Hi all,

I am looking for someone who is interested in uploading jackrabbit and
fixing #787316.

Packaging the latest upstream release was sufficient. We only build the
jackrabbit-webdav module which is needed for wagon2 but of course only
this module is affected by the vulnerability. I intend to prepare fixes
for Jessie and Wheezy too but I am unsure about the severity of this
issue. Any ideas how I can test/verify the patches in the wagon2 context?

https://anonscm.debian.org/cgit/pkg-java/jackrabbit.git


Changelog for unstable:

jackrabbit (2.10.1-1) unstable; urgency=high

  * Team upload.
  * Imported Upstream version 2.10.1.
    - Fix CVE-2015-1833 (Closes: #787316)
      When processing a WebDAV request body containing XML, the XML
      parser can be instructed to read content from network resources
      accessible to the host, identified by URI schemes such as
      "http(s)" or "file". Depending on the WebDAV request, this can
      not only be used to trigger internal network requests, but might
      also be used to insert said content into the request,
      potentially exposing it to the attacker and others.
  * Update watch file and track upstream's stable releases.
  * Update get-orig-source-target. Download the current version.
  * Drop orig-tar.sh script. We use upstream's tarballs now.
  * Repack the orig tarball. Change compression from zip to tar.xz.
  * Remove maven.publishedRules. It is not needed.
  * Use compat level 9 and require debhelper >= 9.
  * Declare compliance with Debian Policy 3.9.6.
  * Use canonical Vcs fields.
  * wrap-and-sort -sa.
  * Drop modules.diff because we disable all modules except webdav in
    libjackrabbit.poms already.
  * Fix Format field. Add myself to debian/ copyright holders.
  * Use Files-Excluded mechanism to remove binary files.
  * Fix lintian warnings dep5-copyright-license-name-not-unique
    and comma-separated-files-in-dep5-copyright.
  * Drop build-classpath and fix Lintian warning about missing
    classpath for dependencies.
  * Use maven-debian-helper and Maven as build system. Drop all ant
    build-dependencies.
  * Add libmaven-bundle-plugin-java to Build-Depends.
  * Add maven.properties file and drop build.properties.


Regards,

Markus
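As an added illustration (not code from jackrabbit or from this packaging work) of the entity-expansion behaviour the CVE-2015-1833 changelog entry describes, and of how a parser configuration can be checked without a running WebDAV server: this standalone Java probe feeds a constructed PROPFIND body declaring an external entity to a default JAXP DocumentBuilderFactory and to one hardened against external entities, and reports whether the parser rejected the body, tried to fetch the resource, or expanded it. Assumptions: a JDK with default JAXP settings, the standard Xerces/JAXP feature URIs, a placeholder file path, and no claim that the fixed jackrabbit-webdav uses exactly these settings.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class XxeProbe {
    // Constructed PROPFIND body (not a captured request): declares an external entity
    // that the parser would have to fetch. The file URI is a placeholder.
    static final String BODY =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE propfind [ <!ENTITY probe SYSTEM \"file:///tmp/xxe-probe-placeholder.txt\"> ]>\n"
      + "<D:propfind xmlns:D=\"DAV:\"><D:prop><D:displayname>&probe;</D:displayname>"
      + "</D:prop></D:propfind>";

    // Factory configured the way untrusted request bodies should be parsed: no DOCTYPE
    // at all, so neither external entities nor external DTDs can be reached.
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Classifies the parser's behaviour: REJECTED = parse error before any resource was
    // touched (desired); ATTEMPTED = parser tried to open the entity URI and hit an I/O
    // error (still vulnerable); EXPANDED = fetched content landed in the document.
    static String probe(DocumentBuilderFactory f) throws Exception {
        try {
            Document d = f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(BODY.getBytes(StandardCharsets.UTF_8)));
            return "EXPANDED: displayname='"
                + d.getElementsByTagName("D:displayname").item(0).getTextContent() + "'";
        } catch (SAXException e) {
            return "REJECTED: " + e.getMessage();
        } catch (IOException e) {
            return "ATTEMPTED: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default  -> " + probe(DocumentBuilderFactory.newInstance()));
        System.out.println("hardened -> " + probe(hardenedFactory()));
    }
}
```

Pointing the same probe at the parser a patched jackrabbit-webdav actually uses for request bodies gives a direct pass/fail check that does not depend on whether wagon2 ever sends a DOCTYPE.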
