Bug 28681 - velocity new security issue CVE-2020-13936
Summary: velocity new security issue CVE-2020-13936
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7TOO MGA7-64-OK MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-03-30 23:22 CEST by David Walser
Modified: 2021-05-28 00:30 CEST (History)
4 users

See Also:
Source RPM: velocity-1.7-33.mga8.src.rpm
CVE: CVE-2020-13936
Status comment:


Attachments

Description David Walser 2021-03-30 23:22:03 CEST
Apache has issued an advisory on March 9:
https://www.openwall.com/lists/oss-security/2021/03/10/1

The issue is fixed upstream in 2.3.

Mageia 7 and Mageia 8 are also affected.
David Walser 2021-03-30 23:22:16 CEST

Whiteboard: (none) => MGA8TOO, MGA7TOO
Status comment: (none) => Fixed upstream in 2.3

Comment 1 Nicolas Lécureuil 2021-04-03 00:16:13 CEST
Fixed in Cauldron.

Patch added in mga7/8:

   src:
    - velocity-1.7-22.1.mga7
    - velocity-1.7-33.1.mga8

Status comment: Fixed upstream in 2.3 => (none)
Version: Cauldron => 8
CC: (none) => mageia
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
Assignee: java => qa-bugs

Comment 2 David Walser 2021-04-04 17:47:29 CEST
Advisory:
========================

Updated velocity packages fix security vulnerability:

An attacker that is able to modify Velocity templates may execute arbitrary
Java code or run arbitrary system commands with the same privileges as the
account running the Servlet container.  This applies to applications that allow
untrusted users to upload/modify velocity templates running Apache Velocity
Engine versions up to 2.2 (CVE-2020-13936).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13936
https://www.openwall.com/lists/oss-security/2021/03/10/1
========================

Updated packages in core/updates_testing:
========================
velocity-1.7-22.1.mga7
velocity-manual-1.7-22.1.mga7
velocity-javadoc-1.7-22.1.mga7
velocity-demo-1.7-22.1.mga7
velocity-1.7-33.1.mga8
velocity-demo-1.7-33.1.mga8
velocity-javadoc-1.7-33.1.mga8
velocity-manual-1.7-33.1.mga8

from SRPMS:
velocity-1.7-22.1.mga7.src.rpm
velocity-1.7-33.1.mga8.src.rpm
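The advisory in Comment 2 hinges on one condition: the vulnerable applications are those that let untrusted users supply the template text itself. The following is an added example, not code from this bug report or from the Velocity project, showing the two shapes side by side against the Velocity 1.7 API shipped in these packages. The class `TemplateBoundary`, its methods, and the sample input are hypothetical; the `VelocityEngine`, `VelocityContext`, `evaluate` and `SecureUberspector` names are Velocity's own.

```java
// Added example (not from the Mageia bug or the Velocity project).
// Shows why "user controls the template text" is the precondition the
// advisory describes, and the safe alternative of passing user input as
// a context value. Velocity 1.7 API.
import java.io.StringWriter;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.runtime.RuntimeConstants;

public class TemplateBoundary {

    private static VelocityEngine newEngine() {
        VelocityEngine engine = new VelocityEngine();
        // Defence in depth using Velocity's own SecureUberspector, which
        // restricts reflective access from templates. It does not replace
        // keeping untrusted input out of the template text.
        engine.setProperty(RuntimeConstants.UBERSPECT_CLASSNAME,
                "org.apache.velocity.util.introspection.SecureUberspector");
        engine.init();
        return engine;
    }

    // VULNERABLE shape (the case the advisory describes): the template
    // text itself comes from the user, so every directive and reference
    // they write is parsed and evaluated by the engine.
    static String renderUserTemplate(String userSuppliedTemplate) throws Exception {
        VelocityEngine engine = newEngine();
        StringWriter out = new StringWriter();
        engine.evaluate(new VelocityContext(), out, "user-template", userSuppliedTemplate);
        return out.toString();
    }

    // SAFE shape: the template is fixed by the application; the user's
    // input is only a value in the context and is never parsed as VTL.
    static final String GREETING_TEMPLATE = "Hello, $name!";

    static String renderGreeting(String userName) throws Exception {
        VelocityEngine engine = newEngine();
        VelocityContext ctx = new VelocityContext();
        ctx.put("name", userName);
        StringWriter out = new StringWriter();
        engine.evaluate(ctx, out, "greeting", GREETING_TEMPLATE);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed input that happens to contain VTL syntax. In the safe
        // shape it is emitted verbatim as data; in the vulnerable shape the
        // same string would be executed as template code.
        String input = "#set($x = 1)$x";
        System.out.println(renderGreeting(input));
    }
}
```

The review question for any deployment of these packages is therefore not only "is velocity updated" but "does any code path hand user-controlled strings to `evaluate`, `mergeTemplate` or a template resource loader rooted in a writable directory". The `SecureUberspector` setting narrows what a template can reach through reflection but leaves a user-authored template able to run whatever VTL directives the engine accepts, so it is a mitigation layer rather than a fix.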
Comment 3 Thomas Andrews 2021-04-08 01:02:48 CEST
Installed the four velocity rpms and two dependencies in vbox mga7 and mga8 guests, then updated them. No installation issues.

Looked for a past update, found nothing. Read some of the manual, but soon got very lost, as I know nothing of using java. Tried a couple of the elementary scripts from velocity-demo that were supposed to be pre-compiled, but they threw errors obviously caused by my lack of basic relevant skills.

So, I'm going to pass this along with a clean install for both mga7 and mga8.

Validating. Advisory in Comment 2.

Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK MGA8-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Aurelien Oudelet 2021-04-12 16:24:26 CEST

CC: (none) => ouaurelien
CVE: (none) => CVE-2020-13936
Keywords: (none) => advisory

Comment 4 Mageia Robot 2021-04-12 22:02:30 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0183.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 5 David Walser 2021-05-28 00:30:17 CEST
Debian-LTS has issued an advisory for this on March 17:
https://www.debian.org/lts/security/2021/dla-2595
