Bug 28440 - xmlgraphics-commons new security issue CVE-2020-11988
Summary: xmlgraphics-commons new security issue CVE-2020-11988
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7TOO MGA7-64-OK MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-02-25 21:29 CET by David Walser
Modified: 2021-05-29 20:29 CEST
CC: 4 users

See Also:
Source RPM: xmlgraphics-commons-2.3-2.mga8.src.rpm
CVE: CVE-2020-11988
Status comment:



Description David Walser 2021-02-25 21:29:45 CET
Apache has issued an advisory on February 24:
https://www.openwall.com/lists/oss-security/2021/02/24/1

The issue is fixed upstream in 2.6.

Mageia 7 and Mageia 8 are also affected.
David Walser 2021-02-25 21:30:01 CET

Status comment: (none) => Fixed upstream in 2.6
Assignee: bugsquad => java
Whiteboard: (none) => MGA8TOO, MGA7TOO

Comment 1 Nicolas Lécureuil 2021-02-28 19:22:51 CET
Fixed packages for mga7/8:

src:
    - xmlgraphics-commons-2.6-1.mga7
    - xmlgraphics-commons-2.6-1.mga8

CC: (none) => mageia
Assignee: java => qa-bugs

Aurelien Oudelet 2021-02-28 22:43:36 CET

Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
Version: Cauldron => 8
CC: (none) => ouaurelien
CVE: (none) => CVE-2020-11988
Status comment: Fixed upstream in 2.6 => (none)

Comment 2 David Walser 2021-03-01 17:45:46 CET
Package list:
xmlgraphics-commons-2.6-1.mga7
xmlgraphics-commons-javadoc-2.6-1.mga7
xmlgraphics-commons-2.6-1.mga8
xmlgraphics-commons-javadoc-2.6-1.mga8
Comment 3 David Walser 2021-03-03 01:33:29 CET
Advisory:
========================

Updated xmlgraphics-commons packages fix security vulnerability:

The Apache XML Graphics Commons library is vulnerable to SSRF via the XMPParser
that allows an attacker to cause the underlying server to make arbitrary GET
requests (CVE-2020-11988).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11988
https://www.openwall.com/lists/oss-security/2021/02/24/1
http://xmlgraphics.apache.org/security.html
Comment 4 Herman Viaene 2021-03-08 16:06:21 CET
MGA7-64 MATE on Peaq C1011
No installation issues
Searched for some easy example, but none to my liking. This is java developer stuff.
OK on clean install??

CC: (none) => herman.viaene

Comment 5 David Walser 2021-03-08 16:07:55 CET
Yes, install and update from the existing packages, as usual.
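Comment 4 notes there is no easy functional test for a library like this, so the practical QA check for this update is that the installed packages are at or above the fixed builds listed in comments 1 and 2. The following Python script is an added example, not part of this bug report or of the Mageia packages: it parses `rpm -q` output for the two packages named in comment 2 and compares each version-release against 2.6-1 with an rpmvercmp-style comparison. The sample output lines are constructed from the source RPM (2.3-2.mga8) and the fixed build named on this page; the function names are mine.

```python
import re
import subprocess

# Packages named in the update (comment 2) and the fixed version-release from comment 1.
PACKAGES = ("xmlgraphics-commons", "xmlgraphics-commons-javadoc")
FIXED_VERSION = "2.6"
FIXED_RELEASE_NUMBER = "1"  # release is "1.mga7" / "1.mga8"; the distro tag is ignored

# Constructed sample of `rpm -q` output: the vulnerable source RPM version from this bug
# (2.3-2.mga8) next to the fixed build, plus rpm's "not installed" line for a missing package.
SAMPLE_RPM_OUTPUT = """\
xmlgraphics-commons-2.3-2.mga8
package xmlgraphics-commons-javadoc is not installed
xmlgraphics-commons-2.6-1.mga8
"""

_SEGMENT = re.compile(r"\d+|[A-Za-z]+")


def rpmvercmp(a, b):
    """Compare two RPM version (or release) strings the way rpm's rpmvercmp does:
    split into numeric and alphabetic segments, numeric segments compare as integers,
    a numeric segment outranks an alphabetic one, and when one string is a prefix of
    the other the longer one is newer. Returns -1, 0 or 1 (tilde/caret handling omitted)."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return -1 if xi < yi else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) != len(sb):
        return -1 if len(sa) < len(sb) else 1
    return 0


def parse_nvr(nvr):
    """Split 'name-version-release'; split from the right because names contain dashes."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def is_fixed(nvr):
    """True if this installed package is at or above the fixed build 2.6-1."""
    name, version, release = parse_nvr(nvr)
    if name not in PACKAGES:
        raise ValueError("not a package from this update: " + name)
    cmp_version = rpmvercmp(version, FIXED_VERSION)
    if cmp_version != 0:
        return cmp_version > 0
    # Same upstream version: compare only the leading release number ("1" of "1.mga8")
    return rpmvercmp(release.split(".", 1)[0], FIXED_RELEASE_NUMBER) >= 0


def audit(rpm_output):
    """Map each installed package line to True (fixed) or False (still vulnerable);
    packages reported by rpm as not installed are skipped."""
    result = {}
    for line in rpm_output.splitlines():
        line = line.strip()
        if not line or line.startswith("package "):
            continue
        result[line] = is_fixed(line)
    return result


def query_installed(packages=PACKAGES):
    """Run `rpm -q` on the real system; rpm exits non-zero when a package is absent,
    so stdout is returned regardless of the exit status."""
    proc = subprocess.run(["rpm", "-q", *packages], capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    # Swap SAMPLE_RPM_OUTPUT for query_installed() to audit a live Mageia 7/8 system.
    for nvr, ok in audit(SAMPLE_RPM_OUTPUT).items():
        print(("fixed      " if ok else "VULNERABLE ") + nvr)
```

Comparing the release number rather than the whole release string is deliberate: the same fixed build carries `1.mga7` on Mageia 7 and `1.mga8` on Mageia 8, and the distro tag says nothing about whether the fix is present.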
Herman Viaene 2021-03-08 16:23:00 CET

Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK

Comment 6 Aurelien Oudelet 2021-03-17 18:26:01 CET
MGA8-64 Plasma
No installation issue on existing version.

Looks OK.
Validating
Advisory pushed to SVN.

CC: (none) => sysadmin-bugs
Keywords: (none) => advisory, validated_update
Whiteboard: MGA7TOO MGA7-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK

Comment 7 Mageia Robot 2021-03-18 10:57:35 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0144.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 8 David Walser 2021-05-29 20:29:39 CEST
Fedora has issued an advisory for this on March 28:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JP4XA56DA3BFNRBBLBXM6ZAI5RUVFA33/
