Your message dated Sat, 04 Jul 2015 18:17:05 +0000
with message-id <e1zbrzt-000223...@franck.debian.org>
and subject line Bug#787316: fixed in jackrabbit 2.3.6-1+deb8u1
has caused the Debian Bug report #787316,
regarding CVE-2015-1833
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
787316: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=787316
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: jackrabbit
Severity: grave
Tags: security
Hi,
please see https://issues.apache.org/jira/browse/JCR-3883
Cheers,
Moritz
--- End Message ---
--- Begin Message ---
Source: jackrabbit
Source-Version: 2.3.6-1+deb8u1
We believe that the bug you reported is fixed in the latest version of
jackrabbit, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 787...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Markus Koschany <a...@gambaru.de> (supplier of updated jackrabbit package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 25 Jun 2015 18:47:39 +0200
Source: jackrabbit
Binary: libjackrabbit-java
Architecture: source all
Version: 2.3.6-1+deb8u1
Distribution: jessie-security
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <a...@gambaru.de>
Description:
libjackrabbit-java - content repository implementation (JCR API)
Closes: 787316
Changes:
 jackrabbit (2.3.6-1+deb8u1) jessie-security; urgency=medium
 .
   * Team upload.
   * Add CVE-2015-1833.patch.
     Fix XXE/XEE vulnerability of the Jackrabbit WebDAV bundle.
     When processing a WebDAV request body containing XML, the XML parser can be
     instructed to read content from network resources accessible to the host,
     identified by URI schemes such as "http(s)" or "file". Depending on the
     WebDAV request, this can not only be used to trigger internal network
     requests, but might also be used to insert said content into the request,
     potentially exposing it to the attacker and others. (Closes: #787316)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
--- End Message ---