Fedora has issued an advisory on October 25:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/O53NXVKMF7PJCPMCJQHLMSYCUGDHGBVE/

The issue is fixed upstream in 4.6.2, already in Cauldron and referencing this CVE in the commit message without filing a bug!
Done for mga7!
Advisory:
========================

Updated jss packages fix security vulnerability:

A flaw was found in the "Leaf and Chain" OCSP policy implementation in JSS' CryptoManager, where it implicitly trusted the root certificate of a certificate chain. Applications using this policy may not properly verify the chain and could be vulnerable to attacks such as Man in the Middle (CVE-2019-14823).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14823
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/O53NXVKMF7PJCPMCJQHLMSYCUGDHGBVE/
========================

Updated packages in core/updates_testing:
========================
jss-4.6.2-1.mga7
jss-javadoc-4.6.2-1.mga7

from jss-4.6.2-1.mga7.src.rpm
Assignee: geiger.david68210 => qa-bugs
CC: (none) => geiger.david68210
MGA7-64 Plasma on Lenovo B50
No installation issues
Tried to find a useful test
# urpmq --whatrequires jss
idm-console-framework
jss
jss-javadoc
ldapjdk
so installed idm-console-framework, but any jar I tried like:
java -jar /usr/share/java/idm-console-mcc.jar
gives
no main manifest attribute, in /usr/share/java/idm-console-mcc.jar
Giving up, java stuff to OK on clean install?
CC: (none) => herman.viaene
Clean upgrade is sufficient.
Whiteboard: (none) => MGA7-64-OK
Validating. Advisory in Comment 2.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => tmb
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0018.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED