Bug 26481 - quartz new security issue CVE-2019-13990
Summary: quartz new security issue CVE-2019-13990
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://nvd.nist.gov/vuln/detail/CVE-...
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-04-14 22:29 CEST by David Walser
Modified: 2021-03-14 22:22 CET
5 users in CC

See Also:
Source RPM: quartz-2.2.1-10.mga8.src.rpm
CVE: CVE-2019-13990
Status comment:


Attachments

Description David Walser 2020-04-14 22:29:33 CEST
SUSE has issued an advisory today (April 14):
http://lists.suse.com/pipermail/sle-security-updates/2020-April/006708.html

Mageia 7 is also affected.
Zombie Ryushu 2020-12-19 19:58:36 CET

URL: (none) => https://nvd.nist.gov/vuln/detail/CVE-2019-13990
CVE: (none) => CVE-2019-13990
CC: (none) => zombie_ryushu

Comment 1 Nicolas Lécureuil 2020-12-27 15:42:32 CET
not available in cauldron anymore

Version: Cauldron => 7
CC: (none) => mageia

Comment 2 Nicolas Lécureuil 2021-03-10 07:58:11 CET
Fixed in mga7:

    src:
         - quartz-2.2.1-9.1.mga7

Assignee: java => qa-bugs

Comment 3 David Walser 2021-03-10 18:21:20 CET
Advisory:
========================

Updated quartz packages fix security vulnerability:

initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz
Scheduler through 2.3.0 allows XXE attacks via a job description
(CVE-2019-13990).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13990
https://lists.suse.com/pipermail/sle-security-updates/2020-April/006708.html
========================

Updated packages in core/updates_testing:
========================
quartz-2.2.1-9.1.mga7
quartz-javadoc-2.2.1-9.1.mga7

from quartz-2.2.1-9.1.mga7.src.rpm
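The advisory above says the XML job-data parser accepted external entities. As an added illustration (not Quartz's own code, and not the patch shipped in this update), this is how a JAXP DocumentBuilderFactory is hardened against XXE and checked against a constructed job-data document that carries a DOCTYPE; the element names mirror the Quartz job-scheduling-data format, and the entity target is a placeholder.

```java
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.SAXParseException;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;

public class XxeHardenedParser {

    // Hardened factory: refuse any DOCTYPE, so neither general nor parameter
    // entities can be declared, and never fetch an external DTD. The feature
    // URIs are the standard Xerces/JAXP ones understood by the JDK parser.
    public static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Constructed sample: a job description that references an external entity.
    // "file:///PLACEHOLDER" is a placeholder, not a real resource.
    static final String SAMPLE_WITH_DOCTYPE =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE job-scheduling-data [\n" +
        "  <!ENTITY ext SYSTEM \"file:///PLACEHOLDER\">\n" +
        "]>\n" +
        "<job-scheduling-data><schedule><job>" +
        "<description>&ext;</description></job></schedule></job-scheduling-data>";

    // Returns true when the hardened parser rejects the document, which is the
    // desired outcome: with a default factory the same input would be parsed and
    // the entity resolved.
    public static boolean rejectsDoctype(String xml) throws Exception {
        DocumentBuilder builder = hardenedFactory().newDocumentBuilder();
        try {
            builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return false;
        } catch (SAXParseException e) {
            return true;   // parser reports that DOCTYPE is disallowed
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("hardened parser rejected DOCTYPE: " + rejectsDoctype(SAMPLE_WITH_DOCTYPE));
    }
}
```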
Comment 4 Thomas Andrews 2021-03-11 23:06:50 CET
No installation issues.

Searched in vain for a previous update of quartz. Looked at the file list, saw a read.me, no help there. Lots of html files in quartz-javadoc, all developer-type stuff beyond ordinary QA testing. Description reads:

Quartz is a job scheduling system that can be integrated with, or used along side virtually any J2EE or J2SE application. Quartz can be used to create simple or complex schedules for executing tens, hundreds, or even tens-of-thousands of jobs; jobs whose tasks are defined as standard Java components or EJBs.

Sounds far too complex for QA. Since Comment 1 indicates this has been dropped from Mageia 8, I'm going to pass this along on a clean install. Validating. Advisory in Comment 3.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: (none) => MGA7-64-OK

Comment 5 Aurelien Oudelet 2021-03-14 17:19:18 CET
Advisory committed to SVN.

CC: (none) => ouaurelien
Keywords: (none) => advisory

Comment 6 Mageia Robot 2021-03-14 22:22:19 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0133.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
