Package        : lucene-solr
Version        : 3.6.0+dfsg-1+deb7u3
CVE ID         : CVE-2017-12629

Michael Stepankin and Olga Barinova discovered a remote code execution vulnerability in Apache Solr, exploitable through XML External Entity (XXE) processing in conjunction with a Config API add-listener command to reach the RunExecutableListener class.

To resolve this issue, the RunExecutableListener class has been removed and the resolution of external entities in the CoreParser class has been disallowed.

For Debian 7 "Wheezy", these problems have been fixed in version 3.6.0+dfsg-1+deb7u3.

We recommend that you upgrade your lucene-solr packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
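The fix described above has two parts: the RunExecutableListener class is removed and external entities are no longer resolved. As an added example (not part of the advisory or of the lucene-solr code), the following Python script audits a solrconfig.xml for listeners that still reference the removed class, using a parser that refuses any DOCTYPE declaration. The function names and both sample inputs are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat

REMOVED_CLASS = "RunExecutableListener"  # class named in the advisory

# Constructed sample inputs (not taken from the advisory).
SAMPLE_CONFIG = """<config>
  <updateHandler class="solr.DirectUpdateHandler2">
    <listener event="postCommit" class="solr.RunExecutableListener">
      <str name="exe">solr/bin/snapshooter</str>
    </listener>
  </updateHandler>
  <query><listener event="newSearcher" class="solr.QuerySenderListener"/></query>
</config>"""
SAMPLE_WITH_DTD = '<!DOCTYPE config [<!ENTITY e "constructed">]><config>&e;</config>'


class DoctypeRejected(ValueError):
    """The input declares a DTD, which is where external entities are defined."""


def parse_without_dtd(xml_text):
    """Parse XML into an Element, refusing any DOCTYPE declaration."""
    builder = ET.TreeBuilder()
    parser = expat.ParserCreate()

    def reject(name, sysid, pubid, has_internal_subset):
        raise DoctypeRejected("DOCTYPE %r rejected" % name)

    parser.StartDoctypeDeclHandler = reject
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data
    parser.Parse(xml_text, True)
    return builder.close()


def find_exec_listeners(xml_text):
    """Return (event, exe) for every <listener> that uses the removed class."""
    hits = []
    for listener in parse_without_dtd(xml_text).iter("listener"):
        if listener.get("class", "").endswith(REMOVED_CLASS):
            hits.append((listener.get("event"), listener.findtext("str[@name='exe']", "")))
    return hits


if __name__ == "__main__":
    for event, exe in find_exec_listeners(SAMPLE_CONFIG):
        print("listener on %s runs %s" % (event, exe))
```

Any listener this reports should be removed from the configuration before or during the upgrade, since the class it names no longer exists in the fixed package.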
