Summary: | dev-java/xmlrpc: Multiple vulnerabilities (CVE-2016-{5002,5003}. CVE-2019-17570) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Sam James <sam> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | ajak, java |
Priority: | Normal | Keywords: | PullRequest |
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
See Also: | https://github.com/gentoo/gentoo/pull/21673 | ||
Whiteboard: | B2 [glsa+ cve] | ||
Package list: | Runtime testing required: | --- |
Description
Sam James
2020-03-18 01:12:15 UTC
CVE-2019-17570: An untrusted deserialization was found in the org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult method of Apache XML-RPC (aka ws-xmlrpc) library. A malicious XML-RPC server could target a XML-RPC client causing it to execute arbitrary code. Apache XML-RPC is no longer maintained and this issue will not be fixed. Patch from Bugzilla (https://bugzilla.redhat.com/show_bug.cgi?id=1775193): https://bugzilla.redhat.com/attachment.cgi?id=1644752&action=diff This seems to indicate xmlrpc is no longer maintained: https://www.openwall.com/lists/oss-security/2020/01/24/2 The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d0d5aabee9dc3d54e42ab291daab4995def8d8e6 commit d0d5aabee9dc3d54e42ab291daab4995def8d8e6 Author: Volkmar W. Pogatzki <gentoo@pogatzki.net> AuthorDate: 2021-07-16 08:28:24 +0000 Commit: Miroslav Šulc <fordfrog@gentoo.org> CommitDate: 2021-07-16 08:54:24 +0000 package.mask: last-rite dev-java/xmlrpc Bug: https://bugs.gentoo.org/713098 Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net> Closes: https://github.com/gentoo/gentoo/pull/21673 Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org> profiles/package.mask | 5 +++++ 1 file changed, 5 insertions(+) The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ebd8cc5a482a443f3af3965678bff2fe317c228c commit ebd8cc5a482a443f3af3965678bff2fe317c228c Author: Jakov Smolic <jakov.smolic@sartura.hr> AuthorDate: 2021-08-14 19:12:31 +0000 Commit: David Seifert <soap@gentoo.org> CommitDate: 2021-08-14 19:12:31 +0000 dev-java/xmlrpc: Remove last-rited pkg Bug: https://bugs.gentoo.org/713098 Signed-off-by: Jakov Smolic <jakov.smolic@sartura.hr> Signed-off-by: David Seifert <soap@gentoo.org> dev-java/xmlrpc/Manifest | 2 -- dev-java/xmlrpc/metadata.xml | 13 -------- dev-java/xmlrpc/xmlrpc-3.1.3.ebuild | 61 ------------------------------------- profiles/package.mask | 5 --- 4 files changed, 81 deletions(-) The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=6ee7e022f8f6a1893b71cb4e09707f9eb56fa40b commit 6ee7e022f8f6a1893b71cb4e09707f9eb56fa40b Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2024-01-22 14:37:11 +0000 Commit: Hans de Graaff <graaff@gentoo.org> CommitDate: 2024-01-22 14:37:59 +0000 [ GLSA 202401-26 ] Apache XML-RPC: Multiple Vulnerabilities Bug: https://bugs.gentoo.org/713098 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: Hans de Graaff <graaff@gentoo.org> glsa-202401-26.xml | 42 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) |