A security issue in the Apache HttpClient has been announced on October 8: https://www.openwall.com/lists/oss-security/2020/10/08/4 The issue is fixed upstream in 4.5.12. Also likely affected is the old jakarta-commons-httpclient which should have been dropped a long time ago (see Bug 18700). Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
Debian-LTS has issued an advisory for this on October 10: https://www.debian.org/lts/security/2020/dla-2405
Debian has issued an advisory for this on October 14: https://www.debian.org/security/2020/dsa-4772
Fix pushed in Mageia Cauldron.
Whiteboard: MGA7TOO => (none)
CC: (none) => mageia
Version: Cauldron => 7
Fix pushed in mga7: src: httpcomponents-client-4.5.5-1.1.mga7
Assignee: java => qa-bugs
Saving advisory, but assigning back to Java team for jakarta-commons-httpclient which hasn't been fixed (Mageia 7) and dropped (Cauldron) yet.

Advisory:
========================

Updated httpcomponents-client packages fix security vulnerability:

Priyank Nigam discovered that HttpComponents Client could misinterpret malformed authority component in a request URI and pick the wrong target host for request execution (CVE-2020-13956).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13956
https://www.debian.org/security/2020/dsa-4772
========================

Updated packages in core/updates_testing:
========================

httpcomponents-client-4.5.5-1.1.mga7
httpcomponents-client-cache-4.5.5-1.1.mga7
httpcomponents-client-javadoc-4.5.5-1.1.mga7

from httpcomponents-client-4.5.5-1.1.mga7.src.rpm
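The advisory in comment 5 describes CVE-2020-13956 in one sentence: a malformed authority component in the request URI can make the client pick the wrong target host. As an added illustration (not code from this bug report, from HttpComponents Client, or from the CVE write-up), the following Python shows that class of bug generically: a sloppy host extraction takes whatever follows the last "@" in the authority, while a check against the RFC 3986 authority grammar refuses to guess and rejects the URI instead. The sample URLs are constructed for the illustration; they are not the input from the CVE report, and the parser is a stand-alone checker, not HttpClient's own code.

```python
import re

# RFC 3986 section 3.2 grammar for the authority component, written out here
# for illustration.  This is a constructed checker, not HttpClient's parser.
_PCT_ENCODED = r"%[0-9A-Fa-f]{2}"
_UNRESERVED = r"A-Za-z0-9\-._~"
_SUB_DELIMS = r"!$&'()*+,;="
_USERINFO = rf"(?:[{_UNRESERVED}{_SUB_DELIMS}:]|{_PCT_ENCODED})*"
_REG_NAME = rf"(?:[{_UNRESERVED}{_SUB_DELIMS}]|{_PCT_ENCODED})*"
_IP_LITERAL = r"\[[0-9A-Fa-f:.]+\]"  # IPv6 literal, simplified for the example
_AUTHORITY_RE = re.compile(
    rf"^(?:(?P<userinfo>{_USERINFO})@)?"
    rf"(?P<host>{_IP_LITERAL}|{_REG_NAME})"
    rf"(?::(?P<port>[0-9]*))?$"
)
# scheme "://" authority; the authority ends at the first "/", "?" or "#"
_HIER_RE = re.compile(r"^(?P<scheme>[A-Za-z][A-Za-z0-9+.\-]*)://(?P<authority>[^/?#]*)")


def naive_host(url: str) -> str:
    """Sloppy host extraction of the kind that picks the wrong target: take
    whatever follows the last '@' in the authority and drop a trailing port."""
    m = _HIER_RE.match(url)
    if m is None:
        raise ValueError(f"not a hierarchical URL: {url!r}")
    hostport = m.group("authority").rsplit("@", 1)[-1]
    return hostport.split(":", 1)[0].lower()


def strict_host(url: str) -> str:
    """Return the host only if the whole authority matches the RFC 3986
    grammar; anything else is rejected rather than guessed at."""
    m = _HIER_RE.match(url)
    if m is None:
        raise ValueError(f"not a hierarchical URL: {url!r}")
    authority = m.group("authority")
    a = _AUTHORITY_RE.match(authority)
    if a is None or not a.group("host"):
        raise ValueError(f"malformed authority: {authority!r}")
    return a.group("host").lower()


def audit(urls):
    """Compare both extractions.  A row where the sloppy parser returns a host
    but the strict parser rejects the URL is exactly the dangerous case."""
    rows = []
    for url in urls:
        try:
            strict = strict_host(url)
        except ValueError:
            strict = None
        rows.append((url, naive_host(url), strict))
    return rows


# Constructed inputs.  The last two carry malformed authorities of the general
# kind the advisory describes; they are not the specific input from the CVE.
SAMPLE_URLS = [
    "http://example.com/path",
    "http://user:pw@example.com:8080/",
    "http://[::1]:8080/",
    "http://example.com\\@evil.com/",
    "http://user@example.com@evil.com/",
]

if __name__ == "__main__":
    for url, sloppy, strict in audit(SAMPLE_URLS):
        verdict = "OK" if strict else "REJECT (malformed authority)"
        print(f"{url:36} sloppy={sloppy!r:14} strict={strict!r:14} {verdict}")
```

Running the block prints one row per URL; the rows where the sloppy column carries a host but the strict column reads REJECT are the requests a client must refuse rather than route to whatever host it happened to extract (note that the sloppy path also mangles the IPv6 literal). For Java callers the analogous guard, independent of which HttpClient version is installed, is to refuse any java.net.URI whose getHost() returns null before handing it to the client, since that is what the JDK returns when the authority does not parse as a server-based authority.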
Whiteboard: (none) => MGA7TOO
Assignee: qa-bugs => java
Version: 7 => Cauldron
Status comment: (none) => jakarta-commons-httpclient also needs to be addressed
I don't think jakarta-commons-httpclient is affected. We don't plan to drop jakarta-commons-httpclient yet.
(In reply to Nicolas Lécureuil from comment #6)
> I don't think jakarta-commons-httpclient is affected.

Do you have any basis for that? They are based on the same code. See Bug 13932 and Bug 16870, for instance.

> We don't plan to drop jakarta-commons-httpclient yet.

It should have been dropped a long time ago, but I know Fedora needs to help us with that.
There is still fop using it; we need to get rid of this package in fop first. If time allows we can work on it.
I removed the deps from fop.
jakarta-commons-httpclient is not in Cauldron anymore.
Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
(In reply to Nicolas Lécureuil from comment #10)
> jakarta-commons-httpclient is not in Cauldron anymore.

Thanks. Please see my note in the other bug: https://bugs.mageia.org/show_bug.cgi?id=18700#c7
Doesn't look like jakarta-commons-httpclient contains the affected code. Advisory in Comment 5.
Status comment: jakarta-commons-httpclient also needs to be addressed => (none)
Assignee: java => qa-bugs
MGA7-64 Plasma on Lenovo B50. No installation issues. Ref bug 16870 for decision to OK on clean install.
Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene
Validating.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
CVE: (none) => CVE-2020-13956
Keywords: (none) => advisory
CC: (none) => ouaurelien
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0314.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED