MGASA-2019-0002 - Updated xmlrpc packages fix security vulnerabilities

Publication date: 05 Jan 2019
URL: https://advisories.mageia.org/MGASA-2019-0002.html
Type: security
Affected Mageia releases: 6
CVE: CVE-2016-5002,
     CVE-2016-5003

XML external entity (XXE) vulnerability in the Apache XML-RPC
(aka ws-xmlrpc) library 3.1.3, as used in Apache Archiva, allows remote
attackers to conduct server-side request forgery (SSRF) attacks via a
crafted DTD (CVE-2016-5002).

A flaw was discovered in the Apache XML-RPC (ws-xmlrpc) library that
deserializes untrusted data when enabledForExtensions setting is
enabled. A remote attacker could use this vulnerability to execute
arbitrary code via a crafted serialized Java object in a
 element (CVE-2016-5003).

References:
- https://bugs.mageia.org/show_bug.cgi?id=23105
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/5AEMJ2ZNFZVGVMACAZMQQCBOFBVUTNZA/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5002
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5003

SRPMS:
- 6/core/xmlrpc-3.1.3-70.1.mga6