Your message dated Sun, 05 Jul 2015 18:47:54 +0000
with message-id <e1zboxg-00079w...@franck.debian.org>
and subject line Bug#787316: fixed in jackrabbit 2.3.6-1+deb7u1
has caused the Debian Bug report #787316,
regarding CVE-2015-1833
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
787316: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=787316
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: jackrabbit
Severity: grave
Tags: security

Hi,
please see https://issues.apache.org/jira/browse/JCR-3883

Cheers,
        Moritz

--- End Message ---
--- Begin Message ---
Source: jackrabbit
Source-Version: 2.3.6-1+deb7u1

We believe that the bug you reported is fixed in the latest version of
jackrabbit, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 787...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <a...@gambaru.de> (supplier of updated jackrabbit package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 25 Jun 2015 18:52:02 +0200
Source: jackrabbit
Binary: libjackrabbit-java
Architecture: source all
Version: 2.3.6-1+deb7u1
Distribution: wheezy-security
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Markus Koschany <a...@gambaru.de>
Description: 
 libjackrabbit-java - content repository implementation (JCR API)
Closes: 787316
Changes: 
 jackrabbit (2.3.6-1+deb7u1) wheezy-security; urgency=medium
 .
   * Team upload.
   * Add CVE-2015-1833.patch.
     Fix XXE/XEE vulnerability of the Jackrabbit WebDAV bundle.
     When processing a WebDAV request body containing XML, the XML parser can be
     instructed to read content from network resources accessible to the host,
     identified by URI schemes such as "http(s)" or "file". Depending on the
     WebDAV request, this can not only be used to trigger internal network
     requests, but might also be used to insert said content into the request,
     potentially exposing it to the attacker and others. (Closes: #787316)


--- End Message ---
