.1.mga7
CC: (none) => mageia
Assignee: java => qa-bugs
CVE-2018-1000632 was already patched before Mageia 7.

Advisory:
========================

Updated dom4j packages fix security vulnerability:

A flaw was found in the dom4j library. By using the default SaxReader() provided by Dom4J, external DTDs and External Entities are allowed, resulting in a possible XXE (CVE-2020-10683).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10683
https://www.debian.org/lts/security/2020/dla-2191
========================

Updated packages in core/updates_testing:
========================
dom4j-2.0.0-4.1.mga7
dom4j-javadoc-2.0.0-4.1.mga7

from dom4j-2.0.0-4.1.mga7.src.rpm
Status comment: Fixed upstream in 2.0.3, patches in Cauldron => (none)
From Wikipedia: "dom4j is an open-source Java library for working with XML, XPath and XSLT. It is compatible with DOM, SAX and JAXP standards." This sounds like developer stuff, and beyond the scope of QA. Passing this on the basis of a clean install. Validating. Advisory in Comment 5.
Keywords: (none) => validated_update
Whiteboard: (none) => MGA7-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs
No installation issues.

Reaching all the way back to Bug 13326 for a testing procedure... (Thank you, Claire!)

$ python
Python 2.7.18 (default, Nov 20 2020, 06:51:30)
[GCC 8.4.0] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from lxml.html.clean import clean_html
>>>
>>> html = '''\
... <html>
... <body>
... <a href="javascript:alert(0)">
... aaa</a>
... <a href="javas\x01cript:alert(1)">bbb</a>
... <a href="javas\x02cript:alert(1)">bbb</a>
... <a href="javas\x03cript:alert(1)">bbb</a>
... <a href="javas\x04cript:alert(1)">bbb</a>
... <a href="javas\x05cript:alert(1)">bbb</a>
... <a href="javas\x06cript:alert(1)">bbb</a>
... <a href="javas\x07cript:alert(1)">bbb</a>
... <a href="javas\x08cript:alert(1)">bbb</a>
... <a href="javas\x09cript:alert(1)">bbb</a>
... </body>
... </html>'''
>>>
>>> print clean_html(html)
<div>
<body>
<a href="">
aaa</a>
<a href="">bbb</a>
<a href="">bbb</a>
<a href="">bbb</a>
<a href="">bbb</a>
<a href="">bbb</a>
<a href="">bbb</a>
<a href="">bbb</a>
<a href="">bbb</a>
<a href="">bbb</a>
</body>
</div>

This result is the same as that in Bug 13326, so I'm passing this on. Validating. Advisory in Comment 5.
oops. Comment 7 is for another bug.
Advisory pushed to SVN.
Keywords: (none) => advisory
CC: (none) => ouaurelien
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0034.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED