Bug 27794 - resteasy new security issue CVE-2020-1695
Summary: resteasy new security issue CVE-2020-1695
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All
OS: Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks: 27750
Reported: 2020-12-09 23:55 CET by David Walser
Modified: 2021-01-17 17:08 CET

See Also:
Source RPM: resteasy-3.0.19-2.mga7.src.rpm
CVE: CVE-2020-1695
Status comment:



Description David Walser 2020-12-09 23:55:42 CET
Fedora has issued an advisory today (December 9):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IJDMT443YZWCBS5NS76XZ7TL3GK7BXHL/

The issue is fixed upstream in 3.12.0, but they patched 3.0.26.

Mageia 7 is also affected.
David Walser 2020-12-09 23:55:52 CET

Whiteboard: (none) => MGA7TOO
Blocks: (none) => 27750

Comment 1 Lewis Smith 2020-12-10 19:51:53 CET
Assigning to DavidG as having done the last significant update to this.
CC'ing NicolasL as listed historically for the SRPM, in case!

Assignee: bugsquad => geiger.david68210
CC: (none) => mageia

Comment 2 Nicolas Lécureuil 2020-12-25 23:28:02 CET
fixed for cauldron

Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)

Comment 3 David Walser 2020-12-26 16:43:01 CET
Advisory:
========================

Updated resteasy packages fix security vulnerability:

A flaw was found in Resteasy, where an improper input validation results in
returning an illegal header that integrates into the server's response. This
flaw may result in an injection, which leads to unexpected behavior when the
HTTP response is constructed (CVE-2020-1695).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1695
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IJDMT443YZWCBS5NS76XZ7TL3GK7BXHL/
========================

Updated packages in core/updates_testing:
========================
resteasy-3.0.26-2.mga7
resteasy-javadoc-3.0.26-2.mga7
resteasy-core-3.0.26-2.mga7
resteasy-atom-provider-3.0.26-2.mga7
resteasy-jackson2-provider-3.0.26-2.mga7
resteasy-jaxb-provider-3.0.26-2.mga7
resteasy-client-3.0.26-2.mga7

from resteasy-3.0.26-2.mga7.src.rpm

CC: (none) => geiger.david68210
Assignee: geiger.david68210 => qa-bugs
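The advisory above describes the defect as improper input validation that lets an illegal header value end up in the server's response. As an added illustration (this is not RESTEasy's code and not the upstream fix, and the class and method names are hypothetical), the following Java snippet shows the generic defender-side check such a path needs: before any request-derived string is placed in a response header, confirm it is a legal RFC 7230 field value, which excludes CR, LF and every other control character.

```java
import java.util.regex.Pattern;

/**
 * Added example (hypothetical helper, not RESTEasy code): validates that a
 * string about to be written as an HTTP response header value is a legal
 * RFC 7230 field-value, i.e. VCHAR / SP / HTAB / obs-text only, with no CR, LF
 * or other control characters that would break the header line.
 */
public final class HeaderValueGuard {
    // RFC 7230 field-content: visible ASCII (0x21-0x7E), space, horizontal tab,
    // and obs-text (0x80-0xFF). CR, LF and NUL are never legal inside a value.
    private static final Pattern LEGAL_FIELD_VALUE =
            Pattern.compile("[\\x21-\\x7E\\x80-\\xFF \\t]*");

    private HeaderValueGuard() {}

    /** True when the value can be written into a header line unchanged. */
    public static boolean isLegalFieldValue(String value) {
        return value != null && LEGAL_FIELD_VALUE.matcher(value).matches();
    }

    /** Returns the value if legal; otherwise refuses it rather than sanitising it. */
    public static String requireLegalFieldValue(String name, String value) {
        if (!isLegalFieldValue(value)) {
            throw new IllegalArgumentException("Illegal characters in header '" + name + "'");
        }
        return value;
    }

    public static void main(String[] args) {
        // Constructed sample values, as a client might send them in a request header.
        String[] samples = {
            "text/html",                    // ordinary value, accepted
            "text/html\r\nX-Injected: 1",   // CRLF would end the header line early
            "text/html\nSet-Cookie: a=b",   // a bare LF is treated the same way
            "utf-8\u0000",                  // NUL is a control character
        };
        for (String s : samples) {
            String shown = s.replace("\r", "\\r").replace("\n", "\\n").replace("\u0000", "\\0");
            System.out.println(shown + " -> " + (isLegalFieldValue(s) ? "legal" : "REJECTED"));
        }
    }
}
```

The check belongs at the point where a response header is assembled from request data (for example, echoing a negotiated media type or charset back to the client). Rejecting the value outright is preferable to stripping offending characters, since stripping can still yield a value the client never sent.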

Comment 4 Thomas Andrews 2021-01-13 20:11:19 CET
After reading about previous resteasy updates in bug 13870 and bug 19718, I saw that a clean install was deemed sufficient as a test, so...

I installed resteasy from the repos. This drew in 119 dependencies, including all of the above packages except for resteasy-javadoc, so I followed up by installing that, too.

I then used QA Repo to download the 7 packages from Comment 3, and updated them using MCC. There were no installation issues, so I am giving this an OK, and validating. Advisory in Comment 3.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: (none) => MGA7-64-OK

Comment 5 Aurelien Oudelet 2021-01-17 15:10:12 CET
Advisory pushed to SVN.

CVE: (none) => CVE-2020-1695
Source RPM: resteasy-3.0.26-1.mga8.src.rpm => resteasy-3.0.19-2.mga7.src.rpm
CC: (none) => ouaurelien
Keywords: (none) => advisory

Comment 6 Mageia Robot 2021-01-17 17:08:35 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0039.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

