SUSE has issued an advisory today (April 14): http://lists.suse.com/pipermail/sle-security-updates/2020-April/006708.html Mageia 7 is also affected.
URL: (none) => https://nvd.nist.gov/vuln/detail/CVE-2019-13990
CVE: (none) => CVE-2019-13990
CC: (none) => zombie_ryushu
Not available in Cauldron anymore.
Version: Cauldron => 7
CC: (none) => mageia
Fixed in mga7:
src:
- quartz-2.2.1-9.1.mga7
Assignee: java => qa-bugs
Advisory:
========================

Updated quartz packages fix security vulnerability:

initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description (CVE-2019-13990).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13990
https://lists.suse.com/pipermail/sle-security-updates/2020-April/006708.html
========================

Updated packages in core/updates_testing:
========================
quartz-2.2.1-9.1.mga7
quartz-javadoc-2.2.1-9.1.mga7

from quartz-2.2.1-9.1.mga7.src.rpm
No installation issues.

Searched in vain for a previous update of quartz. Looked at the file list, saw a read.me, no help there. Lots of html files in quartz-javadoc, all developer-type stuff beyond ordinary QA testing.

Description reads:

Quartz is a job scheduling system that can be integrated with, or used along side virtually any J2EE or J2SE application. Quartz can be used to create simple or complex schedules for executing tens, hundreds, or even tens-of-thousands of jobs; jobs whose tasks are defined as standard Java components or EJBs.

Sounds far too complex for QA. Since Comment 1 indicates this has been dropped from Mageia 8, I'm going to pass this along on a clean install.

Validating. Advisory in Comment 3.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: (none) => MGA7-64-OK
Advisory committed to SVN.
CC: (none) => ouaurelien
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0133.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED