
Debian Bug report logs - #731113
lucene-solr: CVE-2013-6397 CVE-2013-6407 CVE-2013-6408

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Mon, 2 Dec 2013 09:06:02 UTC

Severity: grave

Tags: security

Fixed in version lucene-solr/3.6.2+dfsg-2

Done: James Page <james.page@ubuntu.com>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#731113; Package lucene-solr. (Mon, 02 Dec 2013 09:06:06 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Mon, 02 Dec 2013 09:06:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: lucene-solr: CVE-2013-6397 CVE-2013-6407 CVE-2013-6408
Date: Mon, 02 Dec 2013 09:56:04 +0100
Package: lucene-solr
Severity: grave
Tags: security
Justification: user security hole

CVE-2013-6397:
https://issues.apache.org/jira/browse/SOLR-4882

CVE-2013-6407:
https://issues.apache.org/jira/browse/SOLR-3895

CVE-2013-6408:
https://issues.apache.org/jira/browse/SOLR-4881

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#731113; Package lucene-solr. (Wed, 11 Dec 2013 12:12:04 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Wed, 11 Dec 2013 12:12:05 GMT)


Message #10 received at 731113@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: 731113@bugs.debian.org
Subject: Re: lucene-solr: CVE-2013-6397 CVE-2013-6407 CVE-2013-6408
Date: Wed, 11 Dec 2013 13:00:42 +0100
On Mon, Dec 02, 2013 at 09:56:04AM +0100, Moritz Muehlenhoff wrote:

> CVE-2013-6407:
> https://issues.apache.org/jira/browse/SOLR-3895

An additional CVE ID has been assigned to this issue: CVE-2012-6612
 
Cheers,
       Moritz



Reply sent to James Page <james.page@ubuntu.com>:
You have taken responsibility. (Sun, 15 Dec 2013 09:21:05 GMT)


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Sun, 15 Dec 2013 09:21:05 GMT)


Message #15 received at 731113-close@bugs.debian.org:

From: James Page <james.page@ubuntu.com>
To: 731113-close@bugs.debian.org
Subject: Bug#731113: fixed in lucene-solr 3.6.2+dfsg-2
Date: Sun, 15 Dec 2013 09:19:21 +0000
Source: lucene-solr
Source-Version: 3.6.2+dfsg-2

We believe that the bug you reported is fixed in the latest version of
lucene-solr, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 731113@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James Page <james.page@ubuntu.com> (supplier of updated lucene-solr package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 14 Dec 2013 22:07:54 +0000
Source: lucene-solr
Binary: liblucene3-java liblucene3-contrib-java liblucene3-java-doc libsolr-java solr-common solr-tomcat solr-jetty
Architecture: source all
Version: 3.6.2+dfsg-2
Distribution: unstable
Urgency: low
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: James Page <james.page@ubuntu.com>
Description: 
 liblucene3-contrib-java - Full-text search engine library for Java - additional libraries
 liblucene3-java - Full-text search engine library for Java - core library
 liblucene3-java-doc - Documentation for Lucene
 libsolr-java - Enterprise search server based on Lucene - Java libraries
 solr-common - Enterprise search server based on Lucene3 - common files
 solr-jetty - Enterprise search server based on Lucene3 - Jetty integration
 solr-tomcat - Enterprise search server based on Lucene3 - Tomcat integration
Closes: 731113
Changes: 
 lucene-solr (3.6.2+dfsg-2) unstable; urgency=low
 .
   * Fixes for new security vulnerabilities (Closes: #731113):
     - debian/patches/CVE-2013-6397.patch:
       Fix DocumentAnalysisRequestHandler to correctly use
       EmptyEntityResolver to prevent loading of external entities like
       UpdateRequestHandler does.
       CVE-2013-6397
     - debian/patches/CVE-2013-6407_CVE-2013-6408.patch:
       XML and XSLT UpdateRequestHandler should not try to
       resolve external entities. This improves speed of loading e.g.
       XSL-transformed XHTML documents.
       CVE-2013-6407
       Fix XML parsing in XPathEntityProcessor to correctly
       expand named entities, but ignore external entities.
       CVE-2013-6408
Checksums-Sha1: 
 3bb97aa2ab9029ed82caded871708caf966494d4 3136 lucene-solr_3.6.2+dfsg-2.dsc
 9af68d38d1da28e47551390e8a2bf0f4d23fb765 53822 lucene-solr_3.6.2+dfsg-2.debian.tar.gz
 4de2ca66d7df2dbfaff08f7290332c42540371e8 1502040 liblucene3-java_3.6.2+dfsg-2_all.deb
 b79d64a050ee003bd02b3964c3e94e788f96f84f 10895818 liblucene3-contrib-java_3.6.2+dfsg-2_all.deb
 2c8ae68faa8302b3f61c7b9b5b1ff011af0ea545 4777008 liblucene3-java-doc_3.6.2+dfsg-2_all.deb
 384080dbd2370518958e26232dc12519ee4511d5 1964328 libsolr-java_3.6.2+dfsg-2_all.deb
 9aec0726d29d8b68af6b8cca2632cc028e7f757f 143552 solr-common_3.6.2+dfsg-2_all.deb
 b3a7ce1968cbbbc5d240fae497b95bc2de3b4ce1 8090 solr-tomcat_3.6.2+dfsg-2_all.deb
 d7263beceead47070d6b7c8a4ac62bc03ea49c37 7690 solr-jetty_3.6.2+dfsg-2_all.deb
Checksums-Sha256: 
 993bc404a1670b9785c98456f9fa11067646a9f1b7514c60ad957054884b7d17 3136 lucene-solr_3.6.2+dfsg-2.dsc
 18e876daca284a21608bd35cd05de4578459ba6c5da37529ec3e812ad608cc0e 53822 lucene-solr_3.6.2+dfsg-2.debian.tar.gz
 f17ff81bbed55fbba2ba6bb07c964233528d7c577a5c3a25861526c7023cf7ab 1502040 liblucene3-java_3.6.2+dfsg-2_all.deb
 cb9562ec8034d1537eac81d8e78db928e73d9e5c2d64f3774bd23b326a5b89e7 10895818 liblucene3-contrib-java_3.6.2+dfsg-2_all.deb
 8169fc4b5450963dc84c9bf4264bb38866f4eae0967e757fdc198b1464478fef 4777008 liblucene3-java-doc_3.6.2+dfsg-2_all.deb
 fc792a1edd451752a4474df48219a46af9305184d394a1f0707614c36d09550a 1964328 libsolr-java_3.6.2+dfsg-2_all.deb
 efd01741e7c69f2f2db8eed398d3c8729607d66d4b69b977f28b8a0f3d3c4733 143552 solr-common_3.6.2+dfsg-2_all.deb
 aa52a316ff4089834051d50103d89eec842a4bfc7f2f6aa4358c5cc2c30d8fcf 8090 solr-tomcat_3.6.2+dfsg-2_all.deb
 4cdfa3cb4fc333c0dfd7ef494937aec9b73d2af1aaec85a8c13ad771a22036cb 7690 solr-jetty_3.6.2+dfsg-2_all.deb
Files: 
 ccd3e0c50405d05d32b6797a2ea0bf2d 3136 java optional lucene-solr_3.6.2+dfsg-2.dsc
 ede0c32704012aef3a7b5d4867e4589f 53822 java optional lucene-solr_3.6.2+dfsg-2.debian.tar.gz
 67f00843d3411ccac75a644a86f56d71 1502040 java optional liblucene3-java_3.6.2+dfsg-2_all.deb
 909e980896c1be36dcef01b3da43d29b 10895818 java optional liblucene3-contrib-java_3.6.2+dfsg-2_all.deb
 96e73a79c67653e211ad0937b13b4a46 4777008 doc optional liblucene3-java-doc_3.6.2+dfsg-2_all.deb
 ed03727afb5f451331433f8d7c3ba57f 1964328 java optional libsolr-java_3.6.2+dfsg-2_all.deb
 795f96a3b210e8b6aea2a1d870f33122 143552 java optional solr-common_3.6.2+dfsg-2_all.deb
 8f278760e615aa55219ace165979142d 8090 java optional solr-tomcat_3.6.2+dfsg-2_all.deb
 fd8efb225e74ac047e21ee7510cd5327 7690 java optional solr-jetty_3.6.2+dfsg-2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)

iQIcBAEBCAAGBQJSrW7XAAoJEL/srsug59jD27AP/3fANcRYN6lzQ9lllqIxIoFr
tM9UFbqvRmyfWShJn4tLUxFmfHdpY6uFXbKdFLwcBaYCEPp1i6ZDoj95ofpzKfHZ
bf5W/oqcwlPdMxK5sXjKp7pZccb5mwbJ6MoeDWzfJ1OoZXYqEqJ+5ixI8kNnELlS
3VPTlZrpWzY//aDuZjNfnKVK+3+PrQRRBWMb4Q5UiNvFYWmdw05NX20wV2Qq+30q
UL16BDoX6FYzRdHF3hog28r/c/jenRulqn+tew0KqStPLDhbpzdayN2HCYFH+k+M
+gVnP1rst6it8Tg4sPLrIhZPkIEAO/cj0mTGEBeu3lTzHmqdFQLZuINvOOham+rt
cbyKUp1OU/phpI/yEuCMqVVVCQM/geAIp28RnJBPBOV+9M40RiacBW19cL+VzWeY
cIUSSdpzENsGsAENO7lUnjCTLcJsOLIshCpRcb4kjyCQW8IRrJWawTSsoMGAxDnF
hy7bxx8sGEm/8kJvmw8YEzXTvdDYU2IN1vBseVuZK0aH/WCglh7t4L1Uv9txihHD
Bf+2MsQFAGOPl5EJB0uc0zoK+l78Z9NK4/UCCzwyWN+5ekQurOrHxkuWY7WEjrC9
iuGYnI/gzojbOrbXSrxVSP2fnArqMAQm4vyK40IHV9ME2nMRwkcxwMCehN56azTt
1ddPAHepGXZBbhojK2LJ
=O1WS
-----END PGP SIGNATURE-----
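The three CVEs closed by this upload share one root cause: Solr's XML-consuming handlers (DocumentAnalysisRequestHandler, the XML/XSLT UpdateRequestHandler, and the DataImportHandler's XPathEntityProcessor) let the parser resolve external entities in attacker-supplied documents, so a DOCTYPE with a SYSTEM entity could pull a local file into indexed content. The changelog describes the fix strategy: keep expanding internal named entities, but answer every external lookup with an empty body (Solr's EmptyEntityResolver). The following is an added example, not Solr's or Debian's code, that reproduces the leak against a JDK SAX parser with default settings and shows the hardened configuration side by side. The class, method and entity names, the temp file standing in for a sensitive path, and the `<add><doc><field>` payload are all constructed for illustration.

```java
import java.io.IOException;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.Attributes;
import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

/**
 * Added example (hypothetical names, not Solr code): an XML update document
 * parsed once with JDK defaults (external entity is fetched) and once with a
 * hardened parser that still expands internal entities but never fetches
 * external ones.
 */
public class XxeHardening {

    /** Answers every external-entity lookup with empty content, like Solr's EmptyEntityResolver. */
    static final EntityResolver EMPTY_ENTITY_RESOLVER =
        (publicId, systemId) -> new InputSource(new StringReader(""));

    /** Constructed attacker input: a harmless internal entity plus a SYSTEM entity naming a local file. */
    static String constructedUpdateXml(String secretFileUri) {
        return "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE add [\n"
            + "  <!ENTITY vendor \"Acme\">\n"
            + "  <!ENTITY xxe SYSTEM \"" + secretFileUri + "\">\n"
            + "]>\n"
            + "<add><doc><field name=\"title\">&vendor; &xxe;</field></doc></add>";
    }

    /** Collects the text inside <field> elements and delegates entity lookups to a resolver. */
    static final class FieldTextHandler extends DefaultHandler {
        private final EntityResolver resolver;   // null = parser default behaviour (unsafe)
        private final StringBuilder text = new StringBuilder();
        private boolean inField;

        FieldTextHandler(EntityResolver resolver) { this.resolver = resolver; }

        @Override public void startElement(String uri, String local, String qName, Attributes a) {
            if ("field".equals(qName)) inField = true;
        }
        @Override public void endElement(String uri, String local, String qName) {
            if ("field".equals(qName)) inField = false;
        }
        @Override public void characters(char[] ch, int start, int len) {
            if (inField) text.append(ch, start, len);
        }
        @Override public InputSource resolveEntity(String publicId, String systemId)
                throws IOException, SAXException {
            return resolver == null ? null : resolver.resolveEntity(publicId, systemId);
        }
        String fieldText() { return text.toString(); }
    }

    /** Parser with JDK defaults: follows SYSTEM entities, including file: URIs. */
    static SAXParser defaultParser() throws Exception {
        return SAXParserFactory.newInstance().newSAXParser();
    }

    /** Parser that never loads external general/parameter entities or external DTDs. */
    static SAXParser hardenedParser() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return f.newSAXParser();
    }

    /** Parses xml with the given parser/resolver pair and returns the <field> text. */
    static String parseFieldText(SAXParser parser, EntityResolver resolver, String xml)
            throws Exception {
        FieldTextHandler h = new FieldTextHandler(resolver);
        parser.parse(new InputSource(new StringReader(xml)), h);
        return h.fieldText();
    }

    public static void main(String[] args) throws Exception {
        // Stand-in for a sensitive local file: a temp file with known content.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.write(secret, "SECRET".getBytes(StandardCharsets.UTF_8));
        String xml = constructedUpdateXml(secret.toUri().toString());

        String leaked = parseFieldText(defaultParser(), null, xml);
        String safe = parseFieldText(hardenedParser(), EMPTY_ENTITY_RESOLVER, xml);
        System.out.println("default  parser field text: " + leaked);
        System.out.println("hardened parser field text: " + safe);
        Files.deleteIfExists(secret);
    }
}
```

Run it with `java XxeHardening.java` (JDK 11 or later). The default parser inlines the temp file's content into the field text; the hardened parser keeps `&vendor;` expanded to `Acme` and drops `&xxe;` to nothing. Both the SAX features and the empty resolver are set on purpose: the features stop the fetch on Xerces-based parsers, and the resolver is the fallback for any parser that still consults it, which is the belt-and-braces approach the changelog entry describes for the three handlers.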




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 14 Jul 2014 07:26:05 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:24:50 2019; Machine Name: beach
