
Re: jackrabbit CVE-2015-1833



On Thu, Jun 25, 2015 at 07:31:27PM +0200, Markus Koschany wrote:
> On 22.06.2015 at 07:58, tony wrote:
> > On Sun, Jun 21, 2015 at 09:29:26PM +0200, Markus Koschany wrote:
> >> Hi all,
> >>
> >> I am looking for someone who is interested in uploading jackrabbit and
> >> fixing #787316.
> >>
> >> Packaging the latest upstream release was sufficient. We only build the
> >> jackrabbit-webdav module which is needed for wagon2 but of course only
> >> this module is affected by the vulnerability. I intend to prepare fixes
> >> for Jessie and Wheezy too but I am unsure about the severity of this
> >> issue. Any ideas how I can test/verify the patches in the wagon2 context?
> >>
> >> https://anonscm.debian.org/cgit/pkg-java/jackrabbit.git
> >
> > Hi Markus,
> >
> > Thank you for the update.  I have uploaded it to unstable.  Please let
> > me know if need follow-on updates for wagon2 or related.
>
>
> Hi tony, hello security team
>
> I have prepared two debdiffs to fix CVE-2015-1833. The patch was
> directly taken from upstream [1], only minor rebasing was necessary. The
> patch is accompanied by a test case and I can confirm that the test runs
> successfully. If you agree, I would ask tony for an upload to
> jessie-security and wheezy-security.

Thanks, please upload to security-master. However, since the versions in
wheezy and jessie have the same tarball, please build jessie-security with "-sa",
upload to security-master and then upload a wheezy-security build w/o
"-sa". (That's due to bugs in dak on security master)

Cheers,
        Moritz

