CVE-2025-48734 was announced here: https://openwall.com/lists/oss-security/2025/05/28/6
Whiteboard: (none) => MGA9TOO
CVE: (none) => CVE-2025-48734
Source RPM: (none) => apache-commons-beanutils-1.9.4-9.mga10.src.rpm, apache-commons-beanutils-1.9.4-7.mga9.src.rpm
Status comment: (none) => Fixed upstream in 1.11.0
Assigning to the registered maintainer, CC'ing daviddavid.
CC: (none) => geiger.david68210, marja11
Assignee: bugsquad => mageia
Fedora has issued an advisory on June 22: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2E6EAPMCB5XKVDGJ23HGV347WTMBLWMJ/
Debian has issued an advisory on June 25: https://lists.debian.org/debian-lts-announce/2025/06/msg00027.html
apache-commons-beanutils-1.9.4-10.mga10 fixed that issue.
Version: Cauldron => 9
Source RPM: apache-commons-beanutils-1.9.4-9.mga10.src.rpm, apache-commons-beanutils-1.9.4-7.mga9.src.rpm => apache-commons-beanutils-1.9.4-7.mga9.src.rpm
Whiteboard: MGA9TOO => (none)
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Apache Commons BeanUtils: PropertyUtilsBean does not suppress an enum's declaredClass property by default. (CVE-2025-48734)

References:
https://openwall.com/lists/oss-security/2025/05/28/6
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2E6EAPMCB5XKVDGJ23HGV347WTMBLWMJ/
https://lists.debian.org/debian-lts-announce/2025/06/msg00027.html
========================

Updated packages in core/updates_testing:
========================
apache-commons-beanutils-1.9.4-7.1.mga9
apache-commons-beanutils-javadoc-1.9.4-7.1.mga9

from SRPM:
apache-commons-beanutils-1.9.4-7.1.mga9.src.rpm
Status: NEW => ASSIGNED
Assignee: mageia => qa-bugs
Status comment: Fixed upstream in 1.11.0 => (none)
Keywords: (none) => advisory
installing apache-commons-beanutils-1.9.4-7.1.mga9.noarch.rpm from //home/katnatek/qa-testing/x86_64
Preparing... ###################################################################################################
1/1: apache-commons-beanutils ###################################################################################################
1/1: removing apache-commons-beanutils-1.9.4-7.mga9.noarch ###################################################################################################

Clean update
Whiteboard: (none) => MGA9-64-OK
Validating.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
The advisory text says:

Also, the apache-commons-collections package has been rebuilt to regenerate the OSGi metadata, to allow the apache-commons-beanutils package to build.

but there is no apache-commons-collections package in updates_testing. Is this line valid?
CC: (none) => dan
(In reply to Dan Fandrich from comment #8)
> The advisory text says:
>
> Also, the apache-commons-collections package has been rebuilt to
> regenerate the OSGi metadata, to allow the apache-commons-beanutils
> package to build.
>
> but there is no apache-commons-collections package in updates_testing. Is
> this line valid?

Fixed, thank you. I had another tab open from the previous round and I selected text from the wrong one.
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2025-0299.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED