Bug 652981

Summary:	libnodeupdown-backend-ganglia contains an embedded copy of expat, prone to CVE-2009-3720
Product:	[Fedora] Fedora	Reporter:	Silvio Cesare <silvio.cesare>
Component:	whatsup	Assignee:	Ruben Kerkhof <ruben>
Status:	CLOSED ERRATA	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	medium	Docs Contact:
Priority:	low
Version:	13	CC:	security-response-team, silvio.cesare
Target Milestone:	---	Keywords:	Security
Target Release:	---
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:	whatsup-1.12-2.fc15	Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2011-03-16 04:04:02 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Silvio Cesare 2010-11-13 23:02:20 UTC

Description of problem:

This library contains an old embedded version of the expat xml parsing library. Code inspection shows this embedded copy is vulnerable to CVE-2009-3720 and possibly other issues.

Version-Release number of selected component (if applicable):

Name: libnodeupdown-backend-ganglia
Version: 1.9
Release: 5.fc13

Additional info:

The cve https://bugzilla.redhat.com/show_bug.cgi?id=531697

Ideally, the best solution is to link in the system expat library and not use
the embedded copy. This would help prevent these types of security issues from
reoccuring.

I have marked this issue as a security issue due to the fact that a CVE was
assigned to expat. I have not investigated how this vulnerability would be
triggered.

Comment 1 Tomas Hoger 2011-03-01 14:55:10 UTC

Removing security restriction, the issue is public.

Comment 2 Fedora Update System 2011-03-07 13:51:05 UTC

whatsup-1.12-1.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/whatsup-1.12-1.fc14

Comment 3 Fedora Update System 2011-03-07 14:10:41 UTC

whatsup-1.12-1.fc13 has been submitted as an update for Fedora 13.
https://admin.fedoraproject.org/updates/whatsup-1.12-1.fc13

Comment 4 Fedora Update System 2011-03-10 18:38:24 UTC

whatsup-1.12-2.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/whatsup-1.12-2.fc15

Comment 5 Fedora Update System 2011-03-15 21:52:43 UTC

whatsup-1.12-1.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2011-03-15 21:53:26 UTC

whatsup-1.12-1.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2011-03-16 04:03:53 UTC

whatsup-1.12-2.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.