• Bug#1109335: jackrabbit: CVE-2025-53689

    From Moritz Mühlenhoff@21:1/5 to All on Tue Jul 15 14:40:01 2025
    Package: jackrabbit
    X-Debbugs-CC: [email protected]
    Severity: grave
    Tags: security

    Hi,

    The following vulnerability was published for jackrabbit.

    CVE-2025-53689[0]:
    | Blind XXE Vulnerabilities in jackrabbit-spi-commons and jackrabbit-
    | core in Apache Jackrabbit < 2.23.2 due to usage of an unsecured
    | document build to load privileges. Users are recommended to upgrade
    | to versions 2.20.17 (Java 8), 2.22.1 (Java 11) or 2.23.2 (Java 11,
    | beta versions), which fix this issue. Earlier versions (up to
    | 2.20.16) are not supported anymore, thus users should update to the
    | respective supported version.

    It's not clear to me if the subset of functionality shipped in the
    Debian package is affected by this, needs further investigation:

    https://lists.apache.org/thread/5pf9n76ny13pzzk765og2h3gxdxw7p24


    If you fix the vulnerability please also make sure to include the
    CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

    For further information see:

    [0] https://security-tracker.debian.org/tracker/CVE-2025-53689
    https://www.cve.org/CVERecord?id=CVE-2025-53689

    Please adjust the affected versions in the BTS as needed.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Bastian Germann@21:1/5 to All on Wed Jul 23 11:20:01 2025
    Control: tags -1 patch

    I am uploading an NMU to fix this.
    The debdiff is attached.

    diff -Nru jackrabbit-2.20.11/debian/changelog jackrabbit-2.20.11/debian/changelog
    --- jackrabbit-2.20.11/debian/changelog 2023-07-29 15:08:48.000000000 +0200
    +++ jackrabbit-2.20.11/debian/changelog 2025-07-23 10:05:30.000000000 +0200
    @@ -1,3 +1,10 @@
    +jackrabbit (2.20.11-1.1) unstable; urgency=medium
    +
    + * Non-maintainer upload.
    + * Fix CVE-2025-53689 via upstream patch. (Closes: #1109335)
    +
    + -- Bastian Germann <[email protected]> Wed, 23 Jul 2025 10:05:30 +0200
    +
    jackrabbit (2.20.11-1) unstable; urgency=medium

    * Team upload.
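    Review bot: the entry "Fix CVE-2025-53689 via upstream patch. (Closes: #1109335)" should identify which upstream change is backported, since the patch header further down shows it is commit 8ea2349234b181bf790cad58bfd91fd2763e64a9 for JCR-5165 rather than a dedicated CVE fix, and should state whether the modules the advisory names (jackrabbit-spi-commons and jackrabbit-core) are actually built by the Debian package, which the original report left open; something like `  * Fix CVE-2025-53689 (blind XXE when loading privileges) by backporting upstream commit 8ea2349 (JCR-5165). (Closes: #1109335)` gives the security tracker what it needs.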
    diff -Nru jackrabbit-2.20.11/debian/patches/CVE-2025-53689.patch jackrabbit-2.20.11/debian/patches/CVE-2025-53689.patch
    --- jackrabbit-2.20.11/debian/patches/CVE-2025-53689.patch 1970-01-01 01:00:00.000000000 +0100
    +++ jackrabbit-2.20.11/debian/patches/CVE-2025-53689.patch 2025-07-23 10:05:30.000000000 +0200
    @@ -0,0 +1,147 @@
    +Origin: upstream, 8ea2349234b181bf790cad58bfd91fd2763e64a9
    +From: Julian Reschke <[email protected]>
    +Date: Thu, 10 Jul 2025 18:04:34 +0200
    +Subject: JCR-5165: various parsing improvements/consistency (#263)
    +
    +---
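    Review bot: the DEP-3 header of CVE-2025-53689.patch carries Origin:, From:, Date: and Subject: but no Bug-Debian: line for #1109335 and no Description: saying how a commit titled "various parsing improvements/consistency (#263)" addresses the CVE (the unsecured document builder used to load privileges, per the advisory); add `Bug-Debian: https://bugs.debian.org/1109335` and a one-line Description to the header. The diff body after the `---` separator is not included in this message, so whether the 147-line upstream change applies cleanly to 2.20.11, or carries unrelated parsing changes along with the fix, cannot be reviewed from what is shown here.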