| Field | Value |
|---|---|
| Summary | <dev-java/velocity-2.3: multiple vulnerabilities (CVE-2020-{13936,13959}) |
| Product | Gentoo Security |
| Reporter | John Helmert III <ajak> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | normal |
| CC | fordfrog, java |
| Priority | Normal |
| Keywords | PullRequest |
| Version | unspecified |
| Flags | nattka: sanity-check+ |
| Hardware | All |
| OS | Linux |
| See Also | https://github.com/gentoo/gentoo/pull/20429 |
| Whiteboard | B2 [glsa+ cve] |
| Package list | dev-java/velocity-2.3 |
| Runtime testing required | --- |
| Bug Depends on | 736962, 785772 |
| Bug Blocks | |
| Attachments | |
Description
John Helmert III
2021-03-10 13:21:40 UTC
Created attachment 697773 [details] velocity-2.3.ebuild

(In reply to John Helmert III from comment #0)
> CVE-2020-13936
> [...]
> allow untrusted users to upload/modify velocity templates running Apache
> Velocity Engine versions up to 2.2.
>

Upgrading to velocity-engine-2.3 needs
* commons-io-2.8.0
* hsqldb-2.5.1

(See attached velocity-2.3.ebuild)

The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=71aa218c86852f9b6b3891ae33bb93445053dc8d

commit 71aa218c86852f9b6b3891ae33bb93445053dc8d
Author: Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2021-04-17 20:23:16 +0000
Commit: Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2021-04-25 15:23:46 +0000

dev-java/velocity: bump to 2.3

Bug: https://bugs.gentoo.org/775248
Package-Manager: Portage-3.0.17, Repoman-3.0.2
Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
Closes: https://github.com/gentoo/gentoo/pull/20429
Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/velocity/Manifest            |   1 +
 dev-java/velocity/velocity-2.3.ebuild | 144 ++++++++++++++++++++++++++++++++++
 2 files changed, 145 insertions(+)

Now that I look closer I see CVE-2020-13959 doesn't apply to dev-java/velocity, so thank you for the bump and please stabilize when ready!

Sanity check failed:
> dev-java/velocity-2.3
> depend amd64 dev profile default/linux/amd64/17.0/x32 (1 total)
> >=dev-java/commons-io-2.8.0:1
> >=dev-java/commons-lang-3.11:3.6
> >=dev-java/slf4j-api-1.7.30:0
> >=dev-java/slf4j-simple-1.7.30:0
> depend amd64 stable profile default/linux/amd64/17.1 (26 total)
> >=dev-java/commons-io-2.8.0:1
> >=dev-java/commons-lang-3.11:3.6
> >=dev-java/slf4j-api-1.7.30:0
> >=dev-java/slf4j-simple-1.7.30:0
> rdepend amd64 dev profile default/linux/amd64/17.0/x32 (1 total)
> >=dev-java/commons-io-2.8.0:1
> >=dev-java/commons-lang-3.11:3.6
> >=dev-java/slf4j-api-1.7.30:0
> rdepend amd64 stable profile default/linux/amd64/17.1 (26 total)
> >=dev-java/commons-io-2.8.0:1
> >=dev-java/commons-lang-3.11:3.6
> >=dev-java/slf4j-api-1.7.30:0
Sanity check failed:
> dev-java/velocity-2.3
> depend amd64 dev profile default/linux/amd64/17.0/x32 (1 total)
> >=dev-java/commons-lang-3.11:3.6
> depend amd64 stable profile default/linux/amd64/17.1 (26 total)
> >=dev-java/commons-lang-3.11:3.6
> rdepend amd64 dev profile default/linux/amd64/17.0/x32 (1 total)
> >=dev-java/commons-lang-3.11:3.6
> rdepend amd64 stable profile default/linux/amd64/17.1 (26 total)
> >=dev-java/commons-lang-3.11:3.6
Sanity check failed:
> dev-java/velocity-2.3
> depend amd64 dev profile default/linux/amd64/17.0/x32 (1 total)
> >=dev-java/commons-io-2.8.0:1
> >=dev-java/slf4j-api-1.7.30:0
> >=dev-java/slf4j-simple-1.7.30:0
> depend amd64 stable profile default/linux/amd64/17.1 (15 total)
> >=dev-java/commons-io-2.8.0:1
> >=dev-java/slf4j-api-1.7.30:0
> >=dev-java/slf4j-simple-1.7.30:0
> rdepend amd64 dev profile default/linux/amd64/17.0/x32 (1 total)
> >=dev-java/commons-io-2.8.0:1
> >=dev-java/slf4j-api-1.7.30:0
> rdepend amd64 stable profile default/linux/amd64/17.1 (15 total)
> >=dev-java/commons-io-2.8.0:1
> >=dev-java/slf4j-api-1.7.30:0
All sanity-check issues have been resolved

Unable to check for sanity:
> dependent bug #782568 is missing keywords
All sanity-check issues have been resolved

amd64 done

x86 done

all arches done

The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2c78da96b1afc9c1374508c38bd32514273d1e8d

commit 2c78da96b1afc9c1374508c38bd32514273d1e8d
Author: Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2021-05-18 18:03:45 +0000
Commit: Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2021-05-18 18:03:45 +0000

dev-java/velocity: removed obsolete and vulnerable 1.7-r2

Bug: https://bugs.gentoo.org/775248
Package-Manager: Portage-3.0.18, Repoman-3.0.3
Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/velocity/Manifest               |  1 -
 dev-java/velocity/velocity-1.7-r2.ebuild | 67 --------------------------------
 2 files changed, 68 deletions(-)

the tree is clean now, you can proceed.

Thank you! GLSA request filed.

This issue was resolved and addressed in GLSA 202107-52 at https://security.gentoo.org/glsa/202107-52 by GLSA coordinator John Helmert III (ajak).