Bug 25765 - apache-commons-beanutils new security issue CVE-2019-10086
Summary: apache-commons-beanutils new security issue CVE-2019-10086
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-11-26 22:07 CET by David Walser
Modified: 2019-11-27 18:38 CET
1 user

See Also:
Source RPM: apache-commons-beanutils-1.9.3-2.mga7.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2019-11-26 22:07:01 CET
openSUSE has issued an advisory on September 3:
https://lists.opensuse.org/opensuse-updates/2019-09/msg00017.html

The issue is fixed upstream in 1.9.4.
David Walser 2019-11-26 22:07:11 CET

CC: (none) => geiger.david68210

Comment 1 David GEIGER 2019-11-27 14:40:51 CET
Done updating to 1.9.4 release!

Also note that I have to rebuild apache-commons-collections to regenerate OSGi metadata and to make it build.
Comment 2 David Walser 2019-11-27 18:38:25 CET
Advisory:
========================

Updated apache-commons-beanutils packages fix security vulnerability:

In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added
which allows suppressing the ability for an attacker to access the classloader
via the class property available on all Java objects. We, however, were not
using this by-default characteristic of the PropertyUtilsBean (CVE-2019-10086).

Also, the apache-commons-collections package has been rebuilt to regenerate the
OSGi metadata, to allow the apache-commons-beanutils package to build.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10086
https://lists.opensuse.org/opensuse-updates/2019-09/msg00017.html
========================

Updated packages in core/updates_testing:
========================
apache-commons-collections-3.2.2-7.1.mga7
apache-commons-collections-testframework-3.2.2-7.1.mga7
apache-commons-collections-javadoc-3.2.2-7.1.mga7
apache-commons-beanutils-1.9.4-1.mga7
apache-commons-beanutils-javadoc-1.9.4-1.mga7

from SRPMS:
apache-commons-collections-3.2.2-7.1.mga7.src.rpm
apache-commons-beanutils-1.9.4-1.mga7.src.rpm

Assignee: java => qa-bugs
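The mitigation the advisory describes, as an added Java example that is not part of this bug report, of the Mageia packages or of the Apache project: on commons-beanutils 1.9.2 and 1.9.3 the SuppressPropertiesBeanIntrospector exists but is not registered, so "class" is still resolvable as a bean property; registering SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS on the shared PropertyUtilsBean is what 1.9.4 now does by default. The `Account` bean and the helper names `exposesClassProperty` and `hardenSharedInstance` are constructed for this example; the org.apache.commons.beanutils classes and methods are the library's own and are assumed to be on the classpath at version 1.9.2 or later.

```java
// Added example (not from the bug report or the project): check whether the
// "class" bean property is exposed through commons-beanutils, then register
// the suppressing introspector that 1.9.4 enables by default (CVE-2019-10086).
import java.beans.PropertyDescriptor;
import java.util.Arrays;

import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class BeanUtilsClassPropertyCheck {

    // Constructed sample bean with a single legitimate property.
    public static class Account {
        private String owner = "alice";
        public String getOwner() { return owner; }
        public void setOwner(String owner) { this.owner = owner; }
    }

    /** True if "class" shows up as a readable property of the bean, i.e. the
     *  default java.beans introspection result has not been filtered. */
    static boolean exposesClassProperty(PropertyUtilsBean pub, Object bean) {
        return Arrays.stream(pub.getPropertyDescriptors(bean))
                .map(PropertyDescriptor::getName)
                .anyMatch("class"::equals);
    }

    /** Registers SUPPRESS_CLASS on the shared instance that BeanUtils.populate()
     *  and copyProperties() use, then drops cached descriptors so classes that
     *  were already introspected are re-evaluated with the new introspector. */
    static void hardenSharedInstance() {
        PropertyUtilsBean pub = BeanUtilsBean.getInstance().getPropertyUtils();
        pub.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        pub.clearDescriptors();
    }

    public static void main(String[] args) {
        PropertyUtilsBean pub = BeanUtilsBean.getInstance().getPropertyUtils();
        Account bean = new Account();

        // On 1.9.2/1.9.3 this reports true: "class" is a readable property, so a
        // populate() driven by untrusted keys can reach the object's Class and
        // its classloader. On 1.9.4 it already reports false.
        System.out.println("class property exposed: "
                + exposesClassProperty(pub, bean));

        hardenSharedInstance();

        // After registration the property is hidden from every lookup that goes
        // through the shared PropertyUtilsBean, so this reports false.
        System.out.println("class property exposed after hardening: "
                + exposesClassProperty(pub, bean));
    }
}
```

BeanUtilsBean.getInstance() is held per context classloader, so in a container each web application has to run the registration itself (typically once at startup); code that constructs its own PropertyUtilsBean must add the introspector to that instance as well. Upgrading to 1.9.4, as the update here does, removes the need for the manual step.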

