Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits: f0e367a3 by Markus Koschany at 2020-08-31T10:56:03+02:00 CVE-2020-13941,lucene-solr: Mark as ignored for Stretch and Buster. Remove lucene-solr from dla-needed.txt. CVE-2020-13941 is about adding a new parameter to the CoreAdminAPI that validates whether a user is allowed to write or read data to or from a different directory than the default dataDir directory. In Debian the default dataDir directory is /var/lib/solr/data. This is specified in /etc/solr/conf/solrconfig.xml. See also set-data-dir.patch and solr-common.README.Debian. The only way to change that is to edit /etc/solr/conf/solrconfig.xml. The value in solrconfig.xml overrides any dataDir value that is passed to the dynamic core admin interface. That means that only system administrators should be able to change that value. This makes CVE-2020-13941 a rather minor issue for Debian and backporting the new configuration option does not seem strictly necessary. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: ===================================== data/CVE/list ===================================== @@ -23679,6 +23679,8 @@ CVE-2020-13942 RESERVED CVE-2020-13941 (Reported in SOLR-14515 (private) and fixed in SOLR-14561 (public), rel ...) - lucene-solr <unfixed> + [buster] - lucene-solr <ignored> (Minor issue) + [stretch] - lucene-solr <ignored> (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2020/08/15/1 NOTE: https://issues.apache.org/jira/browse/SOLR-14561 NOTE: https://github.com/apache/lucene-solr/commit/936b9d770e769c9018a9f408d576f52e7c4e8be2 ===================================== data/dla-needed.txt ===================================== 
@@ -102,8 +102,6 @@ linux-4.9 (Ben Hutchings) -- lua5.3 -- -lucene-solr (Markus Koschany) --- mumble NOTE: 20200325: Regression in last upload, forgot to follow up. NOTE: 20200325: https://github.com/mumble-voip/mumble/issues/3605 (abhijith) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f0e367a3d1e318d240b4e758b7d142f91a045b98
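Review bot: In data/CVE/list, the two added lines `[buster] - lucene-solr <ignored> (Minor issue)` and `[stretch] - lucene-solr <ignored> (Minor issue)` give only "Minor issue" as the reason, while the actual justification (Debian sets dataDir in /etc/solr/conf/solrconfig.xml and that value overrides any dataDir passed to the core admin interface) is recorded only in the commit message. Consider adding a NOTE line under the CVE-2020-13941 entry that summarises this and points to set-data-dir.patch, so the tracker entry explains the ignored state without the commit log.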
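Review bot: In data/dla-needed.txt, the removal of `lucene-solr (Markus Koschany)` is justified in the commit message only by CVE-2020-13941 being ignored for Stretch, and the hunk does not show whether that CVE was the sole reason the package was listed. It is worth confirming that no other unfixed lucene-solr issue remains open for stretch before dropping the entry, and stating that in the commit message.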
_______________________________________________ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits