Debian-LTS has issued an advisory today (June 29): https://www.debian.org/lts/security/2021/dla-2696 Mageia 7 and Mageia 8 are also affected. The jdom package may also be affected.
Status comment: (none) => Patch available from Debian
Whiteboard: (none) => MGA8TOO, MGA7TOO
Removing Mageia 7 from whiteboard due to EOL: https://blog.mageia.org/en/2021/06/08/mageia-7-will-reach-end-of-support-on-30th-of-june-the-king-is-dead-long-live-the-king/
Whiteboard: MGA8TOO, MGA7TOO => MGA8TOO
openSUSE has issued an advisory for this today (July 12): https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/3W33THYYFJ4Y4WPUQN66D2YC35Q6ZTRU/
jdom2 fixed in cauldron.
CC: (none) => mageia
Pushed in mga8:
src:
- jdom2-2.0.6-1O.1.mga8
Now I will look if we need to patch jdom.
Did you notice that you used the letter O instead of a zero in the release tag?
Not at all :-) I will fix this. Thanks for showing me this error.
Pushed in mga8:
src:
- jdom2-2.0.6-10.1.mga8
Now I will look if we need to patch jdom.
jdom2-2.0.6-10.1.mga8
jdom2-javadoc-2.0.6-10.1.mga8
Debian-LTS has issued an advisory for jdom (jdom1) on July 20: https://www.debian.org/lts/security/2021/dla-2712
Summary: jdom2 new security issue CVE-2021-33813 => jdom/jdom2 new security issue CVE-2021-33813
Source RPM: jdom2-2.0.6-10.mga8.src.rpm => jdom-1.1.3-14.mga8.src.rpm, jdom2-2.0.6-10.mga8.src.rpm
jdom is now fixed in mga8/9:
src:
- jdom-1.1.3-14.1.mga8
Assignee: java => qa-bugs
Whiteboard: MGA8TOO => (none)
Status comment: Patch available from Debian => (none)
Version: Cauldron => 8
jdom-1.1.3-14.1.mga8
jdom-demo-1.1.3-14.1.mga8
jdom-javadoc-1.1.3-14.1.mga8
from jdom-1.1.3-14.1.mga8.src.rpm
Advisory:
========================

Updated jdom/jdom2 packages fix a security vulnerability:

An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request (CVE-2021-33813).

References:
- https://bugs.mageia.org/show_bug.cgi?id=29187
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-33813
- https://www.debian.org/lts/security/2021/dla-2696
- https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/3W33THYYFJ4Y4WPUQN66D2YC35Q6ZTRU/
- https://www.debian.org/lts/security/2021/dla-2712
========================

Updated packages in core/updates_testing:
========================
jdom2-2.0.6-10.1.mga8
jdom2-javadoc-2.0.6-10.1.mga8
jdom-1.1.3-14.1.mga8
jdom-demo-1.1.3-14.1.mga8
jdom-javadoc-1.1.3-14.1.mga8

from SRPMs:
jdom2-2.0.6-10.1.mga8
jdom-1.1.3-14.1.mga8.src.rpm
CC: (none) => ouaurelien
MGA8-64 Plasma on Lenovo B50
No installation issues. As all java and developers stuff OK on clean install and no apparent ill effects on the system.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK
Validating.
CC: (none) => sysadmin-bugs
CVE: (none) => CVE-2021-33813
Keywords: (none) => advisory, validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0381.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED