Debian-LTS has issued an advisory on August 15: https://www.debian.org/lts/security/2020/dla-2326 The issue is fixed upstream in 2.37.0. Debian has a patch. Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
Ubuntu has issued an advisory for this on October 15: https://ubuntu.com/security/notices/USN-4584-1 The package has (mercifully) been removed from Cauldron.
Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
*** Bug 27772 has been marked as a duplicate of this bug. ***
CC: (none) => zombie_ryushu
Status comment: (none) => Patch available from Debian and Ubuntu
Patch added in mga7: src: - htmlunit-2.23-2.1.mga7
CC: (none) => mageia
Assignee: java => qa-bugs
Status comment: Patch available from Debian and Ubuntu => (none)
RPMs: htmlunit-2.23-2.1.mga7 htmlunit-javadoc-2.23-2.1.mga7
Advisory:
========================

Updated htmlunit packages fix security vulnerability:

It was discovered that HtmlUnit incorrectly initialized the Rhino engine. An attacker could possibly use this issue to execute arbitrary Java code (CVE-2020-5529).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5529
https://ubuntu.com/security/notices/USN-4584-1
This worked on MGA7 64-bit with Java 8. Here is the code. Note this takes an incredible number of dependent jars to work. Note I used Eclipse.

The code
----
package htmlTest;

import com.gargoylesoftware.htmlunit.BrowserVersion;
import com.gargoylesoftware.htmlunit.NicelyResynchronizingAjaxController;
import com.gargoylesoftware.htmlunit.SilentCssErrorHandler;
import com.gargoylesoftware.htmlunit.WebClient;
import com.gargoylesoftware.htmlunit.html.HtmlPage;
import java.io.IOException;

public class mageiaPage {
    public static void main(String[] args) throws Exception {
        // Headless browser client using HtmlUnit's default browser profile
        WebClient webClient = new WebClient(BrowserVersion.getDefault());
        // webClient.setCssErrorHandler(new SilentCssErrorHandler());
        webClient.setAjaxController(new NicelyResynchronizingAjaxController());
        webClient.getOptions().setCssEnabled(true);
        webClient.getOptions().setRedirectEnabled(true);
        webClient.getOptions().setAppletEnabled(true);
        // JavaScript is switched off for this run
        webClient.getOptions().setJavaScriptEnabled(false);
        webClient.getOptions().setPopupBlockerEnabled(true);
        // Connection timeout in milliseconds
        webClient.getOptions().setTimeout(10000);

        // Fetch the page and print its DOM as XML
        HtmlPage page = webClient.getPage("https://mageia.org");
        System.out.println(page.asXml());
        webClient.close();
    }
}
-----
I ran it through Eclipse after an hour of stackexchanging and adding external jars. Very cool utility though. Output is XML.
Whiteboard: (none) => MGA7-64-OK
CC: (none) => brtians1
Validating. Advisory in Comment 5.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0148.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED