Apache has issued an advisory on March 9: https://www.openwall.com/lists/oss-security/2021/03/10/1 The issue is fixed upstream in 2.3. Mageia 7 and Mageia 8 are also affected.
Whiteboard: (none) => MGA8TOO, MGA7TOO
Status comment: (none) => Fixed upstream in 2.3
Fixed in cauldron. Patch added in mga7/8:
src:
- velocity-1.7-22.1.mga7
- velocity-1.7-33.1.mga8
Status comment: Fixed upstream in 2.3 => (none)
Version: Cauldron => 8
CC: (none) => mageia
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
Assignee: java => qa-bugs
Advisory:
========================

Updated velocity packages fix security vulnerability:

An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify velocity templates running Apache Velocity Engine versions up to 2.2 (CVE-2020-13936).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13936
https://www.openwall.com/lists/oss-security/2021/03/10/1
========================

Updated packages in core/updates_testing:
========================
velocity-1.7-22.1.mga7
velocity-manual-1.7-22.1.mga7
velocity-javadoc-1.7-22.1.mga7
velocity-demo-1.7-22.1.mga7
velocity-1.7-33.1.mga8
velocity-demo-1.7-33.1.mga8
velocity-javadoc-1.7-33.1.mga8
velocity-manual-1.7-33.1.mga8

from SRPMS:
velocity-1.7-22.1.mga7.src.rpm
velocity-1.7-33.1.mga8.src.rpm
Installed the four velocity rpms and two dependencies in vbox mga7 and mga8 guests, then updated them. No installation issues. Looked for a past update, found nothing. Read some of the manual, but soon got very lost, as I know nothing of using java. Tried a couple of the elementary scripts from velocity-demo that were supposed to be pre-compiled, but they threw errors obviously caused by my lack of basic relevant skills. So, I'm going to pass this along with a clean install for both mga7 and mga8. Validating. Advisory in Comment 2.
Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK MGA8-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
CC: (none) => ouaurelien
CVE: (none) => CVE-2020-13936
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0183.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
Debian-LTS has issued an advisory for this on March 17: https://www.debian.org/lts/security/2021/dla-2595