Advisories » MGASA-2013-0292

Updated openjpa packages fix CVE-2013-1768

Publication date: 05 Oct 2013
Modification date: 05 Oct 2013
Type: security
Affected Mageia releases : 2 , 3
CVE: CVE-2013-1768

Description

Updated openjpa packages fix security vulnerability:

The BrokerFactory functionality in Apache OpenJPA before 2.2.2 creates
local executable JSP files containing logging trace data produced during
deserialization of certain crafted OpenJPA objects, which makes it easier
for remote attackers to execute arbitrary code by creating a serialized
object and leveraging improperly secured server programs (CVE-2013-1768).
                

References

• https://lists.fedoraproject.org/pipermail/package-announce/2013-July/112029.html
• https://bugs.mageia.org/show_bug.cgi?id=10817
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1768

SRPMS

3/core

• openjpa-2.2.0-3.1.mga3

2/core

• openjpa-2.0.0-1.1.mga2