Zum Inhalt springen.
Sympa Menü

it-securitynotifies - [IT-SecNots] [SECURITY] [DSA 3298-1] jackrabbit security update

it-securitynotifies AT lists.piratenpartei.de

Betreff: Sicherheitsankündigungen

Listenarchiv

[IT-SecNots] [SECURITY] [DSA 3298-1] jackrabbit security update


Chronologisch Thread 
  • From: Moritz Muehlenhoff <jmm AT debian.org>
  • To: debian-security-announce AT lists.debian.org
  • Subject: [IT-SecNots] [SECURITY] [DSA 3298-1] jackrabbit security update
  • Date: Wed, 1 Jul 2015 00:38:40 +0200
  • List-archive: <https://service.piratenpartei.de/pipermail/it-securitynotifies>
  • List-id: Sicherheitsankündigungen <it-securitynotifies.lists.piratenpartei.de>
  • Old-return-path: <jmm AT inutil.org>
  • Priority: urgent
  • Resent-date: Tue, 30 Jun 2015 22:38:58 +0000 (UTC)
  • Resent-from: debian-security-announce AT lists.debian.org
  • Resent-message-id: <LoNc8gkDAiI.A.w9G.CqxkVB@bendel>
  • Resent-sender: debian-security-announce-request AT lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3298-1 security AT debian.org
https://www.debian.org/security/ Markus Koschany
July 01, 2015 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : jackrabbit
CVE ID : CVE-2015-1833

It was discovered that the Jackrabbit WebDAV bundle was susceptible to a
XXE/XEE attack. When processing a WebDAV request body containing XML,
the XML parser could be instructed to read content from network
resources accessible to the host, identified by URI schemes such as
"http(s)" or "file". Depending on the WebDAV request, this could not
only be used to trigger internal network requests, but might also be
used to insert said content into the request, potentially exposing it to
the attacker and others.

For the oldstable distribution (wheezy), this problem has been fixed
in version 2.3.6-1+deb7u1.

For the stable distribution (jessie), this problem has been fixed in
version 2.3.6-1+deb8u1.

For the testing distribution (stretch), this problem has been fixed
in version 2.10.1-1.

For the unstable distribution (sid), this problem has been fixed in
version 2.10.1-1.

We recommend that you upgrade your jackrabbit packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce AT lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJVkxndAAoJEBDCk7bDfE42wL4P/iw/LPaPCIu7eAmEpo3gZE94
Ev+kR1XPP/2jG1w/GwiedYUaYMAC1EouGSaRDPFt2E7yipLBpxEZSFclG54utzzU
NoW5BwSjt1r9fwCvDNxFY4kuwFF61s95kCMV4lwKLDsNW+wTrWSZEw23NW4cyLfT
P6kPEQp2n12YdC3PjoQ8U0Iwo1d+Z6KFQclEy1ADZcIhsryRCHR1V+oEHPvOOo6S
fPHZDWfAeUdMtC8QVRU+KtQt2dyrJWW/i/lrsRACQZbrZdCEnwukRlrDoBqGNuGY
mfyou8TW/bnrn8/AraTyUC+jq6V5xN6lE4Velv/IIN7BUwvBWJmaPlGF92lnp3IA
K4k2zSJLc35AoxpGzdLWAsesgckrHm+sdp0N0RgqG34jcbdtb1leWMmxlQxO2o8Y
zSFrfk8hwM+r3R9WMhyWb3hCKzSrZQy5N9zi1rIUTRZKbtqTy3S7deJqmmYbqKVC
zC5gT+5b+nYpvEkyg/r3e1byNjQFyBb5KGjQ7feYWfvIcEswVFpC6g44UZpQ12uN
i+lFiR4EY8XdTTis6inr/j4K2b+vfy4iRXj5iQLZBLxNFKfDMJOFTo2+q10UQO4/
ZbyFnByHRepYIf74Lh2oAg2Da8nUecdU1Q//4vGH8yIaOMqHMpvJN/PM3q1DRLJt
W3aqLiUN9LCrWvUlFjpa
=8rkS
-----END PGP SIGNATURE-----


--
To UNSUBSCRIBE, email to debian-security-announce-REQUEST AT lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster AT lists.debian.org
Archive: https://lists.debian.org/20150630223840.GA1327 AT pisco.westfalen.local




  • [IT-SecNots] [SECURITY] [DSA 3298-1] jackrabbit security update, Moritz Muehlenhoff, 01.07.2015

Archiv bereitgestellt durch MHonArc 2.6.19.

Seitenanfang