lucene-solr: CVE-2017-3163

Related Vulnerabilities: CVE-2017-3163, CVE-2017-12629

Debian Bug report logs - #867712


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 8 Jul 2017 20:51:01 UTC

Severity: important

Tags: security, upstream

Found in version lucene-solr/3.6.2+dfsg-5

Fixed in version lucene-solr/3.6.2+dfsg-11

Done: Markus Koschany <apo@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://issues.apache.org/jira/browse/SOLR-10031




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#867712; Package src:lucene-solr. (Sat, 08 Jul 2017 20:51:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sat, 08 Jul 2017 20:51:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: lucene-solr: CVE-2017-3163
Date: Sat, 08 Jul 2017 22:43:04 +0200
Source: lucene-solr
Version: 3.6.2+dfsg-5
Severity: important
Tags: security upstream
Forwarded: https://issues.apache.org/jira/browse/SOLR-10031

Hi,

the following vulnerability was published for lucene-solr.

CVE-2017-3163[0]:
No description was found (try on a search engine)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-3163
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3163
[1] https://issues.apache.org/jira/browse/SOLR-10031

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

p.s.: Out of interest, though I do not know the background: is there a
      reason lucene-solr in Debian was never updated to the newer 4.x, 5.x,
      6.x versions?



Reply sent to Markus Koschany <apo@debian.org>:
You have taken responsibility. (Sun, 14 Jan 2018 15:09:08 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 14 Jan 2018 15:09:08 GMT)


Message #10 received at 867712-close@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: 867712-close@bugs.debian.org
Subject: Bug#867712: fixed in lucene-solr 3.6.2+dfsg-11
Date: Sun, 14 Jan 2018 15:05:30 +0000
Source: lucene-solr
Source-Version: 3.6.2+dfsg-11

We believe that the bug you reported is fixed in the latest version of
lucene-solr, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 867712@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <apo@debian.org> (supplier of updated lucene-solr package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 14 Jan 2018 14:32:32 +0100
Source: lucene-solr
Binary: liblucene3-java liblucene3-contrib-java liblucene3-java-doc libsolr-java solr-common solr-tomcat solr-jetty
Architecture: source
Version: 3.6.2+dfsg-11
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 liblucene3-contrib-java - Full-text search engine library for Java - additional libraries
 liblucene3-java - Full-text search engine library for Java - core library
 liblucene3-java-doc - Documentation for Lucene
 libsolr-java - Enterprise search server based on Lucene - Java libraries
 solr-common - Enterprise search server based on Lucene3 - common files
 solr-jetty - Enterprise search server based on Lucene3 - Jetty integration
 solr-tomcat - Enterprise search server based on Lucene3 - Tomcat integration
Closes: 867712
Changes:
 lucene-solr (3.6.2+dfsg-11) unstable; urgency=medium
 .
   * Team upload.
   * Switch to compat level 11.
   * Declare compliance with Debian Policy 4.1.3.
   * Fix CVE-2017-12629: possible remote code execution by exploiting XXE. For
     security reasons the RunExecutableListener class was permanently removed.
   * Fix CVE-2017-3163: path traversal vulnerability. (Closes: #867712)
Checksums-Sha1:
 12dca481fffa95ab04b6f39ee8275e7f8cb281a4 3380 lucene-solr_3.6.2+dfsg-11.dsc
 71eb042fc1c9bb6cd57e91c3834cfceb5399d88d 51624 lucene-solr_3.6.2+dfsg-11.debian.tar.xz
 2713a150ca8856ee927918ef8c36c2a137a3ebfa 14997 lucene-solr_3.6.2+dfsg-11_amd64.buildinfo
Checksums-Sha256:
 1633a7b8e969e87984198c9acf3f37c98f6b0935e01ab3fbee56f20c70b44060 3380 lucene-solr_3.6.2+dfsg-11.dsc
 0191cc435265bbc1da522f5e273367e7992ed838338f7fa6722f5e211be40022 51624 lucene-solr_3.6.2+dfsg-11.debian.tar.xz
 cfe96258c20c7e1b5f174cf836a3c1a0071d68139a545670529e062d4dd9604b 14997 lucene-solr_3.6.2+dfsg-11_amd64.buildinfo
Files:
 a4e40a8c102363aebf7043ba7d84fe2e 3380 java optional lucene-solr_3.6.2+dfsg-11.dsc
 2539bbb9c0c790b07436ad1180c41ea9 51624 java optional lucene-solr_3.6.2+dfsg-11.debian.tar.xz
 19a1337d202c37a907aecb5d4a4c2e85 14997 java optional lucene-solr_3.6.2+dfsg-11_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQKjBAEBCgCNFiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAlpbaOxfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQPHGFwb0BkZWJp
YW4ub3JnAAoJENmtFLlRO1HkIVIP/A2PoeymkiYXBRLvwWI+CJr/rLDankrCGMLs
n8yDBvOeXjLgY4Hm0EUp/xlHaCBDy+/L+ZUaO1MrCm+hsSZgxwIQ9DSMiCQpNgx4
jwuSCpEy4D6rnrdl5enTQiUqZnWwn+tepobAtdmvAslph84yXIWGGpPRr4xR2oKw
Sw+DEFeY6UKFrW1R1WjMEczqKYOrnm/gRoHjW+qIjz9000T5BBLrWHNgwergnYzM
BapTTOMkAXbNidEmDsqRSU5F6nWPqJcJsZBUByv/mx/AyvrUu5md8qEma1SbTq90
ldFV9it400ghXt+y0nGbYD9qlirpqUzlSNJuOkQGTWx0V/VA0wp0q1U2ADgK0KUU
VHXiDuBRgtNlX4nm0r5Pe2PvD7r5R+Wfnpo0ePAxZ9qu0tuP/rCbOIGILXRUnm6O
sewebDyZACSxZFUG3Jp2cP6L1uxfyPq3v+Y1j5UGG+v07t1G0NUSWtzJKb+NcYiB
Js/FY6odCsvtvo1oncfLAXK5cZxJ5phWnN3D0sR2IhOgyCkf4v7dtT4rhqSSsSIu
MWn0litvBHSoHaXO/F3vFI+IoFnG0930xIntPpgH45dpgz8FxpJBiJkvdZUDRi4P
UmZlOImyAub9VTt9qqRwuqO86+s7IFzJbSr4Iv7SCbVTENqc1vL2ZoNG4Rv3/V0o
rfWanFJJ
=AfrP
-----END PGP SIGNATURE-----
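The changelog above names two vulnerability classes, an XXE-driven remote code execution (CVE-2017-12629) and a path traversal (CVE-2017-3163), without showing the corresponding defensive checks. The following Java class is an added illustration written for this page; it is not Solr's code, not the Debian patch, and does not reproduce either fix. The class and method names (`HardeningChecks`, `hardenedBuilder`, `resolveInside`), the sample documents and the base directory `/srv/search/conf` are all constructed for the example. It shows the two standard mitigations: an XML parser configured to refuse any DOCTYPE (so no entity, internal or external, can be declared) and a file-name resolver that confines caller-supplied names to a fixed directory.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.nio.file.Paths;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

// Added illustration (hypothetical class, not Solr's code or the Debian fix):
// the defensive checks matching the two vulnerability classes in the changelog.
public class HardeningChecks {

    // XXE defence: forbid DOCTYPE outright, so no entity can be declared at all,
    // and switch off the remaining external-resource features as belt and braces.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    static Document parse(String xml) throws Exception {
        return hardenedBuilder().parse(
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    // Path-traversal defence: resolve the caller-supplied name against a fixed base
    // directory, normalise away "." and ".." segments, and require that the result
    // is still inside that directory (Path.startsWith compares whole components,
    // so "/srv/search/conf2" does not pass as being inside "/srv/search/conf").
    static Path resolveInside(Path baseDir, String requested) {
        Path base = baseDir.toAbsolutePath().normalize();
        Path target = base.resolve(requested).normalize();
        if (!target.startsWith(base)) {
            throw new IllegalArgumentException(
                    "refusing path outside " + base + ": " + requested);
        }
        return target;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample documents: a plain one, and one carrying a DOCTYPE with
        // a harmless internal entity; the hardened parser rejects the DOCTYPE itself.
        String plain = "<config><str name=\"x\">ok</str></config>";
        String withDoctype = "<!DOCTYPE c [<!ENTITY e \"expanded\">]><config>&e;</config>";
        System.out.println("plain root: " + parse(plain).getDocumentElement().getTagName());
        try {
            parse(withDoctype);
            System.out.println("UNEXPECTED: DOCTYPE was accepted");
        } catch (SAXException e) {
            System.out.println("rejected DOCTYPE: " + e.getMessage());
        }

        // Constructed base directory (an assumption, not a real Solr layout).
        Path base = Paths.get("/srv/search/conf");
        System.out.println("inside: " + resolveInside(base, "schema.xml"));
        for (String bad : new String[] {"../outside.txt", "/tmp/elsewhere.txt"}) {
            try {
                resolveInside(base, bad);
                System.out.println("UNEXPECTED: accepted " + bad);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Refusing the DOCTYPE is preferred over merely disabling external entities because it also stops entity-expansion denial of service and leaves nothing for a later configuration change to re-enable by accident. For the path check, normalising before comparing matters: comparing the raw string against the base prefix would let `..` segments through, and an absolute input must be rejected rather than silently re-rooted.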




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 17 Feb 2018 07:25:25 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:25:14 2019; Machine Name: buxtehude
