[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[SECURITY] [DSA 3298-1] jackrabbit security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3298-1                   security@debian.org
https://www.debian.org/security/                          Markus Koschany
July 01, 2015                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : jackrabbit
CVE ID         : CVE-2015-1833

It was discovered that the Jackrabbit WebDAV bundle was susceptible to a
XXE/XEE attack. When processing a WebDAV request body containing XML,
the XML parser could be instructed to read content from network
resources accessible to the host, identified by URI schemes such as
"http(s)" or "file". Depending on the WebDAV request, this could not
only be used to trigger internal network requests, but might also be
used to insert said content into the request, potentially exposing it to
the attacker and others.

For the oldstable distribution (wheezy), this problem has been fixed
in version 2.3.6-1+deb7u1.

For the stable distribution (jessie), this problem has been fixed in
version 2.3.6-1+deb8u1.

For the testing distribution (stretch), this problem has been fixed
in version 2.10.1-1.

For the unstable distribution (sid), this problem has been fixed in
version 2.10.1-1.

We recommend that you upgrade your jackrabbit packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJVkxndAAoJEBDCk7bDfE42wL4P/iw/LPaPCIu7eAmEpo3gZE94
Ev+kR1XPP/2jG1w/GwiedYUaYMAC1EouGSaRDPFt2E7yipLBpxEZSFclG54utzzU
NoW5BwSjt1r9fwCvDNxFY4kuwFF61s95kCMV4lwKLDsNW+wTrWSZEw23NW4cyLfT
P6kPEQp2n12YdC3PjoQ8U0Iwo1d+Z6KFQclEy1ADZcIhsryRCHR1V+oEHPvOOo6S
fPHZDWfAeUdMtC8QVRU+KtQt2dyrJWW/i/lrsRACQZbrZdCEnwukRlrDoBqGNuGY
mfyou8TW/bnrn8/AraTyUC+jq6V5xN6lE4Velv/IIN7BUwvBWJmaPlGF92lnp3IA
K4k2zSJLc35AoxpGzdLWAsesgckrHm+sdp0N0RgqG34jcbdtb1leWMmxlQxO2o8Y
zSFrfk8hwM+r3R9WMhyWb3hCKzSrZQy5N9zi1rIUTRZKbtqTy3S7deJqmmYbqKVC
zC5gT+5b+nYpvEkyg/r3e1byNjQFyBb5KGjQ7feYWfvIcEswVFpC6g44UZpQ12uN
i+lFiR4EY8XdTTis6inr/j4K2b+vfy4iRXj5iQLZBLxNFKfDMJOFTo2+q10UQO4/
ZbyFnByHRepYIf74Lh2oAg2Da8nUecdU1Q//4vGH8yIaOMqHMpvJN/PM3q1DRLJt
W3aqLiUN9LCrWvUlFjpa
=8rkS
-----END PGP SIGNATURE-----


Reply to: