Debian Bug report logs - #787316
CVE-2015-1833

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Sun, 31 May 2015 10:09:01 UTC

Owned by: Markus Koschany <apo@gambaru.de>

Severity: grave

Tags: fixed-upstream, security, upstream

Found in version jackrabbit/2.3.6-1

Fixed in versions jackrabbit/2.10.1-1, jackrabbit/2.3.6-1+deb8u1, jackrabbit/2.3.6-1+deb7u1

Done: Markus Koschany <apo@gambaru.de>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#787316; Package src:jackrabbit. (Sun, 31 May 2015 10:09:06 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sun, 31 May 2015 10:09:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2015-1833
Date: Sun, 31 May 2015 12:06:29 +0200
Source: jackrabbit
Severity: grave
Tags: security

Hi,
please see https://issues.apache.org/jira/browse/JCR-3883

Cheers,
        Moritz



Marked as found in versions jackrabbit/2.3.6-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 31 May 2015 18:06:11 GMT)


Added tag(s) upstream and fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 31 May 2015 18:09:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#787316; Package src:jackrabbit. (Sat, 20 Jun 2015 19:45:03 GMT)


Acknowledgement sent to Markus Koschany <apo@gambaru.de>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sat, 20 Jun 2015 19:45:03 GMT)


Message #14 received at 787316@bugs.debian.org:

From: Markus Koschany <apo@gambaru.de>
To: 787316@bugs.debian.org
Subject: Re: CVE-2015-1833
Date: Sat, 20 Jun 2015 21:42:37 +0200
Control: owner -1 !

On Sun, 31 May 2015 12:06:29 +0200 Moritz Muehlenhoff <jmm@debian.org>
wrote:
> Source: jackrabbit
> Severity: grave
> Tags: security
> 
> Hi,
> please see https://issues.apache.org/jira/browse/JCR-3883
> 

I will take care of this.

Markus

Owner recorded as Markus Koschany <apo@gambaru.de>. Request was from Markus Koschany <apo@gambaru.de> to 787316-submit@bugs.debian.org. (Sat, 20 Jun 2015 19:45:04 GMT)


Reply sent to Markus Koschany <apo@gambaru.de>:
You have taken responsibility. (Mon, 22 Jun 2015 06:09:07 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Mon, 22 Jun 2015 06:09:07 GMT)


Message #21 received at 787316-close@bugs.debian.org:

From: Markus Koschany <apo@gambaru.de>
To: 787316-close@bugs.debian.org
Subject: Bug#787316: fixed in jackrabbit 2.10.1-1
Date: Mon, 22 Jun 2015 06:05:34 +0000
Source: jackrabbit
Source-Version: 2.10.1-1

We believe that the bug you reported is fixed in the latest version of
jackrabbit, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 787316@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <apo@gambaru.de> (supplier of updated jackrabbit package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 21 Jun 2015 18:35:47 +0200
Source: jackrabbit
Binary: libjackrabbit-java
Architecture: source all
Version: 2.10.1-1
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@gambaru.de>
Description:
 libjackrabbit-java - content repository implementation (JCR API)
Closes: 787316
Changes:
 jackrabbit (2.10.1-1) unstable; urgency=high
 .
   * Team upload.
   * Imported Upstream version 2.10.1.
     - Fix CVE-2015-1833 (Closes: #787316)
       When processing a WebDAV request body containing XML, the XML parser can
       be instructed to read content from network resources accessible to the
       host, identified by URI schemes such as "http(s)" or "file". Depending on
       the WebDAV request, this can not only be used to trigger internal network
       requests, but might also be used to insert said content into the request,
       potentially exposing it to the attacker and others.
   * Update watch file and track upstream's stable releases.
   * Update get-orig-source-target. Download the current version.
   * Drop orig-tar.sh script. We use upstream's tarballs now.
   * Repack the orig tarball. Change compression from zip to tar.xz.
   * Remove maven.publishedRules. It is not needed.
   * Use compat level 9 and require debhelper >= 9.
   * Declare compliance with Debian Policy 3.9.6.
   * Use canonical Vcs fields.
   * wrap-and-sort -sa.
   * Drop modules.diff because we disable all modules except webdav in
     libjackrabbit.poms already.
   * Fix Format field. Add myself to debian/ copyright holders.
   * Use Files-Excluded mechanism to remove binary files.
   * Fix lintian warnings dep5-copyright-license-name-not-unique
     and comma-separated-files-in-dep5-copyright.
   * Drop build-classpath and fix Lintian warning about missing classpath for
     dependencies.
   * Use maven-debian-helper and Maven as build system. Drop all ant
     build-dependencies.
   * Add libmaven-bundle-plugin-java to Build-Depends.
   * Add maven.properties file and drop build.properties.
   * Drop maven.cleanIgnoreRules. It is unused.



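The changelog above describes the XXE/XEE class of bug: a WebDAV request body that carries a DOCTYPE can steer the XML parser to http(s) or file URIs. As an added example (not Jackrabbit's code and not the CVE-2015-1833 patch), the following configures a JAXP DocumentBuilderFactory so that DOCTYPE declarations, external entities and external DTD/schema access are refused before a WebDAV body such as PROPFIND is parsed; it assumes the JDK's built-in parser, and the class name, method names and sample bodies are constructed for illustration.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public final class HardenedWebDavXml {
    /** A factory that cannot be steered to http(s)/file resources by the request body (assumes JDK built-in Xerces). */
    public static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true); // WebDAV bodies use the DAV: namespace
        // Reject any DOCTYPE: WebDAV bodies never need one, and it is where entities are declared.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth should a DOCTYPE ever be allowed: no external entities, no external DTD.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        // JAXP 1.5 properties: an empty protocol list means no external DTD or schema access at all.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f;
    }

    /** Parses a request body; throws SAXException if the body carries a DOCTYPE. */
    public static Document parseRequestBody(String body)
            throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilder db = hardenedFactory().newDocumentBuilder();
        // Last line of defence: whatever is referenced, resolve every external entity to empty content.
        db.setEntityResolver((publicId, systemId) -> new InputSource(new StringReader("")));
        return db.parse(new InputSource(new StringReader(body)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample bodies, not captured traffic.
        String propfind = "<?xml version=\"1.0\"?><D:propfind xmlns:D=\"DAV:\"><D:allprop/></D:propfind>";
        String withDoctype = "<?xml version=\"1.0\"?><!DOCTYPE propfind><D:propfind xmlns:D=\"DAV:\"><D:allprop/></D:propfind>";
        System.out.println("accepted: " + parseRequestBody(propfind).getDocumentElement().getLocalName());
        try {
            parseRequestBody(withDoctype);
        } catch (SAXException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Dropping the DOCTYPE outright is the cheapest check for a WebDAV endpoint; the remaining settings matter for parsers elsewhere in a service that must accept a DTD.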


Reply sent to Markus Koschany <apo@gambaru.de>:
You have taken responsibility. (Sat, 04 Jul 2015 18:18:13 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Sat, 04 Jul 2015 18:18:13 GMT)


Message #26 received at 787316-close@bugs.debian.org:

From: Markus Koschany <apo@gambaru.de>
To: 787316-close@bugs.debian.org
Subject: Bug#787316: fixed in jackrabbit 2.3.6-1+deb8u1
Date: Sat, 04 Jul 2015 18:17:05 +0000
Source: jackrabbit
Source-Version: 2.3.6-1+deb8u1

We believe that the bug you reported is fixed in the latest version of
jackrabbit, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 787316@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <apo@gambaru.de> (supplier of updated jackrabbit package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 25 Jun 2015 18:47:39 +0200
Source: jackrabbit
Binary: libjackrabbit-java
Architecture: source all
Version: 2.3.6-1+deb8u1
Distribution: jessie-security
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@gambaru.de>
Description:
 libjackrabbit-java - content repository implementation (JCR API)
Closes: 787316
Changes:
 jackrabbit (2.3.6-1+deb8u1) jessie-security; urgency=medium
 .
   * Team upload.
   * Add CVE-2015-1833.patch.
     Fix XXE/XEE vulnerability of the Jackrabbit WebDAV bundle.
     When processing a WebDAV request body containing XML, the XML parser can be
     instructed to read content from network resources accessible to the host,
     identified by URI schemes such as "http(s)" or "file". Depending on the
     WebDAV request, this can not only be used to trigger internal network
     requests, but might also be used to insert said content into the request,
     potentially exposing it to the attacker and others. (Closes: #787316)





Reply sent to Markus Koschany <apo@gambaru.de>:
You have taken responsibility. (Sun, 05 Jul 2015 18:51:09 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Sun, 05 Jul 2015 18:51:09 GMT)


Message #31 received at 787316-close@bugs.debian.org:

From: Markus Koschany <apo@gambaru.de>
To: 787316-close@bugs.debian.org
Subject: Bug#787316: fixed in jackrabbit 2.3.6-1+deb7u1
Date: Sun, 05 Jul 2015 18:47:54 +0000
Source: jackrabbit
Source-Version: 2.3.6-1+deb7u1

We believe that the bug you reported is fixed in the latest version of
jackrabbit, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 787316@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <apo@gambaru.de> (supplier of updated jackrabbit package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 25 Jun 2015 18:52:02 +0200
Source: jackrabbit
Binary: libjackrabbit-java
Architecture: source all
Version: 2.3.6-1+deb7u1
Distribution: wheezy-security
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@gambaru.de>
Description:
 libjackrabbit-java - content repository implementation (JCR API)
Closes: 787316
Changes:
 jackrabbit (2.3.6-1+deb7u1) wheezy-security; urgency=medium
 .
   * Team upload.
   * Add CVE-2015-1833.patch.
     Fix XXE/XEE vulnerability of the Jackrabbit WebDAV bundle.
     When processing a WebDAV request body containing XML, the XML parser can be
     instructed to read content from network resources accessible to the host,
     identified by URI schemes such as "http(s)" or "file". Depending on the
     WebDAV request, this can not only be used to trigger internal network
     requests, but might also be used to insert said content into the request,
     potentially exposing it to the attacker and others. (Closes: #787316)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 06 Sep 2015 07:28:15 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:18:08 2019; Machine Name: beach
