openSUSE has issued an advisory on June 10: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/GA6JLF7SGHTXIPP5ONV5N4ECGGCVIYYM/ The issue is fixed upstream in 2.8.9. Mageia 8 is also affected.
Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 2.8.9
This is officially with neoclust, but daviddavid most recently committed it - but ages ago. With this uncertainty, assigning this globally; CC'ing NicolasL.
CC: (none) => mageia
Assignee: bugsquad => pkg-bugs
Debian-LTS has issued an advisory for this today (September 7): https://www.debian.org/lts/security/2022/dla-3100
Debian has issued an advisory for this on September 7: https://www.debian.org/security/2022/dsa-5227
Suggested advisory:
========================

The updated packages fix a security vulnerability:

The package com.google.code.gson:gson before 2.8.9 is vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks. (CVE-2022-25647)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25647
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/GA6JLF7SGHTXIPP5ONV5N4ECGGCVIYYM/
https://www.debian.org/lts/security/2022/dla-3100
https://www.debian.org/security/2022/dsa-5227
========================

Updated packages in core/updates_testing:
========================

google-gson-2.8.6-1.1.mga8
google-gson-javadoc-2.8.6-1.1.mga8

from SRPM:
google-gson-2.8.6-1.1.mga8.src.rpm
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
CVE: (none) => CVE-2022-25647
Assignee: pkg-bugs => qa-bugs
Status comment: Fixed upstream in 2.8.9 => (none)
Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero
Started to look at this and found a tutorial at TutorialsPoint. The helloworld test script requires java-11-openjdk-devel for javac, easily installed, but the program itself looks for GsonBuilder and GsonTester which do not seem to be available. Is there a development package to go with this update?

$ urpmq --whatrequires google-gson
eclipse-cdt
eclipse-cdt-native
google-gson
jgit
lightcouch
protobuf-java-util

Installed lightcouch.

$ less /usr/share/doc/lightcouch/README.md
CouchDB Java API
================
A Java _client_ for [CouchDB](http://couchdb.apache.org/) database.
* Homepage: <http://lightcouch.org/>

Not going to touch that. The helloworld route seems the best bet.
CC: (none) => tarazed25
Trying to learn Java at the same time. CLASSPATH needs to be set:

$ export GSON_HOME="/usr/share/java/google-gson"
$ export CLASSPATH="$GSON_HOME/gson.jar"
$ javac GsonTester.java
$ ls
GsonTester.class  GsonTester.java  Student.class
$ java GsonTester.java
Student [ name: Mahesh, age: 21 ]
{ "name": "Mahesh", "age": 21 }

Expected result.

mga8, x64

Updated packages via qarepo...

$ rm -f *.class

Repeated the compilation and test with identical results. Not much of a test but it shall have to do.
Whiteboard: (none) => MGA8-64-OK
Validating. Advisory in Comment 4.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0340.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED