Bug 34483 - apache-commons-lang and apache-commons-lang3 new security issue CVE-2025-48924
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2025-07-18 15:15 CEST by Nicolas Salguero
Modified: 2025-11-15 08:15 CET

See Also:
Source RPM: apache-commons-lang3-3.12.0-3.mga9.src.rpm, apache-commons-lang-2.6-25.mga9.src.rpm
CVE: CVE-2025-48924
Status comment:



Description Nicolas Salguero 2025-07-18 15:15:34 CEST
CVE-2025-48924 was announced here:
https://www.openwall.com/lists/oss-security/2025/07/11/1
Nicolas Salguero 2025-07-18 15:16:46 CEST

CVE: (none) => CVE-2025-48924
Whiteboard: (none) => MGA9TOO
Status comment: (none) => Fixed upstream in 3.18.0
Source RPM: (none) => apache-commons-lang3-3.16.0-2.mga10.src.rpm, apache-commons-lang3-3.12.0-3.mga9.src.rpm, apache-commons-lang-2.6-25.mga9.src.rpm

Comment 1 Lewis Smith 2025-07-21 20:40:08 CEST
Assigning globally for the version update.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2025-11-14 14:54:03 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Apache Commons Lang, Apache Commons Lang: ClassUtils.getClass(...) can throw a StackOverflowError on very long inputs. (CVE-2025-48924)

References:
https://www.openwall.com/lists/oss-security/2025/07/11/1
========================

Updated packages in core/updates_testing:
========================
apache-commons-lang-2.6-25.1.mga9
apache-commons-lang-javadoc-2.6-25.1.mga9

apache-commons-lang3-3.12.0-3.1.mga9
apache-commons-lang3-javadoc-3.12.0-3.1.mga9

from SRPMS:
apache-commons-lang-2.6-25.1.mga9.src.rpm
apache-commons-lang3-3.12.0-3.1.mga9.src.rpm

Whiteboard: MGA9TOO => (none)
Source RPM: apache-commons-lang3-3.16.0-2.mga10.src.rpm, apache-commons-lang3-3.12.0-3.mga9.src.rpm, apache-commons-lang-2.6-25.mga9.src.rpm => apache-commons-lang3-3.12.0-3.mga9.src.rpm, apache-commons-lang-2.6-25.mga9.src.rpm
Status: NEW => ASSIGNED
Version: Cauldron => 9
Status comment: Fixed upstream in 3.18.0 => (none)
Assignee: pkg-bugs => qa-bugs

katnatek 2025-11-15 01:32:38 CET

Keywords: (none) => advisory

Comment 3 katnatek 2025-11-15 01:39:59 CET
installing apache-commons-lang3-3.12.0-3.1.mga9.noarch.rpm apache-commons-lang-2.6-25.1.mga9.noarch.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ###################################################################################################
      1/2: apache-commons-lang   ###################################################################################################
      2/2: apache-commons-lang3  ###################################################################################################
      1/2: removing apache-commons-lang-2.6-25.mga9.noarch
                                 ###################################################################################################
      2/2: removing apache-commons-lang3-3.12.0-3.mga9.noarch
                                 ###################################################################################################

Clean install
libreoffice-base requires apache-commons-lang3

It works as usual

Whiteboard: (none) => MGA9-64-OK

Comment 4 Thomas Andrews 2025-11-15 02:59:53 CET
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 5 Mageia Robot 2025-11-15 08:15:28 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0293.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

