Bug 6331 - plexus-archiver new security issue CVE-2012-2098 (was for apache-commons-compress)
Summary: plexus-archiver new security issue CVE-2012-2098 (was for apache-commons-comp...
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL: http://lwn.net/Vulnerabilities/500176/
Whiteboard: has_procedure mga3-64-ok mga3-32-ok a...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2012-06-04 22:13 CEST by David Walser
Modified: 2014-02-12 18:44 CET

See Also:
Source RPM: plexus-archiver
CVE:
Status comment:


Attachments

Description David Walser 2012-06-04 22:13:37 CEST
Fedora has issued an advisory on May 26:
http://lists.fedoraproject.org/pipermail/package-announce/2012-June/081697.html

It is fixed upstream in 1.4.1, so Cauldron/Mageia 2 are also affected.
David Walser 2012-06-04 22:13:43 CEST

CC: (none) => dmorganec

Comment 1 David Walser 2012-06-14 23:59:29 CEST
Changing the version assignments for the new policy.

Just so it's still clear, Cauldron, Mageia 2, and Mageia 1 are all affected.

Version: 1 => Cauldron
Whiteboard: (none) => MGA2TOO, MGA1TOO

Comment 2 D Morgan 2012-07-04 08:10:45 CEST
Cauldron is fixed.
Comment 3 D Morgan 2012-07-04 09:43:13 CEST
New ant is part of this update too, see:

http://mail-archives.apache.org/mod_mbox/www-announce/201205.mbox/%3C87ipfnvvxr.fsf@v35516.1blu.de%3E
Comment 4 D Morgan 2012-07-04 10:27:21 CEST
Pushed on mga2 (ant and apache-commons-compress).

ant is pushed on mga1.
Comment 5 David Walser 2012-07-04 15:11:08 CEST
Built so far:
xz-java-1.0-0.1.mga2.noarch.rpm
xz-java-javadoc-1.0-0.1.mga2.noarch.rpm
ant-1.8.4-0.2.mga2.noarch.rpm
ant-jmf-1.8.4-0.2.mga2.noarch.rpm
ant-swing-1.8.4-0.2.mga2.noarch.rpm
ant-antlr-1.8.4-0.2.mga2.noarch.rpm
ant-apache-bsf-1.8.4-0.2.mga2.noarch.rpm
ant-apache-resolver-1.8.4-0.2.mga2.noarch.rpm
ant-commons-logging-1.8.4-0.2.mga2.noarch.rpm
ant-commons-net-1.8.4-0.2.mga2.noarch.rpm
ant-apache-bcel-1.8.4-0.2.mga2.noarch.rpm
ant-apache-log4j-1.8.4-0.2.mga2.noarch.rpm
ant-apache-oro-1.8.4-0.2.mga2.noarch.rpm
ant-apache-regexp-1.8.4-0.2.mga2.noarch.rpm
ant-apache-xalan2-1.8.4-0.2.mga2.noarch.rpm
ant-javamail-1.8.4-0.2.mga2.noarch.rpm
ant-jdepend-1.8.4-0.2.mga2.noarch.rpm
ant-jsch-1.8.4-0.2.mga2.noarch.rpm
ant-junit-1.8.4-0.2.mga2.noarch.rpm
ant-testutil-1.8.4-0.2.mga2.noarch.rpm
ant-scripts-1.8.4-0.2.mga2.noarch.rpm
ant-manual-1.8.4-0.2.mga2.noarch.rpm
ant-javadoc-1.8.4-0.2.mga2.noarch.rpm
apache-commons-compress-1.4.1-0.1.mga2.noarch.rpm
apache-commons-compress-javadoc-1.4.1-0.1.mga2.noarch.rpm

from SRPMS:
xz-java-1.0-0.1.mga2.src.rpm
ant-1.8.4-0.2.mga2.src.rpm
apache-commons-compress-1.4.1-0.1.mga2.src.rpm

Still pending:
Updates for Mageia 1 (including ant, which failed to build)

Version: Cauldron => 2
Whiteboard: MGA2TOO, MGA1TOO => MGA1TOO

Comment 6 David Walser 2012-07-04 15:12:01 CEST
Also still possibly needed:
Updates for apache-commons-compress10 if it is also affected by this issue.
Comment 7 D Morgan 2012-07-05 00:27:42 CEST
There is a problem in mga2: all the ant packages are not available.
Comment 8 David Walser 2012-07-05 00:35:33 CEST
(In reply to comment #7)
> There is a problem in mga2: all the ant packages are not available.

Indeed.  This is the same thing that happened to the firefox-l10n package in Mageia 2 updates_testing in the initial attempt to build the update for 10.0.5.

Is iurt only eating packages in Mageia 2 updates_testing?

CC: (none) => sysadmin-bugs

Comment 9 D Morgan 2012-07-05 00:39:09 CEST
Fixed now for ant in mga2.
Comment 10 David Walser 2012-07-05 00:47:54 CEST
(In reply to comment #9)
> Fixed now for ant in mga2.

Thanks.  Subrel was bumped, so I'll provide a new package list.  Hopefully none get eaten.

xz-java-1.0-0.1.mga2.noarch.rpm
xz-java-javadoc-1.0-0.1.mga2.noarch.rpm
ant-1.8.4-0.3.mga2.noarch.rpm
ant-jmf-1.8.4-0.3.mga2.noarch.rpm
ant-swing-1.8.4-0.3.mga2.noarch.rpm
ant-antlr-1.8.4-0.3.mga2.noarch.rpm
ant-apache-bsf-1.8.4-0.3.mga2.noarch.rpm
ant-apache-resolver-1.8.4-0.3.mga2.noarch.rpm
ant-commons-logging-1.8.4-0.3.mga2.noarch.rpm
ant-commons-net-1.8.4-0.3.mga2.noarch.rpm
ant-apache-bcel-1.8.4-0.3.mga2.noarch.rpm
ant-apache-log4j-1.8.4-0.3.mga2.noarch.rpm
ant-apache-oro-1.8.4-0.3.mga2.noarch.rpm
ant-apache-regexp-1.8.4-0.3.mga2.noarch.rpm
ant-apache-xalan2-1.8.4-0.3.mga2.noarch.rpm
ant-javamail-1.8.4-0.3.mga2.noarch.rpm
ant-jdepend-1.8.4-0.3.mga2.noarch.rpm
ant-jsch-1.8.4-0.3.mga2.noarch.rpm
ant-junit-1.8.4-0.3.mga2.noarch.rpm
ant-testutil-1.8.4-0.3.mga2.noarch.rpm
ant-scripts-1.8.4-0.3.mga2.noarch.rpm
ant-manual-1.8.4-0.3.mga2.noarch.rpm
ant-javadoc-1.8.4-0.3.mga2.noarch.rpm
apache-commons-compress-1.4.1-0.1.mga2.noarch.rpm
apache-commons-compress-javadoc-1.4.1-0.1.mga2.noarch.rpm

from SRPMS:
xz-java-1.0-0.1.mga2.src.rpm
ant-1.8.4-0.3.mga2.src.rpm
apache-commons-compress-1.4.1-0.1.mga2.src.rpm

Still pending:
Updates for Mageia 1
Comment 11 David Walser 2012-12-04 00:24:14 CET
D Morgan, is apache-commons-compress10 affected by this?
Comment 12 David Walser 2013-05-13 19:35:37 CEST
Removing Mageia 1 from the whiteboard due to EOL.

Fedora has issued more advisories for this, as it also affects plexus-archiver.
http://lwn.net/Alerts/550441/

Version: 2 => Cauldron
Whiteboard: MGA1TOO => MGA2TOO

Comment 13 David Walser 2013-05-13 21:24:28 CEST
(In reply to David Walser from comment #12)
> Fedora has issued more advisories for this, as it also affects
> plexus-archiver.
http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105060.html
David Walser 2013-08-27 16:52:32 CEST

Assignee: bugsquad => dmorganec

Comment 14 David Walser 2013-11-21 22:44:01 CET
Shame that we never issued this update for Mageia 2 (EOL now).

This still needs to be looked into for plexus-archiver for Mageia 3 and Cauldron.

Summary: apache-commons-compress new security issue CVE-2012-2098 => plexus-archiver new security issue CVE-2012-2098 (was for apache-commons-compress)
Whiteboard: MGA2TOO => MGA3TOO

David Walser 2013-11-21 23:05:17 CET

Blocks: (none) => 11726

Comment 15 David Walser 2014-01-03 14:42:19 CET
I believe this is fixed in plexus-archiver 2.3, so Cauldron should be fine now (has 2.4.2), but Mageia 3 needs an update.

Version: Cauldron => 3
Blocks: 11726 => (none)
Whiteboard: MGA3TOO => (none)

Comment 16 David Walser 2014-01-03 16:32:42 CET
Patched packages uploaded for Mageia 3 and Cauldron.

Advisory:
========================

Updated plexus-archiver packages fix security vulnerability:

Algorithmic complexity vulnerability in the sorting algorithms in bzip2
compressing stream (BZip2CompressorOutputStream) in Apache Commons Compress
before 1.4.1 allows remote attackers to cause a denial of service (CPU
consumption) via a file with many repeating inputs (CVE-2012-2098).

plexus-archiver used an embedded copy of the affected code from Apache
Commons Compress, and therefore was affected by this.  It has been patched
to use the apache-commons-compress package, in which this issue has already
been fixed, for bzip2 compression and decompression.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2098
https://lists.fedoraproject.org/pipermail/package-announce/2012-June/081697.html
https://lists.fedoraproject.org/pipermail/package-announce/2013-May/105060.html
========================

Updated packages in core/updates_testing:
========================
plexus-archiver-2.3-1.mga3
plexus-archiver-javadoc-2.3-1.mga3

from plexus-archiver-2.3-1.mga3.src.rpm

Assignee: dmorganec => qa-bugs
Source RPM: apache-commons-compress, apache-commons-compress10 => plexus-archiver

Comment 17 claire robinson 2014-01-06 17:40:04 CET
The epoch has been reset so it is not being seen as an update.

not selecting plexus-archiver-2.3-1.mga3.noarch since the more recent 
plexus-archiver-2.2-3.mga3.noarch is installed

http://svnweb.mageia.org/packages/updates/3/plexus-archiver/current/SPECS/plexus-archiver.spec?r1=418302&r2=564228

Whiteboard: (none) => feedback
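
The "not selecting ... since the more recent ... is installed" message above is a consequence of how RPM orders packages: the epoch is compared before the version, so a build whose epoch was dropped loses to an installed package with a lower version but a higher epoch. The following Python is an added example, not code from the bug report, from rpm or from Mageia; it re-implements the epoch:version-release ordering in the spirit of rpm's rpmvercmp (the tilde and caret pre-release rules are omitted, which is an assumption about what is needed here) and replays the situation from this bug. The epoch value 1 and the exact installed EVR strings are constructed for the demonstration; the bug only states that an epoch existed and was reset.

```python
import re

# Added example (not from the Mageia bug or from rpm itself): a re-implementation
# of the RPM epoch:version-release ordering, used to show why a package whose
# epoch was reset is "not selected" even though its version is newer.
# Tilde/caret pre-release handling of the real rpmvercmp is omitted (assumption).


def _segments(s):
    """Split a version string into numeric and alphabetic runs; separators are dropped."""
    return re.findall(r"\d+|[A-Za-z]+", s)


def rpmvercmp(a, b):
    """Return -1, 0 or 1 following rpm's rpmvercmp rules (tilde/caret not handled)."""
    if a == b:
        return 0
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            xi, yi = int(x), int(y)
            if xi != yi:
                return -1 if xi < yi else 1
        elif xd != yd:
            # a numeric segment sorts after an alphabetic one
            return 1 if xd else -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) != len(sb):
        # all shared segments equal: the longer string is newer (1.4.1 > 1.4)
        return -1 if len(sa) < len(sb) else 1
    return 0


def parse_evr(evr):
    """Parse '[epoch:]version-release' into (epoch, version, release); epoch defaults to 0."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = int(e)
    version, _, release = evr.partition("-")
    return epoch, version, release


def evr_cmp(a, b):
    """Compare two EVR strings: epoch first, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return -1 if ea < eb else 1
    c = rpmvercmp(va, vb)
    if c != 0:
        return c
    return rpmvercmp(ra, rb)


def is_update(installed, candidate):
    """True when the package manager would select candidate over installed."""
    return evr_cmp(candidate, installed) > 0


if __name__ == "__main__":
    # Constructed values: the bug says the installed build carried an epoch and
    # the first upload did not; the epoch value 1 is an assumption.
    installed = "1:2.2-3.mga3"
    first_upload = "0:2.3-1.mga3"     # epoch reset -> rejected as an update
    fixed_upload = "1:2.3-1.1.mga3"   # epoch restored, subrel bumped -> accepted
    for cand in (first_upload, fixed_upload):
        print(f"{cand} replaces {installed}: {is_update(installed, cand)}")
```

Running it prints False for the first upload and True for the rebuilt one, which is the same decision the package manager reported in this bug; the release bump to 1.1 also illustrates the later advice to raise the subrel when resubmitting with the same version.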

Comment 18 claire robinson 2014-01-06 17:43:48 CET
Epoch was added back in Cauldron in September.
Comment 19 David Walser 2014-01-06 17:44:22 CET
Thanks.  I've fixed the epoch and it's rebuilding now.  The updated packages should otherwise have the same name, version, and release.
David Walser 2014-01-06 17:44:27 CET

Whiteboard: feedback => (none)

claire robinson 2014-01-06 17:45:08 CET

Whiteboard: (none) => feedback

David Walser 2014-01-06 17:45:48 CET

Whiteboard: feedback => (none)

Comment 20 claire robinson 2014-01-06 17:48:59 CET
Sorry, that was fast :)
Comment 21 Samuel Verschelde 2014-01-22 19:37:55 CET
The packages are missing in x86_64 media (there's a SRPM but no RPM).

Maybe something funny happened when submitting new packages with the same version and a new epoch. I'd advise increasing the subrel before submitting again.

CC: (none) => stormi
Whiteboard: (none) => feedback

Comment 22 David Walser 2014-01-22 20:44:52 CET
Rebuild submitted.

Updated packages in core/updates_testing:
========================
plexus-archiver-2.3-1.1.mga3
plexus-archiver-javadoc-2.3-1.1.mga3

from plexus-archiver-2.3-1.1.mga3.src.rpm

Whiteboard: feedback => (none)

Comment 23 claire robinson 2014-02-11 20:18:33 CET
As with most Java stuff, just ensuring it updates cleanly.
It adds a lot of new dependencies but does update OK.

Mga3 64 ok

Whiteboard: (none) => has_procedure mga3-64-ok

Comment 24 claire robinson 2014-02-11 20:23:30 CET
Testing complete, mga3 32.

Whiteboard: has_procedure mga3-64-ok => has_procedure mga3-64-ok mga3-32-ok

Comment 25 Rémi Verschelde 2014-02-12 09:31:44 CET
Validating update.

Advisory uploaded; could a sysadmin push to core/updates for Mageia 3? Thanks!

Keywords: (none) => validated_update
CC: (none) => remi
Whiteboard: has_procedure mga3-64-ok mga3-32-ok => has_procedure mga3-64-ok mga3-32-ok advisory

Comment 26 Thomas Backlund 2014-02-12 18:44:33 CET
Update pushed:
http://advisories.mageia.org/MGASA-2014-0056.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
