1. Forum
  2. Usenet
  3. LINUX.DEBIAN.ANNOUNCE.SEC

  • [SECURITY] [DSA 3298-1] jackrabbit security update

    From Moritz Muehlenhoff@1:229/2 to All on Wed Jul 1 00:40:01 2015
    From: [email protected]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    - ------------------------------------------------------------------------- Debian Security Advisory DSA-3298-1 [email protected] https://www.debian.org/security/ Markus Koschany
    July 01, 2015 https://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package : jackrabbit
    CVE ID : CVE-2015-1833

    It was discovered that the Jackrabbit WebDAV bundle was susceptible to a XXE/XEE attack. When processing a WebDAV request body containing XML,
    the XML parser could be instructed to read content from network
    resources accessible to the host, identified by URI schemes such as
    "http(s)" or "file". Depending on the WebDAV request, this could not
    only be used to trigger internal network requests, but might also be
    used to insert said content into the request, potentially exposing it to
    the attacker and others.

    For the oldstable distribution (wheezy), this problem has been fixed
    in version 2.3.6-1+deb7u1.

    For the stable distribution (jessie), this problem has been fixed in
    version 2.3.6-1+deb8u1.

    For the testing distribution (stretch), this problem has been fixed
    in version 2.10.1-1.

    For the unstable distribution (sid), this problem has been fixed in
    version 2.10.1-1.

    We recommend that you upgrade your jackrabbit packages.

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    Mailing list: [email protected]
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1

    iQIcBAEBAgAGBQJVkxndAAoJEBDCk7bDfE42wL4P/iw/LPaPCIu7eAmEpo3gZE94 Ev+kR1XPP/2jG1w/GwiedYUaYMAC1EouGSaRDPFt2E7yipLBpxEZSFclG54utzzU NoW5BwSjt1r9fwCvDNxFY4kuwFF61s95kCMV4lwKLDsNW+wTrWSZEw23NW4cyLfT P6kPEQp2n12YdC3PjoQ8U0Iwo1d+Z6KFQclEy1ADZcIhsryRCHR1V+oEHPvOOo6S fPHZDWfAeUdMtC8QVRU+KtQt2dyrJWW/i/lrsRACQZbrZdCEnwukRlrDoBqGNuGY mfyou8TW/bnrn8/AraTyUC+jq6V5xN6lE4Velv/IIN7BUwvBWJmaPlGF92lnp3IA K4k2zSJLc35AoxpGzdLWAsesgckrHm+sdp0N0RgqG34jcbdtb1leWMmxlQxO2o8Y zSFrfk8hwM+r3R9WMhyWb3hCKzSrZQy5N9zi1rIUTRZKbtqTy3S7deJqmmYbqKVC zC5gT+5b+nYpvEkyg/r3e1byNjQFyBb5KGjQ7feYWfvIcEswVFpC6g44UZpQ12uN i+lFiR4EY8XdTTis6inr/j4K2b+vfy4iRXj5iQLZBLxNFKfDMJOFTo2+q10UQO4/ ZbyFnByHRepYIf74Lh2oAg2Da8nUecdU1Q//4vGH8yIaOMqHMpvJN/PM3q1DRLJt W3aqLiUN9LCrWvUlFjpa
    =8rkS
    -----END PGP SIGNATURE-----


    --
    To UNSUBSCRIBE, email to [email protected]
    with a subject of "unsubscribe". Trouble? Contact [email protected] Archive: https://lists.debian.org/[email protected]

    --- SoupGate-Win32 v1.05
    * Origin: you cannot sedate... all the things you hate (1:229/2)