Advisories ยป MGASA-2019-0002

Updated xmlrpc packages fix security vulnerabilities

Publication date: 05 Jan 2019
Modification date: 05 Jan 2019
Type: security
Affected Mageia releases : 6
CVE: CVE-2016-5002 , CVE-2016-5003

Description

XML external entity (XXE) vulnerability in the Apache XML-RPC
(aka ws-xmlrpc) library 3.1.3, as used in Apache Archiva, allows remote
attackers to conduct server-side request forgery (SSRF) attacks via a
crafted DTD (CVE-2016-5002).

A flaw was discovered in the Apache XML-RPC (ws-xmlrpc) library that
deserializes untrusted data when enabledForExtensions setting is
enabled. A remote attacker could use this vulnerability to execute
arbitrary code via a crafted serialized Java object in a
<ex:serializable> element (CVE-2016-5003).

References

SRPMS

6/core