Bug 1070731 - (CVE-2017-7957) VUL-0: CVE-2017-7957: xstream: Denial of Service when unmarshalling void.
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P2 - High
Severity: Normal
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/184598/
Whiteboard: CVSSv3:RedHat:CVE-2017-7957:5.9:(AV:N...
Reported: 2017-12-01 08:47 UTC by Michael Calmer
Modified: 2022-08-01 14:58 UTC
Attachments
patch for this bug (5.22 KB, patch), 2017-12-01 08:49 UTC, Michael Calmer

Description Michael Calmer 2017-12-01 08:47:53 UTC
On the upstream spacewalk mailing list there is a discussion about CVE-2017-7957
in the package xstream.
We also have this package in SUSE Manager, and this security bug is not yet fixed.
A patch is available (will attach it).

Affected:
SUSE Manager 3.1 and 3.0 (and Head)
Comment 2 Michael Calmer 2017-12-01 08:49:45 UTC
Created attachment 750959 [details]
patch for this bug

(from the Fedora package)
Comment 7 Swamp Workflow Management 2017-12-20 20:08:22 UTC
SUSE-SU-2017:3389-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1070731
CVE References: CVE-2017-7957
Sources used:
SUSE Manager Server 3.0 (src):    xstream-1.4.9-4.3.1
Comment 8 Swamp Workflow Management 2017-12-20 20:08:49 UTC
SUSE-SU-2017:3390-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1070731
CVE References: CVE-2017-7957
Sources used:
SUSE Manager Server 3.1 (src):    xstream-1.4.9-3.3.1
Comment 10 Marcus Meissner 2018-01-02 16:57:22 UTC
released
Comment 11 Swamp Workflow Management 2019-04-24 15:44:15 UTC
SUSE-SU-2019:1006-1: An update that solves one vulnerability and has 24 fixes is now available.

Category: security (moderate)
Bug References: 1070731,1109316,1120242,1121195,1122230,1122381,1122837,1124290,1125600,1125744,1126075,1126099,1126518,1127542,1128228,1128724,1128781,1129765,1129851,1129956,1130658,1131490,1131677,1131721,1132579
CVE References: CVE-2017-7957
Sources used:
SUSE Manager Server 3.2 (src):    apache-commons-lang3-3.4-3.3.3, cobbler-2.6.6-6.16.3, drools-7.17.0-3.3.3, guava-27.0.1-3.3.3, jade4j-1.0.7-3.3.3, kie-api-7.17.0-3.3.3, kie-soup-7.17.0.Final-2.3.3, optaplanner-7.17.0-3.3.3, py26-compat-salt-2016.11.10-6.21.3, reprepro-5.3.0-2.3.3, smdba-1.6.4-0.3.9.3, spacecmd-2.8.25.10-3.20.3, spacewalk-admin-2.8.4.4-3.6.3, spacewalk-backend-2.8.57.14-3.25.3, spacewalk-branding-2.8.5.15-3.19.3, spacewalk-certs-tools-2.8.8.7-3.6.3, spacewalk-java-2.8.78.21-3.29.1, spacewalk-web-2.8.7.15-3.24.3, subscription-matcher-0.23-4.12.3, susemanager-3.2.17-3.22.4, susemanager-schema-3.2.18-3.22.3, susemanager-sls-3.2.23-3.26.3, susemanager-sync-data-3.2.14-3.20.3, xstream-1.4.10-4.3.3
SUSE Manager Proxy 3.2 (src):    spacewalk-backend-2.8.57.14-3.25.3, spacewalk-certs-tools-2.8.8.7-3.6.3, spacewalk-web-2.8.7.15-3.24.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.