Description: "XML External Entity vulnerability in default SAX parser"

Patches:
* https://github.com/dom4j/dom4j/commit/1707bf3d898a8ada3b213acb0e3b38f16eaae73d
* https://github.com/dom4j/dom4j/commit/a8228522a99a02146106672a34c104adbda5c658
*** Bug 720728 has been marked as a duplicate of this bug. ***
CVE-2020-10683 (https://nvd.nist.gov/vuln/detail/CVE-2020-10683): dom4j before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j.
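As an added illustration, not part of this bug report or of dom4j's own code: the explicit SAXReader hardening that the OWASP XXE Prevention Cheat Sheet describes for dom4j, applied so that the safe behaviour does not depend on which dom4j version (for instance the 1.6.1 still in the tree at the time) happens to be on the classpath. The feature URIs are the standard SAX and Xerces ones; the class name and the two sample documents are constructed for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

import org.dom4j.Document;
import org.dom4j.DocumentException;
import org.dom4j.io.SAXReader;
import org.xml.sax.SAXException;

public class SafeDom4jReader {

    // Build a SAXReader with the OWASP-recommended XXE hardening applied explicitly,
    // instead of relying on the library default (unsafe before dom4j 2.1.3).
    public static SAXReader hardenedReader() throws SAXException {
        SAXReader reader = new SAXReader();
        // Reject any DOCTYPE declaration outright: no inline or external DTD, no entities.
        reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a caller later relaxes the first feature.
        reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
        reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        return reader;
    }

    public static Document parse(SAXReader reader, String xml) throws DocumentException {
        InputStream in = new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8));
        return reader.read(in);
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a plain document and one carrying a DOCTYPE that declares
        // an external entity (the construct CVE-2020-10683 is about). The entity URI is
        // a non-resolvable placeholder; the hardened reader never tries to fetch it.
        String plain = "<?xml version=\"1.0\"?><config><name>demo</name></config>";
        String withDoctype = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE config [<!ENTITY ext SYSTEM \"http://example.invalid/placeholder.dtd\">]>"
            + "<config><name>&ext;</name></config>";

        SAXReader reader = hardenedReader();
        System.out.println("plain: " + parse(reader, plain).getRootElement().elementText("name"));
        try {
            parse(reader, withDoctype);
            System.out.println("DOCTYPE input was accepted: hardening is NOT in effect");
        } catch (DocumentException e) {
            // Expected: the parser refuses the DOCTYPE before any entity could be resolved.
            System.out.println("DOCTYPE input rejected: " + e.getMessage());
        }
    }
}
```

The second branch of the try block is the check worth keeping in a unit test: if a DOCTYPE-bearing document parses without a DocumentException, the reader in use is not hardened.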
*** Bug 790521 has been marked as a duplicate of this bug. ***
Ping, blocker fixed
We still only have the unpatched version 1.6.1. Work on a bump to the latest dom4j is in progress...
(In reply to Miroslav Šulc from comment #5)
> we still only have unpatched version 1.6.1. work on bump to the latest dom4j
> is in progress...

dom4j-2.1.3 (https://github.com/dom4j/dom4j/tree/version-2.1.3) depends on jaxb-api (https://github.com/gentoo/gentoo/pull/21319). This however cannot be used until there is a solution for using Java modules. See https://github.com/gentoo/gentoo/pull/21326#pullrequestreview-687829925
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fdefd7b25414d9e57612fb8b43c28e7e6e65ce4d

commit fdefd7b25414d9e57612fb8b43c28e7e6e65ce4d
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2021-05-17 13:24:31 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2021-07-17 12:09:03 +0000

    dev-java/dom4j: bump to 2.1.3 (CVE-2020-10683)

    Bug: https://bugs.gentoo.org/719318
    rewritten with java-pkg-simple.eclass introducing "jaxen" USE flag

    Package-Manager: Portage-3.0.18, Repoman-3.0.2
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Closes: https://github.com/gentoo/gentoo/pull/21319
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/dom4j/Manifest                          |  2 +
 dev-java/dom4j/dom4j-2.1.3.ebuild                | 75 ++++++++++++++++++++++
 .../dom4j-2.1.3-xpp3-add-removeAttribute.patch   | 47 ++++++++++++++
 dev-java/dom4j/metadata.xml                      |  3 +
 4 files changed, 127 insertions(+)
This can go stable. All tests pass, packages depending on dom4j-2.1.3 emerge fine, so it should be safe to stabilize. Thanks to vaukai for the great work!
Sanity check failed:
> dev-java/dom4j-2.1.3
>   depend amd64 dev profile default/linux/amd64/17.0/x32 (2 total)
>     dev-java/jaxb-api:2
>   depend amd64 stable profile default/linux/amd64/17.1 (26 total)
>     dev-java/jaxb-api:2
>   rdepend amd64 dev profile default/linux/amd64/17.0/x32 (2 total)
>     dev-java/jaxb-api:2
>   rdepend amd64 stable profile default/linux/amd64/17.1 (26 total)
>     dev-java/jaxb-api:2
Sanity check failed:
> dev-java/jaxb-api-2.3.3
>   depend amd64 dev profile default/linux/amd64/17.0/x32 (2 total)
>     dev-java/jakarta-activation-api:1
>   depend amd64 stable profile default/linux/amd64/17.1 (26 total)
>     dev-java/jakarta-activation-api:1
>   rdepend amd64 dev profile default/linux/amd64/17.0/x32 (2 total)
>     dev-java/jakarta-activation-api:1
>   rdepend amd64 stable profile default/linux/amd64/17.1 (26 total)
>     dev-java/jakarta-activation-api:1
do we need to create a separate stabilization bug or is it fine to use this one for stabilization?
We're already rolling here, so it's fine to let it finish
amd64 done
x86 stable. Maintainer(s), please cleanup. Security, please vote.
Keywords are not fully specified and arches are not CC-ed for the following packages:
- =dev-java/dom4j-2.1.3
- =dev-java/jakarta-activation-api-2.0.1-r1
Sanity check failed:
> dev-java/dom4j-2.1.3
>   depend arm64 stable profile default/linux/arm64/17.0 (23 total)
>     dev-java/testng:0
Sanity check failed:
> dev-java/testng-6.9.10
>   depend arm64 stable profile default/linux/arm64/17.0 (23 total)
>     dev-java/guice:4
>     dev-java/jcommander:0
>     dev-java/snakeyaml:0
>   rdepend arm64 stable profile default/linux/arm64/17.0 (23 total)
>     dev-java/guice:4
>     dev-java/jcommander:0
>     dev-java/snakeyaml:0
> dev-java/bsh-2.0_beta6-r1
>   depend arm64 stable profile default/linux/arm64/17.0 (9 total)
>     dev-java/bsf:2.3
>   rdepend arm64 stable profile default/linux/arm64/17.0 (9 total)
>     dev-java/bsf:2.3
Sanity check failed:
> dev-java/testng-6.9.10
>   depend ppc64 stable profile default/linux/ppc64/17.0 (14 total)
>     dev-java/guice:4
>     dev-java/jcommander:0
>     dev-java/snakeyaml:0
>   rdepend ppc64 stable profile default/linux/ppc64/17.0 (14 total)
>     dev-java/guice:4
>     dev-java/jcommander:0
>     dev-java/snakeyaml:0
> dev-java/snakeyaml-1.28-r1
>   depend arm64 stable profile default/linux/arm64/17.0 (9 total)
>     >=dev-java/joda-time-2.10.10:0
>     >=dev-java/velocity-1.7:0
> dev-java/bsf-2.4.0-r2
>   depend arm64 stable profile default/linux/arm64/17.0 (9 total)
>     dev-java/jacl:0
>     dev-java/jython:2.7
>   rdepend arm64 stable profile default/linux/arm64/17.0 (9 total)
>     dev-java/jacl:0
>     dev-java/jython:2.7
> dev-java/guice-4.1
>   depend arm64 stable profile default/linux/arm64/17.0 (9 total)
>     >=dev-java/asm-5:4
>     dev-java/aopalliance:1
>     dev-java/guava:20
>     dev-java/javax-inject:0
>   rdepend arm64 stable profile default/linux/arm64/17.0 (9 total)
>     >=dev-java/asm-5:4
>     dev-java/aopalliance:1
>     dev-java/guava:20
>     dev-java/javax-inject:0
Sanity check failed:
> dev-java/guice-4.1
>   depend arm64 stable profile default/linux/arm64/17.0 (9 total)
>     >=dev-java/asm-5:4
>     dev-java/aopalliance:1
>     dev-java/guava:20
>     dev-java/javax-inject:0
>   rdepend arm64 stable profile default/linux/arm64/17.0 (9 total)
>     >=dev-java/asm-5:4
>     dev-java/aopalliance:1
>     dev-java/guava:20
>     dev-java/javax-inject:0
>   depend ppc64 stable profile default/linux/ppc64/17.0 (14 total)
>     dev-java/guava:20
>   rdepend ppc64 stable profile default/linux/ppc64/17.0 (14 total)
>     dev-java/guava:20
> dev-java/snakeyaml-1.28-r1
>   depend arm64 stable profile default/linux/arm64/17.0 (9 total)
>     >=dev-java/joda-time-2.10.10:0
>     >=dev-java/velocity-1.7:0
>   depend ppc64 stable profile default/linux/ppc64/17.0 (14 total)
>     >=dev-java/velocity-1.7:0
> dev-java/bsf-2.4.0-r2
>   depend arm64 stable profile default/linux/arm64/17.0 (9 total)
>     dev-java/jacl:0
>     dev-java/jython:2.7
>   rdepend arm64 stable profile default/linux/arm64/17.0 (9 total)
>     dev-java/jacl:0
>     dev-java/jython:2.7
Sanity check failed:
> dev-java/snakeyaml-1.28-r1
>   depend arm64 stable profile default/linux/arm64/17.0 (9 total)
>     >=dev-java/joda-time-2.10.10:0
>     >=dev-java/velocity-1.7:0
>   depend ppc64 stable profile default/linux/ppc64/17.0 (14 total)
>     >=dev-java/velocity-1.7:0
> dev-java/bsf-2.4.0-r2
>   depend arm64 stable profile default/linux/arm64/17.0 (9 total)
>     dev-java/jacl:0
>     dev-java/jython:2.7
>   rdepend arm64 stable profile default/linux/arm64/17.0 (9 total)
>     dev-java/jacl:0
>     dev-java/jython:2.7
> dev-java/guava-20.0
>   depend arm64 stable profile default/linux/arm64/17.0 (9 total)
>     dev-java/animal-sniffer-annotations:0
>     dev-java/error-prone-annotations:0
>     dev-java/j2objc-annotations:0
>     dev-java/jsr305:0
>   rdepend arm64 stable profile default/linux/arm64/17.0 (9 total)
>     dev-java/animal-sniffer-annotations:0
>     dev-java/error-prone-annotations:0
>     dev-java/jsr305:0
>   depend ppc64 stable profile default/linux/ppc64/17.0 (14 total)
>     dev-java/animal-sniffer-annotations:0
>     dev-java/error-prone-annotations:0
>     dev-java/j2objc-annotations:0
>   rdepend ppc64 stable profile default/linux/ppc64/17.0 (14 total)
>     dev-java/animal-sniffer-annotations:0
>     dev-java/error-prone-annotations:0
Sanity check failed:
> dev-java/joda-time-2.10.10-r1
>   depend arm64 stable profile default/linux/arm64/17.0 (9 total)
>     dev-java/joda-convert:0
>   rdepend arm64 stable profile default/linux/arm64/17.0 (9 total)
>     dev-java/joda-convert:0
> dev-java/velocity-2.3
>   bdepend arm64 stable profile default/linux/arm64/17.0 (9 total)
>     dev-java/javacc:0
>   depend arm64 stable profile default/linux/arm64/17.0 (9 total)
>     >=dev-java/slf4j-simple-1.7.30:0
>     dev-db/hsqldb:0
> dev-java/jython-2.7.0-r2
>   depend arm64 stable profile default/linux/arm64/17.0 (9 total)
>     dev-java/antlr:3
>     dev-java/commons-compress:0
>     dev-java/icu4j:52
>     dev-java/jffi:1.2
>     dev-java/jline:2
>     dev-java/jnr-constants:0
>     dev-java/jnr-netdb:1.0
>     dev-java/jnr-posix:3.0
>     dev-java/netty-transport:0
>     dev-java/stringtemplate:0
>     java-virtuals/script-api:0
>   rdepend arm64 stable profile default/linux/arm64/17.0 (9 total)
>     dev-java/antlr:3
>     dev-java/commons-compress:0
>     dev-java/icu4j:52
>     dev-java/jffi:1.2
>     dev-java/jline:2
>     dev-java/jnr-constants:0
>     dev-java/jnr-netdb:1.0
>     dev-java/jnr-posix:3.0
>     dev-java/netty-transport:0
>     dev-java/stringtemplate:0
>     java-virtuals/script-api:0
Unable to check for sanity:
> invalid package spec: dev-java/javacc5.0-r3
Unable to check for sanity:
> no match for package: dev-java/javac-5.0-r3
Sanity check failed:
> dev-java/jython-2.7.0-r2
>   depend arm64 stable profile default/linux/arm64/17.0 (9 total)
>     dev-java/antlr:3
>     dev-java/commons-compress:0
>     dev-java/icu4j:52
>     dev-java/jffi:1.2
>     dev-java/jline:2
>     dev-java/jnr-constants:0
>     dev-java/jnr-netdb:1.0
>     dev-java/jnr-posix:3.0
>     dev-java/netty-transport:0
>     dev-java/stringtemplate:0
>     java-virtuals/script-api:0
>   rdepend arm64 stable profile default/linux/arm64/17.0 (9 total)
>     dev-java/antlr:3
>     dev-java/commons-compress:0
>     dev-java/icu4j:52
>     dev-java/jffi:1.2
>     dev-java/jline:2
>     dev-java/jnr-constants:0
>     dev-java/jnr-netdb:1.0
>     dev-java/jnr-posix:3.0
>     dev-java/netty-transport:0
>     dev-java/stringtemplate:0
>     java-virtuals/script-api:0
Sanity check failed:
> dev-java/dom4j-2.1.3
>   depend arm64 stable profile default/linux/arm64/17.0 (8 total)
>     dev-java/testng:0
>   depend arm64 dev profile default/linux/arm64/17.0/hardened/selinux (1 total)
>     dev-java/testng:0
All sanity-check issues have been resolved
Unable to check for sanity:
> dependent bug #822933 has errors
Resetting sanity check; package list is empty or all packages are done.
Hm, seems we still need to stabilize for arm64 and ppc64