Debian Bug report logs -
#867712
lucene-solr: CVE-2017-3163
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
:
Bug#867712
; Package src:lucene-solr
.
(Sat, 08 Jul 2017 20:51:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>
:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
.
(Sat, 08 Jul 2017 20:51:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: lucene-solr
Version: 3.6.2+dfsg-5
Severity: important
Tags: security upstream
Forwarded: https://issues.apache.org/jira/browse/SOLR-10031
Hi,
the following vulnerability was published for lucene-solr.
CVE-2017-3163[0]:
No description was found (try on a search engine)
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-3163
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3163
[1] https://issues.apache.org/jira/browse/SOLR-10031
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
p.s.: Out of interest, but I do not know the background, is there a
reason in Debian lucene-solr never was updated to newer 4.x, 5,x,
6.x versions?
Reply sent
to Markus Koschany <apo@debian.org>
:
You have taken responsibility.
(Sun, 14 Jan 2018 15:09:08 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>
:
Bug acknowledged by developer.
(Sun, 14 Jan 2018 15:09:08 GMT) (full text, mbox, link).
Message #10 received at 867712-close@bugs.debian.org (full text, mbox, reply):
Source: lucene-solr
Source-Version: 3.6.2+dfsg-11
We believe that the bug you reported is fixed in the latest version of
lucene-solr, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 867712@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Markus Koschany <apo@debian.org> (supplier of updated lucene-solr package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 14 Jan 2018 14:32:32 +0100
Source: lucene-solr
Binary: liblucene3-java liblucene3-contrib-java liblucene3-java-doc libsolr-java solr-common solr-tomcat solr-jetty
Architecture: source
Version: 3.6.2+dfsg-11
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
liblucene3-contrib-java - Full-text search engine library for Java - additional libraries
liblucene3-java - Full-text search engine library for Java - core library
liblucene3-java-doc - Documentation for Lucene
libsolr-java - Enterprise search server based on Lucene - Java libraries
solr-common - Enterprise search server based on Lucene3 - common files
solr-jetty - Enterprise search server based on Lucene3 - Jetty integration
solr-tomcat - Enterprise search server based on Lucene3 - Tomcat integration
Closes: 867712
Changes:
lucene-solr (3.6.2+dfsg-11) unstable; urgency=medium
.
* Team upload.
* Switch to compat level 11.
* Declare compliance with Debian Policy 4.1.3.
* Fix CVE-2017-12629: possible remote code execution by exploiting XXE. For
security reasons the RunExecutableListener class was permanently removed.
* Fix CVE-2017-3163: path traversal vulnerability. (Closes: #867712)
Checksums-Sha1:
12dca481fffa95ab04b6f39ee8275e7f8cb281a4 3380 lucene-solr_3.6.2+dfsg-11.dsc
71eb042fc1c9bb6cd57e91c3834cfceb5399d88d 51624 lucene-solr_3.6.2+dfsg-11.debian.tar.xz
2713a150ca8856ee927918ef8c36c2a137a3ebfa 14997 lucene-solr_3.6.2+dfsg-11_amd64.buildinfo
Checksums-Sha256:
1633a7b8e969e87984198c9acf3f37c98f6b0935e01ab3fbee56f20c70b44060 3380 lucene-solr_3.6.2+dfsg-11.dsc
0191cc435265bbc1da522f5e273367e7992ed838338f7fa6722f5e211be40022 51624 lucene-solr_3.6.2+dfsg-11.debian.tar.xz
cfe96258c20c7e1b5f174cf836a3c1a0071d68139a545670529e062d4dd9604b 14997 lucene-solr_3.6.2+dfsg-11_amd64.buildinfo
Files:
a4e40a8c102363aebf7043ba7d84fe2e 3380 java optional lucene-solr_3.6.2+dfsg-11.dsc
2539bbb9c0c790b07436ad1180c41ea9 51624 java optional lucene-solr_3.6.2+dfsg-11.debian.tar.xz
19a1337d202c37a907aecb5d4a4c2e85 14997 java optional lucene-solr_3.6.2+dfsg-11_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQKjBAEBCgCNFiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAlpbaOxfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQPHGFwb0BkZWJp
YW4ub3JnAAoJENmtFLlRO1HkIVIP/A2PoeymkiYXBRLvwWI+CJr/rLDankrCGMLs
n8yDBvOeXjLgY4Hm0EUp/xlHaCBDy+/L+ZUaO1MrCm+hsSZgxwIQ9DSMiCQpNgx4
jwuSCpEy4D6rnrdl5enTQiUqZnWwn+tepobAtdmvAslph84yXIWGGpPRr4xR2oKw
Sw+DEFeY6UKFrW1R1WjMEczqKYOrnm/gRoHjW+qIjz9000T5BBLrWHNgwergnYzM
BapTTOMkAXbNidEmDsqRSU5F6nWPqJcJsZBUByv/mx/AyvrUu5md8qEma1SbTq90
ldFV9it400ghXt+y0nGbYD9qlirpqUzlSNJuOkQGTWx0V/VA0wp0q1U2ADgK0KUU
VHXiDuBRgtNlX4nm0r5Pe2PvD7r5R+Wfnpo0ePAxZ9qu0tuP/rCbOIGILXRUnm6O
sewebDyZACSxZFUG3Jp2cP6L1uxfyPq3v+Y1j5UGG+v07t1G0NUSWtzJKb+NcYiB
Js/FY6odCsvtvo1oncfLAXK5cZxJ5phWnN3D0sR2IhOgyCkf4v7dtT4rhqSSsSIu
MWn0litvBHSoHaXO/F3vFI+IoFnG0930xIntPpgH45dpgz8FxpJBiJkvdZUDRi4P
UmZlOImyAub9VTt9qqRwuqO86+s7IFzJbSr4Iv7SCbVTENqc1vL2ZoNG4Rv3/V0o
rfWanFJJ
=AfrP
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org
.
(Sat, 17 Feb 2018 07:25:25 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 19:25:14 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.