Advisories have been issued by Debian and Fedora:
http://www.debian.org/security/2012/dsa-2468 (May 9)
http://lists.fedoraproject.org/pipermail/package-announce/2012-May/080633.html (May 11)
It appears there is an obsolete older version of this software in a package called jakarta-poi which should be removed. This package also exists in Mageia 1.
There are also a couple of other obsolete packages with jakarta-* names that look like they should have been obsoleted by the apache-* ones, commons-fileupload and commons-logging.
CC: (none) => dmorganec
Hi,
This bug was filed against cauldron, but we do not have cauldron at the moment. Please report whether this bug is still valid for Mageia 2.
Thanks :)
Cheers,
marja
Keywords: (none) => NEEDINFO
Keywords: NEEDINFO => (none)
Whiteboard: (none) => MGA2TOO, MGA1TOO
We can't remove jakarta-*; we need to port apps to use it first (different API). But this is on my TODO.
Update is ready on svn, will be pushed as soon as tests are fixed.
OK. If we can't obsolete the jakarta ones for now, jakarta-poi will need an update as well then I presume.
Built so far:
apache-poi-3.8-1.1.mga2.noarch.rpm
apache-poi-javadoc-3.8-1.1.mga2.noarch.rpm
apache-poi-manual-3.8-1.1.mga2.noarch.rpm
from apache-poi-3.8-1.1.mga2.src.rpm
Still pending:
Updated apache-poi for Mageia 1
Updates for jakarta-poi if it is also affected by this issue
D Morgan, is jakarta-poi affected by this?
Assignee: bugsquad => dmorganec
pushed on the BS
Mageia 1 is EOL, so removing that from the whiteboard.
D Morgan is investigating if we need to keep jakarta-poi in Cauldron.
D Morgan patched jakarta-poi in Mageia 2.
I'll assign to QA once jakarta-poi is resolved in Cauldron.
Built for this update:
apache-poi-3.8-1.1.mga2
apache-poi-javadoc-3.8-1.1.mga2
apache-poi-manual-3.8-1.1.mga2
jakarta-poi-3.1-0.0.4.1.mga2
jakarta-poi-javadoc-3.1-0.0.4.1.mga2
jakarta-poi-manual-3.1-0.0.4.1.mga2
from SRPMS:
apache-poi-3.8-1.1.mga2.src.rpm
jakarta-poi-3.1-0.0.4.1.mga2.src.rpm
Whiteboard: MGA2TOO, MGA1TOO => MGA2TOO
jakarta-poi removed from Cauldron. Assigning to QA.
As with the other Java package updates from last year, testing that they install fine should be sufficient.
Advisory:
========================
Updated apache-poi and jakarta-poi packages fix security vulnerability:
It was discovered that Apache POI, a Java implementation of the Microsoft Office file formats, would allocate arbitrary amounts of memory when processing crafted documents. This could impact the stability of the Java virtual machine (CVE-2012-0213).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0213
http://www.debian.org/security/2012/dsa-2468
========================
Updated packages in core/updates_testing:
========================
apache-poi-3.8-1.1.mga2
apache-poi-javadoc-3.8-1.1.mga2
apache-poi-manual-3.8-1.1.mga2
jakarta-poi-3.1-0.0.4.1.mga2
jakarta-poi-javadoc-3.1-0.0.4.1.mga2
jakarta-poi-manual-3.1-0.0.4.1.mga2
from SRPMS:
apache-poi-3.8-1.1.mga2.src.rpm
jakarta-poi-3.1-0.0.4.1.mga2.src.rpm
Version: Cauldron => 2
Assignee: dmorganec => qa-bugs
Whiteboard: MGA2TOO => (none)
Severity: normal => major
No PoC, so just testing that jackrabbit works with the updates.
CC: (none) => davidwhodgins
Gave up trying to figure out jackrabbit, so now I'm just trying to test apache-poi directly.
From https://poi.apache.org/spreadsheet/examples.html I ran
wget http://svn.apache.org/repos/asf/poi/trunk/src/examples/src/org/apache/poi/ss/examples/BusinessPlan.java
javac BusinessPlan.java
java BusinessPlan -xls
and it fails with ...
Exception in thread "main" java.lang.NoClassDefFoundError: BusinessPlan (wrong name: org/apache/poi/ss/examples/BusinessPlan)
    at java.lang.ClassLoader.defineClass1(Native Method)
    at java.lang.ClassLoader.defineClass(ClassLoader.java:791)
    at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)
    at java.net.URLClassLoader.defineClass(URLClassLoader.java:449)
    at java.net.URLClassLoader.access$100(URLClassLoader.java:71)
    at java.net.URLClassLoader$1.run(URLClassLoader.java:361)
    at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:423)
    at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:308)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:356)
    at sun.launcher.LauncherHelper.checkAndLoadMain(LauncherHelper.java:480)
Suggestions?
Whiteboard: (none) => feedback
Is that a regression?
I get 65 errors with javac BusinessPlan.java and 72 errors with javac CalendarDemo.java and they don't create executables.
It is not a regression though. Not entirely sure we're using it properly. WDYT?
This Java stuff is tricky. If it's not a regression, let's push this.
This might help though, this:
Exception in thread "main" java.lang.NoClassDefFoundError: BusinessPlan (wrong name: org/apache/poi/ss/examples/BusinessPlan)
is because of this at the top of the java file:
package org.apache.poi.ss.examples;
What it means is, it expects the file not to be named BusinessPlan.java in the current working directory, but rather:
org/apache/poi/ss/examples/BusinessPlan/BusinessPlan.java
Commented that line and it still gives errors with javac for me.
No PoC so I think we'll just have to validate on the basis that the update installs ok, as you suggested.
Validating
Advisory & srpms in comment 8
Could sysadmin please push from core/updates_testing to core/updates
Thanks!
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: feedback => (none)
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0044
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED