This is an automated email from the git hooks/post-receive script. ebourg-guest pushed a commit to branch master in repository resteasy.
commit b8d00cbeb708b62b733afdd45fa4cfa52e10d6b3 Author: Emmanuel Bourg <[email protected]> Date: Mon Nov 24 23:35:13 2014 +0100 Fix CVE-2014-7839: External entities expanded by DocumentProvider (Closes: #770544)
---
 debian/changelog | 8 ++++++++ debian/patches/CVE-2014-7839.diff | 18 ++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 27 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index db71c2b..cb9c7b9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+resteasy (3.0.6-2) UNRELEASED; urgency=medium
+
+ * Team upload.
+ * Fix CVE-2014-7839: External entities expanded by DocumentProvider
+ (Closes: #770544)
+
+ -- Emmanuel Bourg <[email protected]> Mon, 24 Nov 2014 23:10:47 +0100
+
 resteasy (3.0.6-1) unstable; urgency=medium
 
 * Team upload.
diff --git a/debian/patches/CVE-2014-7839.diff b/debian/patches/CVE-2014-7839.diff
new file mode 100644
index 0000000..9642634
--- /dev/null
+++ b/debian/patches/CVE-2014-7839.diff
@@ -0,0 +1,18 @@
+Description: Fix CVE-2014-7839: External entities expanded by DocumentProvider
+Origin: backport, https://github.com/ronsigal/Resteasy/commit/8b5d8cf
+ https://github.com/ronsigal/Resteasy/commit/dfd2264
+Bug: https://issues.jboss.org/browse/RESTEASY-1130
+Bug-Debian: https://bugs.debian.org/770544
+--- a/jaxrs/resteasy-jaxrs/src/main/java/org/jboss/resteasy/plugins/providers/DocumentProvider.java
++++ b/jaxrs/resteasy-jaxrs/src/main/java/org/jboss/resteasy/plugins/providers/DocumentProvider.java
+@@ -71,6 +71,10 @@
+ try
+ {
+ documentBuilder.setExpandEntityReferences(expandEntityReferences);
++ documentBuilder.setFeature("http://xml.org/sax/features/external-general-entities", expandEntityReferences);
++ documentBuilder.setFeature("http://xml.org/sax/features/external-parameter-entities", expandEntityReferences);
++ documentBuilder.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, true);
++ documentBuilder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ return documentBuilder.newDocumentBuilder().parse(input);
+ }
+ catch (Exception e)
diff --git a/debian/patches/series b/debian/patches/series
index 194197c..6e15de3 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 revert-to-jsr250-api.diff
+CVE-2014-7839.diff
-- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/resteasy.git _______________________________________________ pkg-java-commits mailing list [email protected] http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-commits
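Review bot: The unconditional `disallow-doctype-decl` feature on the last added line of the inner DocumentProvider hunk makes the two `expandEntityReferences`-controlled feature calls above it unobservable, because any document carrying a DOCTYPE is rejected before an entity declaration can exist, so `expandEntityReferences=true` no longer re-enables external entities and a document with a harmless internal DTD now fails to parse whatever the setting. That is the safe outcome for CVE-2014-7839, but it should be stated at the call site so a later maintainer does not "repair" the toggle, e.g. `// DOCTYPE is rejected outright: expandEntityReferences cannot re-enable external entities (CVE-2014-7839)`. The `http://apache.org/xml/features/...` and SAX feature names are parser-specific; on an implementation that does not recognise them `setFeature` throws `ParserConfigurationException`, which lands in the `catch (Exception e)` whose body, like the rest of the enclosing method, lies outside the hunk — worth confirming it reports the failure rather than swallowing it, since the parse is skipped either way. The inline fully qualified `javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING` reads as a backport artefact; an import would match the rest of the file.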

