Fedora has issued an advisory today (December 9):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IJDMT443YZWCBS5NS76XZ7TL3GK7BXHL/

The issue is fixed upstream in 3.12.0, but they patched 3.0.26. Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
Blocks: (none) => 27750
Assigning to DavidG as having done the last significant update to this. CC'ing NicolasL as listed historically for the SRPM, in case!
Assignee: bugsquad => geiger.david68210
CC: (none) => mageia
fixed for cauldron
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
Advisory:
========================

Updated resteasy packages fix security vulnerability:

A flaw was found in Resteasy, where an improper input validation results in returning an illegal header that integrates into the server's response. This flaw may result in an injection, which leads to unexpected behavior when the HTTP response is constructed (CVE-2020-1695).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1695
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IJDMT443YZWCBS5NS76XZ7TL3GK7BXHL/
========================

Updated packages in core/updates_testing:
========================
resteasy-3.0.26-2.mga7
resteasy-javadoc-3.0.26-2.mga7
resteasy-core-3.0.26-2.mga7
resteasy-atom-provider-3.0.26-2.mga7
resteasy-jackson2-provider-3.0.26-2.mga7
resteasy-jaxb-provider-3.0.26-2.mga7
resteasy-client-3.0.26-2.mga7

from resteasy-3.0.26-2.mga7.src.rpm
CC: (none) => geiger.david68210
Assignee: geiger.david68210 => qa-bugs
After reading about previous resteasy updates in bug 13870 and bug 19718, I saw that a clean install was deemed sufficient as a test, so... I installed resteasy from the repos. This drew in 119 dependencies, including all of the above packages except for resteasy-javadoc, so I followed up by installing that, too. I then used QA Repo to download the 7 packages from Comment 3, and updated them using MCC. There were no installation issues, so I am giving this an OK, and validating. Advisory in Comment 3.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: (none) => MGA7-64-OK
Advisory pushed to SVN.
CVE: (none) => CVE-2020-1695
Source RPM: resteasy-3.0.26-1.mga8.src.rpm => resteasy-3.0.19-2.mga7.src.rpm
CC: (none) => ouaurelien
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0039.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED