MGASA-2014-0547

Updated resteasy package fixes CVE-2014-3490

Publication date: 26 Dec 2014
Modification date: 26 Dec 2014
Type: security
Affected Mageia releases: 4
CVE: CVE-2014-3490

Description

Updated resteasy packages fix a security vulnerability:

It was found that the fix for CVE-2012-0818 was incomplete: external
parameter entities were not disabled when the
resteasy.document.expand.entity.references parameter was set to false.
A remote attacker able to send XML requests to a RESTEasy endpoint could
use this flaw to read files accessible to the user running the application
server, and potentially perform other more advanced XXE attacks
(CVE-2014-3490).
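As an added illustration (not part of this advisory and not RESTEasy's own code), the JAXP configuration below contrasts a parser that only turns off entity-reference expansion, the JAXP analogue of the parameter the advisory names (that mapping is an assumption), with one that also disables external parameter entities. The class, method names and the sample document are constructed for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.SAXException;

public class XxeHardening {
    // Constructed sample (not from the advisory): an internal DTD subset declaring and
    // referencing an external PARAMETER entity; the SYSTEM URI is a nonexistent placeholder.
    static final String PARAM_ENTITY_DOC =
        "<?xml version=\"1.0\"?>\n<!DOCTYPE data [\n"
      + "  <!ENTITY % ext SYSTEM \"file:///nonexistent/placeholder.dtd\">\n"
      + "  %ext;\n]>\n<data>hello</data>\n";

    // The incomplete configuration: entity references are not expanded into the DOM,
    // but the parser still resolves external parameter entities while reading the DTD.
    static DocumentBuilderFactory expandFalseOnly() {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setExpandEntityReferences(false);
        return f;
    }

    // Hardened: disable BOTH external general and external parameter entities plus external
    // DTD loading. (If DTDs are never needed, set disallow-doctype-decl to true instead.)
    static DocumentBuilderFactory noExternalEntities() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // "ignored": parsed without resolving the entity; "fetch-attempted": the parser tried
    // to open the external URI (nonexistent here, so IOException); "rejected": parser refused.
    static String probe(DocumentBuilderFactory f) throws Exception {
        try {
            f.newDocumentBuilder().parse(
                new ByteArrayInputStream(PARAM_ENTITY_DOC.getBytes(StandardCharsets.UTF_8)));
            return "ignored";
        } catch (IOException e) { return "fetch-attempted"; }
          catch (SAXException e) { return "rejected"; }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("expand=false only: " + probe(expandFalseOnly()));
        System.out.println("hardened:          " + probe(noExternalEntities()));
    }
}
```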

References

SRPMS

4/core