-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Package : lucene-solr Version : 3.6.0+dfsg-1+deb7u2 CVE ID : CVE-2017-3163 Debian Bug : 867712
lucene-solr handler supports an HTTP API (/replication?command=filecontent&file=<file_name>) which is vulnerable to path traversal attack. Specifically, this API does not perform any validation of the user specified file_name parameter. This can allow an attacker to download any file readable to Solr server process even if it is not related to the actual Solr index state. For Debian 7 "Wheezy", this problem has been fixed in version 3.6.0+dfsg-1+deb7u2. We recommend that you upgrade your lucene-solr packages. Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEjtbD+LrJ23/BMKhw+COicpiDyXwFAll9/ugACgkQ+COicpiD yXyA2w//WIv6ZgQ1Al3pCuQvUP1WnauydzFNsIu17ayRo7UU64T0gSRHVmzsQMQf /qV4c6FKuN8H7cMWVTPQVIlWxkMj0z++BmGzj+c65N3oO/IIG3CYm2E6N5pPWdMv HiyMN87Nzj2EnnFfljnOg7m9x4KHtJv/NluB4h/IQWLEw1MuIEVAPWArTE+dXBJI 7MqIl+hFIc32u2MypfAY6ENLQOI5cKQ0Ic88AstmNMbxmlciBOMCXtd0BmPoPoeK IJQp0K8E92NbHcPKnIRhpK7wHbMh1gMOFDn7YPmuT+QcFY0n/kpHL7Xdw2rVA8nJ fyZpUleZJpk8oz/8Wb3WEwYHrnccvYHoNwMBEuXu6/95svMV2UoROdsa4ElRs7UX US9xC7XoVVxSWrJinV+oQ3fL0hpxqYHwGkU5pVuDE57CoMQ5g80tCxkwkLm6o9eB hiNUG+hzA9Uuxu2eOIWRys3PGWhwccNsP2V3FcdBk//iGiX29WjhbQyomAB4fpmP hgkc5hG3Ub3GMwIo6fPqgz9zVkQ4hitXA+0Y2CZo1P/jCpd+t7vDouB3h+8cNxU9 CHKwRB5odSmw2G98mCJXZzR5cr6U55WYL+iewxxZ1OrBXQ3JuMykqkPX6MUlKYUH lF6psiBYhJe8UDJB/fnbfXL+p7Qgy7dnXPs5pg+g0bllkH4HwSY= =e7Kh -----END PGP SIGNATURE-----
