Bug 29512 - xstream new security issues CVE-2021-39139, CVE-2021-3914[01456789], CVE-2021-3915[0-4]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-10-01 16:14 CEST by David Walser
Modified: 2021-10-13 21:41 CEST

See Also:
Source RPM: xstream-1.4.15-1.1.mga8.src.rpm
CVE:
Status comment:


Description David Walser 2021-10-01 16:14:47 CEST
Debian-LTS has issued an advisory on September 30:
https://www.debian.org/lts/security/2021/dla-2769

The issues are fixed upstream in 1.4.18.

Mageia 8 is also affected.

David Walser 2021-10-01 16:15:00 CEST

Status comment: (none) => Fixed upstream in 1.4.18
Whiteboard: (none) => MGA8TOO

Comment 1 Nicolas Lécureuil 2021-10-09 17:01:15 CEST
fixed in mga 8/9:

src:
    - xmlpull-1.2.0-1.mga8
    - mxparser-1.2.2-1.mga8
    - xstream-1.4.18-1.mga8

rpms:
    - mxparser-1.2.2-1.mga8
    - xmlpull-1.2.0-1.mga8
    - xstream-1.4.18-1.mga8

Version: Cauldron => 8
CC: (none) => mageia
Assignee: java => qa-bugs
Whiteboard: MGA8TOO => (none)
Status comment: Fixed upstream in 1.4.18 => (none)

Comment 2 David Walser 2021-10-09 17:15:47 CEST
RPMS are actually:
xmlpull-1.2.0-1.mga8
xmlpull-javadoc-1.2.0-1.mga8
mxparser-1.2.2-1.mga8
mxparser-javadoc-1.2.2-1.mga8
xstream-benchmark-1.4.18-1.mga8
xstream-1.4.18-1.mga8
xstream-javadoc-1.4.18-1.mga8

Comment 3 Herman Viaene 2021-10-12 15:59:43 CEST
MGA8-64 Plasma on Lenovo B50
No installation issues
OK on clean install as before.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK

Comment 4 Thomas Andrews 2021-10-13 04:02:00 CEST
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 5 David Walser 2021-10-13 15:54:26 CEST
Fedora has issued an advisory for this on October 12:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/

Dave Hodgins 2021-10-13 20:20:32 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 6 Mageia Robot 2021-10-13 21:41:19 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0474.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

