openSUSE has issued an advisory on September 3: https://lists.opensuse.org/opensuse-updates/2019-09/msg00017.html The issue is fixed upstream in 1.9.4.
CC: (none) => geiger.david68210
Done updating to 1.9.4 release! Also note that I have to rebuild apache-commons-collections to regenerate OSGi metadata and to make it build.
Advisory:
========================

Updated apache-commons-beanutils packages fix security vulnerability:

In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however, were not using this by default characteristic of the PropertyUtilsBean (CVE-2019-10086).

Also, the apache-commons-collections package has been rebuilt to regenerate the OSGi metadata, to allow the apache-commons-beanutils package to build.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10086
https://lists.opensuse.org/opensuse-updates/2019-09/msg00017.html
========================

Updated packages in core/updates_testing:
========================
apache-commons-collections-3.2.2-7.1.mga7
apache-commons-collections-testframework-3.2.2-7.1.mga7
apache-commons-collections-javadoc-3.2.2-7.1.mga7
apache-commons-beanutils-1.9.4-1.mga7
apache-commons-beanutils-javadoc-1.9.4-1.mga7

from SRPMS:
apache-commons-collections-3.2.2-7.1.mga7.src.rpm
apache-commons-beanutils-1.9.4-1.mga7.src.rpm
Assignee: java => qa-bugs
MGA7-64 Plasma on Lenovo B50
No installation issues.
httpd was not running before installation.
After installation:
# systemctl start httpd
# systemctl -l status httpd
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
   Active: active (running) since Tue 2019-12-17 09:44:54 CET; 4s ago
 Main PID: 32109 (httpd)
   Status: "Processing requests..."
   Memory: 12.4M
   CGroup: /system.slice/httpd.service
           ├─32109 /usr/sbin/httpd -DFOREGROUND
           ├─32111 /usr/sbin/httpd -DFOREGROUND
           ├─32112 /usr/sbin/httpd -DFOREGROUND
           ├─32113 /usr/sbin/httpd -DFOREGROUND
           ├─32115 /usr/sbin/httpd -DFOREGROUND
           └─32116 /usr/sbin/httpd -DFOREGROUND

dec 17 09:44:54 mach5.hviaene.thuis systemd[1]: Starting The Apache HTTP Server...
dec 17 09:44:54 mach5.hviaene.thuis systemd[1]: Started The Apache HTTP Server.

I have no idea for further tests, no previous updates found.
CC: (none) => herman.viaene
This package has nothing to do with Apache. It's Java stuff. Just test that it updates cleanly and that's sufficient.
Whiteboard: (none) => MGA7-64-OK
Validating. Advisory in Comment 2.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => tmb
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0399.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED