A security issue in Apache xmlrpc has been announced today (January 16):
https://www.openwall.com/lists/oss-security/2020/01/16/1
It doesn't sound like there's a fix available yet. Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
A PoC is available: https://www.openwall.com/lists/oss-security/2020/01/24/2
RedHat has issued an advisory for this on January 30:
https://access.redhat.com/errata/RHSA-2020:0310
Patch attached to the bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1775193
Status comment: (none) => Patch available from RedHat
Debian-LTS has issued an advisory for this today (January 30): https://www.debian.org/lts/security/2020/dla-2078
Done for both Cauldron and mga7!
CC: (none) => geiger.david68210
Advisory:
========================
Updated xmlrpc packages fix security vulnerability:
A flaw was discovered where the XMLRPC client implementation in Apache XMLRPC performed deserialization of the server-side exception serialized in the faultCause attribute of XMLRPC error response messages. A malicious or compromised XMLRPC server could possibly use this flaw to execute arbitrary code with the privileges of an application using the Apache XMLRPC client library (CVE-2019-17570).
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17570
https://access.redhat.com/errata/RHSA-2020:0310
========================
Updated packages in core/updates_testing:
========================
xmlrpc-javadoc-3.1.3-73.1.mga7
xmlrpc-common-3.1.3-73.1.mga7
xmlrpc-client-3.1.3-73.1.mga7
xmlrpc-server-3.1.3-73.1.mga7
from xmlrpc-3.1.3-73.1.mga7.src.rpm
Whiteboard: MGA7TOO => (none)
Assignee: java => qa-bugs
Status comment: Patch available from RedHat => (none)
Version: Cauldron => 7
MGA7-64 Plasma on Lenovo B50
No installation issues. On the authority as expressed in bug 23105, OK on clean install.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK
Validating. Advisory in Comment 5.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0077.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED