Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits: e1aff233 by Markus Koschany at 2019-10-07T16:50:48Z CVE-2019-12401,lucene-solr: Mark as not-affected for Jessie After investigating this issue I believe that the CVE should be reassigned to libwoodstox-java but it does neither affect lucene-solr or the latter in Debian, so it is not really important. In Debian we use the system libraries. The oldest version of libwoodstox-java in Jessie is 4.1.3. which was released in April 2012. CVE-2019-12401 probably refers to the change in the 4.x series to disable coalescing mode by default (it was erroneously set to true before). Interesting article about java.xml.stream.isCoalescing can be found at http://veithen.io/2013/10/11/broken-by-design-xlxp2.html Otherwise there are only two other changes which may be related to the problem. Since Buster even those are not relevant. 4.2.0 (23-Mar-2013) New features: * [WSTX-285], [WSTX-287]: Add ability to restrict certain size limits of parsed XML (updated using properties, see `ReaderConfig`) 4.2.1 (20-Mar-2014) [WSTX-294]: Incorrect data returned from text containing CDATA when IS_COALESCING property is set (reported by Rafal Dabrowa) The rest of the changes do not appear to be security relevant. In order to exploit CVE-2019-12401 and to trigger OOM an attacker must be able to post documents to the Solr instance. If he is able to do that he can easily cause a denial-of-service by some means or other. - - - - - 1 changed file: - data/CVE/list Changes: ===================================== data/CVE/list ===================================== @@ -14798,10 +14798,13 @@ CVE-2019-12402 (The file name encoding algorithm used internally in Apache Commo NOTE: Fixed in upstream commit: https://gitbox.apache.org/repos/asf?p=commons-compress.git;a=commitdiff;h=4ad5d80a6272e007f64a6ac66829ca189a8093b9;hp=16a0c84e84b93cc8c107b7ff3080bd11317ab581 CVE-2019-12401 (Solr versions 1.3.0 to 1.4.1, 3.1.0 to 3.6.2 and 4.0.0 to 4.10.4 are v ...) - lucene-solr <unfixed> + [jessie] - lucene-solr <not-affected> (system libraries of libwoodstox-java and libstax-api-java are used in Debian) NOTE: https://issues.apache.org/jira/browse/SOLR-13750 NOTE: https://www.openwall.com/lists/oss-security/2019/09/10/1 NOTE: Upstream's fix (upgrading dependencies) suggests the issue is in libwoodstox-java: NOTE: https://issues.apache.org/jira/browse/SOLR-6830 + NOTE: May be related to the change in the 4.x series of libwoodstox-java to disabling coalescing by default which can trigger large memory consumption + when parsing specially crafted XML data CVE-2019-12400 (In version 2.0.3 Apache Santuario XML Security for Java, a caching mec ...) - libxml-security-java <unfixed> (bug #935548) [stretch] - libxml-security-java <not-affected> (Vulnerable code introduced in 2.0.3) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e1aff2339d1af06e6d4dd92cef9057e6e263095c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e1aff2339d1af06e6d4dd92cef9057e6e263095c You're receiving this email because of your account on salsa.debian.org.
_______________________________________________ debian-security-tracker-commits mailing list [email protected] https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
