CVE-2020-13936 (https://lists.apache.org/thread.html/r01043f584cbd47959fabe18fff64de940f81a65024bb8dddbda31d9a%40%3Cuser.velocity.apache.org%3E): An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify velocity templates running Apache Velocity Engine versions up to 2.2.

CVE-2020-13959 (https://lists.apache.org/thread.html/r6802a38c3041059e763a1aadd7b37fe95de75408144b5805e29b84e3%40%3Cuser.velocity.apache.org%3E): The default error page for VelocityView in Apache Velocity Tools prior to 3.1 reflects back the vm file that was entered as part of the URL. An attacker can set an XSS payload file as this vm file in the URL which results in this payload being executed. XSS vulnerabilities allow attackers to execute arbitrary JavaScript in the context of the attacked website and the attacked user. This can be abused to steal session cookies, perform requests in the name of the victim or for phishing attacks.

Please bump to 3.1.
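Added example, not part of this bug report or of the Velocity project's own code: it shows the precondition the CVE-2020-13936 text describes (untrusted input reaching Velocity as template source) next to the pattern where the same input is only a context value. The engine is configured to use SecureUberspector explicitly instead of relying on whatever a given Velocity version defaults to; the class and property names are the real Velocity ones, the sample input and the method names in this class are constructed for the example.

```java
import java.io.StringWriter;
import java.util.Properties;

import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.runtime.RuntimeConstants;

/**
 * Added example (not from the bug report or the Velocity project).
 * Velocity interprets whatever it is handed as a template, so the security
 * question is whether attacker-controlled bytes reach the parser (unsafe)
 * or only the context (safe).
 */
public class VelocityTrustBoundary {

    /** Engine whose method introspection is restricted by SecureUberspector.
     *  Set explicitly here; this does not rely on any version's default. */
    static VelocityEngine hardenedEngine() {
        Properties props = new Properties();
        props.setProperty(RuntimeConstants.UBERSPECT_CLASSNAME,
                "org.apache.velocity.util.introspection.SecureUberspector");
        VelocityEngine engine = new VelocityEngine();
        engine.init(props);
        return engine;
    }

    /** UNSAFE pattern: the caller's string *is* the template source, so any
     *  directive or method call it contains runs with the app's privileges.
     *  This is the "attacker able to modify Velocity templates" case. */
    static String renderUntrustedTemplate(VelocityEngine engine, String userSupplied) {
        StringWriter out = new StringWriter();
        engine.evaluate(new VelocityContext(), out, "user-template", userSupplied);
        return out.toString();
    }

    /** SAFE pattern: the template is an application constant; user input is
     *  only a context value, which is written out verbatim, never parsed. */
    static String renderTrustedTemplate(VelocityEngine engine, String userSupplied) {
        VelocityContext ctx = new VelocityContext();
        ctx.put("name", userSupplied);
        StringWriter out = new StringWriter();
        engine.evaluate(ctx, out, "greeting", "Hello, $name!");
        return out.toString();
    }

    public static void main(String[] args) {
        VelocityEngine engine = hardenedEngine();
        // Constructed input: a string that carries Velocity syntax.
        String hostile = "#set($x = 6 * 7)$x";

        // The #set directive is executed here: the input was parsed as a template.
        System.out.println(renderUntrustedTemplate(engine, hostile));
        // The same bytes are inert here: $name is substituted, not re-parsed.
        System.out.println(renderTrustedTemplate(engine, hostile));
    }
}
```

Two caveats a practitioner would want: SecureUberspector only narrows what a template can reach through reflection (it does not make an attacker-authored template safe, so the bump to a fixed engine plus never rendering untrusted template text are the actual fix), and Velocity does not HTML-escape context values, so when the output is HTML the value of `$name` must be escaped by the application, which is the same class of problem the CVE-2020-13959 reflection describes.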
Created attachment 697773 [details]
velocity-2.3.ebuild

(In reply to John Helmert III from comment #0)
> CVE-2020-13936
> [...]
> allow untrusted users to upload/modify velocity templates running Apache
> Velocity Engine versions up to 2.2.
>

Upgrading to velocity-engine-2.3 needs
* commons-io-2.8.0
* hsqldb-2.5.1

(See attached velocity-2.3.ebuild)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=71aa218c86852f9b6b3891ae33bb93445053dc8d

commit 71aa218c86852f9b6b3891ae33bb93445053dc8d
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2021-04-17 20:23:16 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2021-04-25 15:23:46 +0000

    dev-java/velocity: bump to 2.3

    Bug: https://bugs.gentoo.org/775248
    Package-Manager: Portage-3.0.17, Repoman-3.0.2
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Closes: https://github.com/gentoo/gentoo/pull/20429
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/velocity/Manifest            |   1 +
 dev-java/velocity/velocity-2.3.ebuild | 144 ++++++++++++++++++++++++++++++++++
 2 files changed, 145 insertions(+)
Now that I look closer I see CVE-2020-13959 doesn't apply to dev-java/velocity, so thank you for the bump and please stabilize when ready!
Sanity check failed:

> dev-java/velocity-2.3
>   depend amd64 dev profile default/linux/amd64/17.0/x32 (1 total)
>     >=dev-java/commons-io-2.8.0:1
>     >=dev-java/commons-lang-3.11:3.6
>     >=dev-java/slf4j-api-1.7.30:0
>     >=dev-java/slf4j-simple-1.7.30:0
>   depend amd64 stable profile default/linux/amd64/17.1 (26 total)
>     >=dev-java/commons-io-2.8.0:1
>     >=dev-java/commons-lang-3.11:3.6
>     >=dev-java/slf4j-api-1.7.30:0
>     >=dev-java/slf4j-simple-1.7.30:0
>   rdepend amd64 dev profile default/linux/amd64/17.0/x32 (1 total)
>     >=dev-java/commons-io-2.8.0:1
>     >=dev-java/commons-lang-3.11:3.6
>     >=dev-java/slf4j-api-1.7.30:0
>   rdepend amd64 stable profile default/linux/amd64/17.1 (26 total)
>     >=dev-java/commons-io-2.8.0:1
>     >=dev-java/commons-lang-3.11:3.6
>     >=dev-java/slf4j-api-1.7.30:0
Sanity check failed:

> dev-java/velocity-2.3
>   depend amd64 dev profile default/linux/amd64/17.0/x32 (1 total)
>     >=dev-java/commons-lang-3.11:3.6
>   depend amd64 stable profile default/linux/amd64/17.1 (26 total)
>     >=dev-java/commons-lang-3.11:3.6
>   rdepend amd64 dev profile default/linux/amd64/17.0/x32 (1 total)
>     >=dev-java/commons-lang-3.11:3.6
>   rdepend amd64 stable profile default/linux/amd64/17.1 (26 total)
>     >=dev-java/commons-lang-3.11:3.6
Sanity check failed:

> dev-java/velocity-2.3
>   depend amd64 dev profile default/linux/amd64/17.0/x32 (1 total)
>     >=dev-java/commons-io-2.8.0:1
>     >=dev-java/slf4j-api-1.7.30:0
>     >=dev-java/slf4j-simple-1.7.30:0
>   depend amd64 stable profile default/linux/amd64/17.1 (15 total)
>     >=dev-java/commons-io-2.8.0:1
>     >=dev-java/slf4j-api-1.7.30:0
>     >=dev-java/slf4j-simple-1.7.30:0
>   rdepend amd64 dev profile default/linux/amd64/17.0/x32 (1 total)
>     >=dev-java/commons-io-2.8.0:1
>     >=dev-java/slf4j-api-1.7.30:0
>   rdepend amd64 stable profile default/linux/amd64/17.1 (15 total)
>     >=dev-java/commons-io-2.8.0:1
>     >=dev-java/slf4j-api-1.7.30:0
All sanity-check issues have been resolved
Unable to check for sanity:

> dependent bug #782568 is missing keywords
amd64 done
x86 done

all arches done
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2c78da96b1afc9c1374508c38bd32514273d1e8d

commit 2c78da96b1afc9c1374508c38bd32514273d1e8d
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2021-05-18 18:03:45 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2021-05-18 18:03:45 +0000

    dev-java/velocity: removed obsolete and vulnerable 1.7-r2

    Bug: https://bugs.gentoo.org/775248
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/velocity/Manifest               |  1 -
 dev-java/velocity/velocity-1.7-r2.ebuild | 67 --------------------------------
 2 files changed, 68 deletions(-)
the tree is clean now, you can proceed.
Thank you!
GLSA request filed.
This issue was resolved and addressed in GLSA 202107-52 at https://security.gentoo.org/glsa/202107-52 by GLSA coordinator John Helmert III (ajak).