Your message dated Tue, 01 May 2018 22:35:37 +0000
with message-id <e1fdds1-0008sg...@fasolo.debian.org>
and subject line Bug#896604: fixed in lucene-solr 3.6.2+dfsg-12
has caused the Debian Bug report #896604,
regarding lucene-solr: CVE-2018-1308 XXE in DataImportHandler
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
896604: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=896604
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: lucene-solr
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for lucene-solr.

CVE-2018-1308[0]:
| This vulnerability in Apache Solr 1.2 to 6.6.2 and 7.0.0 to 7.2.1
| relates to an XML external entity expansion (XXE) in the
| `&dataConfig=<inlinexml>` parameter of Solr's DataImportHandler. It
| can be used as XXE using file/ftp/http protocols in order to read
| arbitrary local files from the Solr server or the internal network.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-1308
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1308

Please adjust the affected versions in the BTS as needed.

Regards,

Markus
--- End Message ---
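A log triage check for the parameter named in the CVE description above, added here as an example; it is not part of the bug report or of the Debian or Solr fix. The access-log format, the `/dataimport` handler path, the core name and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Request target in a combined-format access log line (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
# DTD declarations; an inline DataImportHandler config does not need them.
DTD_DECL = re.compile(r"<!\s*(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)
# External identifier using one of the schemes named in the CVE description.
EXTERNAL_ID = re.compile(
    r"\b(?:SYSTEM|PUBLIC)\b[^>]*?[\"'](?:file|ftp|https?):", re.IGNORECASE)

# Constructed sample lines; hosts, core name and handler path are made up.
SAMPLE_LOG = [
    '192.0.2.10 - - [02/May/2018:10:00:00 +0000] '
    '"GET /solr/core1/select?q=*:*&wt=json HTTP/1.1" 200 512',
    '192.0.2.10 - - [02/May/2018:10:00:05 +0000] '
    '"GET /solr/core1/dataimport?dataConfig=%3CdataConfig%2F%3E HTTP/1.1" 200 90',
    '198.51.100.7 - - [02/May/2018:10:01:00 +0000] '
    '"GET /solr/core1/dataimport?dataConfig=%3C!DOCTYPE%20c%20%5B%3C!ENTITY'
    '%20e%20SYSTEM%20%22file%3A%2F%2F%2FPLACEHOLDER%22%3E%5D%3E'
    '%3CdataConfig%2F%3E HTTP/1.1" 200 90',
]


def classify(line):
    """Return None when the line has no dataConfig parameter, else a verdict."""
    match = REQUEST.search(line)
    if not match:
        return None
    target = urlsplit(match.group(1))
    values = parse_qs(target.query, keep_blank_values=True).get("dataConfig")
    if values is None:
        return None
    xml = "\n".join(values)  # parse_qs has already percent-decoded once
    if EXTERNAL_ID.search(xml):
        return "external-entity"
    if DTD_DECL.search(xml):
        return "dtd-declaration"
    return "inline-config"


def triage(lines):
    """Map 1-based line numbers to verdicts for every dataConfig request."""
    verdicts = {}
    for number, line in enumerate(lines, start=1):
        verdict = classify(line)
        if verdict is not None:
            verdicts[number] = verdict
    return verdicts


if __name__ == "__main__":
    for number, verdict in triage(SAMPLE_LOG).items():
        print(number, verdict)
```

Requests that carry `dataConfig` in a POST body do not appear in an access log, so this check covers query-string use only.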
--- Begin Message ---
Source: lucene-solr
Source-Version: 3.6.2+dfsg-12

We believe that the bug you reported is fixed in the latest version of
lucene-solr, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 896...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <a...@debian.org> (supplier of updated lucene-solr package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 01 May 2018 23:35:41 +0200
Source: lucene-solr
Binary: liblucene3-java liblucene3-contrib-java liblucene3-java-doc libsolr-java solr-common solr-tomcat solr-jetty
Architecture: source
Version: 3.6.2+dfsg-12
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Markus Koschany <a...@debian.org>
Description:
 liblucene3-contrib-java - Full-text search engine library for Java - additional libraries
 liblucene3-java - Full-text search engine library for Java - core library
 liblucene3-java-doc - Documentation for Lucene
 libsolr-java - Enterprise search server based on Lucene - Java libraries
 solr-common - Enterprise search server based on Lucene3 - common files
 solr-jetty - Enterprise search server based on Lucene3 - Jetty integration
 solr-tomcat - Enterprise search server based on Lucene3 - Tomcat integration
Closes: 895797 896604
Changes:
 lucene-solr (3.6.2+dfsg-12) unstable; urgency=high
 .
   * Team upload.
   * Fix FTBFS with Ant 1.10. (Closes: #895797)
   * Fix CVE-2018-1308. (Closes: #896604)
   * Declare compliance with Debian Policy 4.1.4.
--- End Message ---