
Debian Bug report logs - #838204
jackrabbit: CVE-2016-6801: CSRF in Jackrabbit-Webdav using empty content-type


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 18 Sep 2016 12:45:06 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in version jackrabbit/2.3.6-1

Fixed in versions jackrabbit/2.3.6-1+deb8u2, jackrabbit/2.3.6-1+deb7u2, jackrabbit/2.12.4-1

Done: Markus Koschany <apo@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#838204; Package src:jackrabbit. (Sun, 18 Sep 2016 12:45:09 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sun, 18 Sep 2016 12:45:10 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: jackrabbit: CVE-2016-6801: CSRF in Jackrabbit-Webdav using empty content-type
Date: Sun, 18 Sep 2016 14:43:47 +0200
Source: jackrabbit
Version: 2.3.6-1
Severity: important
Tags: security upstream fixed-upstream

Hi,

the following vulnerability was published for jackrabbit.

CVE-2016-6801[0]:
CSRF in Jackrabbit-Webdav using empty content-type

For the 2.12.x branch this has been fixed upstream in 2.12.3, cf. [1], and
there are patches for older branches as well.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-6801
[1] https://marc.info/?l=oss-security&m=147386022804406&w=2

Regards,
Salvatore



Reply sent to Markus Koschany <apo@debian.org>:
You have taken responsibility. (Sun, 18 Sep 2016 16:39:23 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 18 Sep 2016 16:39:23 GMT)


Message #10 received at 838204-close@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: 838204-close@bugs.debian.org
Subject: Bug#838204: fixed in jackrabbit 2.12.4-1
Date: Sun, 18 Sep 2016 16:38:22 +0000
Source: jackrabbit
Source-Version: 2.12.4-1

We believe that the bug you reported is fixed in the latest version of
jackrabbit, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 838204@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <apo@debian.org> (supplier of updated jackrabbit package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 18 Sep 2016 00:14:03 +0200
Source: jackrabbit
Binary: libjackrabbit-java
Architecture: source
Version: 2.12.4-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 libjackrabbit-java - content repository implementation (JCR API)
Closes: 838204
Changes:
 jackrabbit (2.12.4-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream version 2.12.4.
     - Fixes CVE-2016-6801. (Closes: #838204)
   * Use compat level 10.
   * Rebase patches to servlet-api.patch.
   * d/rules: Remove obsolete export for ANT_ARGS.
Checksums-Sha1:
 535a2386b140808ef3b8956209636b1df90f937c 2253 jackrabbit_2.12.4-1.dsc
 21a7137e0f3b1e8d855ab4e7f7a4f825fd3b0211 3395824 jackrabbit_2.12.4.orig.tar.xz
 88d2dca107a4a92baf363cf94e2432fce731ad1c 7200 jackrabbit_2.12.4-1.debian.tar.xz
Checksums-Sha256:
 6e34f96093fb4eaf8ebc6fc985002526cf41b0ac6f8d3216c0752b590a27130d 2253 jackrabbit_2.12.4-1.dsc
 a0ad05a8c62523985b124c0b4021a07c76057278b97b980e2236d9fe4becce85 3395824 jackrabbit_2.12.4.orig.tar.xz
 8a488d488ecda96f5c8d0aed570505e94a9b30f302ad3c12125e0b182c46220c 7200 jackrabbit_2.12.4-1.debian.tar.xz
Files:
 fd5c3f2fea7836d6f259fbb55d05770f 2253 java optional jackrabbit_2.12.4-1.dsc
 d037100dd0638db50cdd521c6a057233 3395824 java optional jackrabbit_2.12.4.orig.tar.xz
 abc94e486ac73e7755faeeebbad45ded 7200 java optional jackrabbit_2.12.4-1.debian.tar.xz

Marked as fixed in versions jackrabbit/2.3.6-1+deb7u2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 18 Sep 2016 17:33:07 GMT)


Marked as fixed in versions jackrabbit/2.3.6-1+deb8u2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 03 Oct 2016 08:21:02 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 01 Nov 2016 07:24:50 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:18:21 2019; Machine Name: beach
