
Debian Bug report logs - #897009
uimaj: CVE-2017-15691: XML external entity expansion (XXE) attack exposure


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 27 Apr 2018 04:09:01 UTC

Severity: grave

Tags: security, upstream

Found in version uimaj/2.4.0-2

Fixed in version uimaj/2.10.2-1

Done: Emmanuel Bourg <ebourg@apache.org>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#897009; Package src:uimaj. (Fri, 27 Apr 2018 04:09:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Fri, 27 Apr 2018 04:09:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: uimaj: CVE-2017-15691: XML external entity expansion (XXE) attack exposure
Date: Fri, 27 Apr 2018 06:04:15 +0200
Source: uimaj
Version: 2.4.0-2
Severity: grave
Tags: security upstream

Hi,

The following vulnerability was published for uimaj, filing for now
with RC severity.

CVE-2017-15691[0]:
| In Apache uimaj prior to 2.10.2, Apache uimaj 3.0.0-xxx prior to
| 3.0.0-beta, Apache uima-as prior to 2.10.2, Apache uimaFIT prior to
| 2.4.0, Apache uimaDUCC prior to 2.2.2, this vulnerability relates to
| an XML external entity expansion (XXE) capability of various XML
| parsers. UIMA as part of its configuration and operation may read XML
| from various sources, which could be tainted in ways to cause
| inadvertent disclosure of local files or other internal content.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-15691
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15691
[1] https://uima.apache.org/security_report#CVE-2017-15691

Regards,
Salvatore
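The CVE text quoted above describes XXE through the XML parsers UIMA uses for its descriptors and configuration. As an added example, not code from uimaj or from this bug report, the following Java puts the default JAXP parser configuration beside a hardened one and checks, on a constructed descriptor-like document with a placeholder entity URI, whether the parser attempts to fetch an external entity at all. Class and method names are hypothetical.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.xml.XMLConstants;
import javax.xml.parsers.*;
import org.xml.sax.*;

public class XxeHardeningDemo {
    // Hardened factory: refuse any DOCTYPE, and as defence in depth also switch
    // off external entities, external DTD loading, XInclude and entity expansion.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }
    // Constructed sample: a descriptor-like document whose DOCTYPE declares an
    // external SYSTEM entity. The URI is a placeholder; nothing is read from disk.
    static final String TAINTED_XML =
          "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE descriptor [<!ENTITY ext SYSTEM \"file:///PLACEHOLDER/local-file\">]>\n"
        + "<descriptor><name>&ext;</name></descriptor>";
    // Returns the system IDs the parser tries to fetch while parsing xml (the resolver
    // returns empty content, so nothing is read); a rejected document yields "REJECTED: ...".
    static List<String> externalFetches(DocumentBuilderFactory f, String xml)
            throws ParserConfigurationException, IOException {
        List<String> fetched = new ArrayList<>();
        DocumentBuilder b = f.newDocumentBuilder();
        b.setEntityResolver((publicId, systemId) -> {
            fetched.add(systemId);
            return new InputSource(new StringReader(""));
        });
        try {
            b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        } catch (SAXException e) {
            fetched.add("REJECTED: " + e.getMessage());
        }
        return fetched;
    }
    public static void main(String[] args) throws Exception {
        System.out.println("default:  " + externalFetches(DocumentBuilderFactory.newInstance(), TAINTED_XML));
        System.out.println("hardened: " + externalFetches(hardenedFactory(), TAINTED_XML));
    }
}
```

With the default factory the list contains the placeholder URI, showing the parser would have fetched it; with the hardened factory parsing stops at the DOCTYPE before any entity is resolved.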



Reply sent to Emmanuel Bourg <ebourg@apache.org>:
You have taken responsibility. (Tue, 30 Oct 2018 10:09:09 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 30 Oct 2018 10:09:09 GMT)


Message #10 received at 897009-close@bugs.debian.org:

From: Emmanuel Bourg <ebourg@apache.org>
To: 897009-close@bugs.debian.org
Subject: Bug#897009: fixed in uimaj 2.10.2-1
Date: Tue, 30 Oct 2018 10:06:29 +0000
Source: uimaj
Source-Version: 2.10.2-1

We believe that the bug you reported is fixed in the latest version of
uimaj, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 897009@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg <ebourg@apache.org> (supplier of updated uimaj package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 30 Oct 2018 10:43:18 +0100
Source: uimaj
Binary: libuima-core-java libuima-vinci-java libuima-adapter-soap-java libuima-adapter-vinci-java libuima-cpe-java libuima-document-annotation-java libuima-tools-java uima-utils uima-examples uima-doc
Architecture: source
Version: 2.10.2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebourg@apache.org>
Description:
 libuima-adapter-soap-java - Library to provide SOAP web services within UIMA
 libuima-adapter-vinci-java - Library to provide Vinci web services within UIMA
 libuima-core-java - Core library for the UIMA framework
 libuima-cpe-java - Library for the UIMA Collection Processing Engine
 libuima-document-annotation-java - Library for the UIMA document annotation
 libuima-tools-java - UIMA library for the UIMA tools
 libuima-vinci-java - Library to handle Vinci web service protocol
 uima-doc   - Documentation for the Apache UIMA framework
 uima-examples - Examples of UIMA components
 uima-utils - UIMA tools
Closes: 897009 912268
Changes:
 uimaj (2.10.2-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream release
     - Refreshed the patches
     - Fixes CVE-2017-15691: XML external entity expansion (XXE) attack exposure
       (Closes: #897009)
   * Fixed the build failure with Java 11 (Closes: #912268)
   * Standards-Version updated to 4.2.1
   * Use salsa.debian.org Vcs-* URLs
   * Removed the debian/orig-tar.sh script







Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:44:13 2019; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.