This is an automated email from the git hooks/post-receive script.

apo pushed a commit to annotated tag debian/2.3.6-1+deb7u2
in repository jackrabbit.

commit 794a7c9125cb481f1fbfd3207c9fe8a2798ad24b
Author: Markus Koschany <a...@debian.org>
Date:   Sun Sep 18 16:53:45 2016 +0200

    Import Debian patch 2.3.6-1+deb7u2
---
 .gitignore                         |   1 -
 debian/changelog                   |  25 ++++
 debian/patches/CVE-2015-1833.patch | 244 +++++++++++++++++++++++++++++++++++++
 debian/patches/CVE-2016-6801.patch | 192 +++++++++++++++++++++++++++++
 debian/patches/series              |   2 +
 5 files changed, 463 insertions(+), 1 deletion(-)

diff --git a/.gitignore b/.gitignore
deleted file mode 100644
index 845ca06..0000000
--- a/.gitignore
+++ /dev/null
@@ -1 +0,0 @@
-.pc
diff --git a/debian/changelog b/debian/changelog
index 4d0d701..2f15a38 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,28 @@
+jackrabbit (2.3.6-1+deb7u2) wheezy-security; urgency=high
+
+  * Non-maintainer upload by the LTS team.
+  * Fix CVE-2016-6801:
+    The CSRF content-type check for POST requests did not handle missing
+    Content-Type header fields, nor variations in field values with respect to
+    upper/lower case or optional parameters. This could be exploited to create
+    a resource via CSRF.
+
+ -- Markus Koschany <a...@debian.org>  Sun, 18 Sep 2016 16:53:45 +0200
+
+jackrabbit (2.3.6-1+deb7u1) wheezy-security; urgency=medium
+
+  * Team upload.
+  * Add CVE-2015-1833.patch.
+    Fix XXE/XEE vulnerability of the Jackrabbit WebDAV bundle.
+    When processing a WebDAV request body containing XML, the XML parser can be
+    instructed to read content from network resources accessible to the host,
+    identified by URI schemes such as "http(s)" or "file". Depending on the
+    WebDAV request, this can not only be used to trigger internal network
+    requests, but might also be used to insert said content into the request,
+    potentially exposing it to the attacker and others. (Closes: #787316)
+
+ -- Markus Koschany <a...@gambaru.de>  Thu, 25 Jun 2015 18:52:02 +0200
+
 jackrabbit (2.3.6-1) unstable; urgency=low
 
   * Initial release (Closes: #589450).
diff --git a/debian/patches/CVE-2015-1833.patch 
b/debian/patches/CVE-2015-1833.patch
new file mode 100644
index 0000000..83db29d
--- /dev/null
+++ b/debian/patches/CVE-2015-1833.patch
@@ -0,0 +1,244 @@
+From: Markus Koschany <a...@gambaru.de>
+Date: Wed, 24 Jun 2015 03:16:44 +0200
+Subject: CVE-2015-1833
+
+---
+ .../webdav/xml/DavDocumentBuilderFactory.java      | 86 ++++++++++++++++++++++
+ .../org/apache/jackrabbit/webdav/xml/DomUtil.java  | 22 +-----
+ .../apache/jackrabbit/webdav/xml/ParserTest.java   | 78 ++++++++++++++++++++
+ .../org/apache/jackrabbit/webdav/xml/TestAll.java  |  1 +
+ 4 files changed, 168 insertions(+), 19 deletions(-)
+ create mode 100644 
jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DavDocumentBuilderFactory.java
+ create mode 100644 
jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/ParserTest.java
+
+diff --git 
a/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DavDocumentBuilderFactory.java
 
b/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DavDocumentBuilderFactory.java
+new file mode 100644
+index 0000000..60660a0
+--- /dev/null
++++ 
b/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DavDocumentBuilderFactory.java
+@@ -0,0 +1,86 @@
++/*
++ * Licensed to the Apache Software Foundation (ASF) under one or more
++ * contributor license agreements.  See the NOTICE file distributed with
++ * this work for additional information regarding copyright ownership.
++ * The ASF licenses this file to You under the Apache License, Version 2.0
++ * (the "License"); you may not use this file except in compliance with
++ * the License.  You may obtain a copy of the License at
++ *
++ *      http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License.
++ */
++package org.apache.jackrabbit.webdav.xml;
++
++import java.io.IOException;
++
++import javax.xml.XMLConstants;
++import javax.xml.parsers.DocumentBuilder;
++import javax.xml.parsers.DocumentBuilderFactory;
++import javax.xml.parsers.ParserConfigurationException;
++
++import org.slf4j.Logger;
++import org.slf4j.LoggerFactory;
++import org.xml.sax.EntityResolver;
++import org.xml.sax.InputSource;
++import org.xml.sax.helpers.DefaultHandler;
++
++/**
++ * Custom {@link DocumentBuilderFactory} extended for use in WebDAV.
++ */
++public class DavDocumentBuilderFactory {
++
++    private static final Logger LOG = LoggerFactory.getLogger(DomUtil.class);
++
++    private final DocumentBuilderFactory DEFAULT_FACTORY = createFactory();
++
++    private DocumentBuilderFactory BUILDER_FACTORY = DEFAULT_FACTORY;
++
++    private DocumentBuilderFactory createFactory() {
++        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
++        factory.setNamespaceAware(true);
++        factory.setIgnoringComments(true);
++        factory.setIgnoringElementContentWhitespace(true);
++        factory.setCoalescing(true);
++        try {
++            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
++        } catch (ParserConfigurationException e) {
++            LOG.warn("Secure XML processing is not supported", e);
++        } catch (AbstractMethodError e) {
++            LOG.warn("Secure XML processing is not supported", e);
++        }
++        return factory;
++    }
++
++    public void setFactory(DocumentBuilderFactory documentBuilderFactory) {
++        LOG.debug("DocumentBuilderFactory changed to: " + 
documentBuilderFactory);
++        BUILDER_FACTORY = documentBuilderFactory != null ? 
documentBuilderFactory : DEFAULT_FACTORY;
++    }
++
++    /**
++     * An entity resolver that does not allow external entity resolution. See
++     * RFC 4918, Section 20.6
++     */
++    private static final EntityResolver DEFAULT_ENTITY_RESOLVER = new 
EntityResolver() {
++        public InputSource resolveEntity(String publicId, String systemId) 
throws IOException {
++            LOG.debug("Resolution of external entities in XML payload not 
supported - publicId: " + publicId + ", systemId: "
++                    + systemId);
++            throw new IOException("This parser does not support resolution of 
external entities (publicId: " + publicId
++                    + ", systemId: " + systemId + ")");
++        }
++    };
++
++    public DocumentBuilder newDocumentBuilder() throws 
ParserConfigurationException {
++        DocumentBuilder db = BUILDER_FACTORY.newDocumentBuilder();
++        if (BUILDER_FACTORY == DEFAULT_FACTORY) {
++            // if this is the default factory: set the default entity 
resolver as well
++            db.setEntityResolver(DEFAULT_ENTITY_RESOLVER);
++        }
++        db.setErrorHandler(new DefaultHandler());
++        return db;
++    }
++}
+diff --git 
a/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DomUtil.java 
b/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DomUtil.java
+index 70508cc..ad77c97 100644
+--- 
a/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DomUtil.java
++++ 
b/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DomUtil.java
+@@ -56,26 +56,10 @@ public class DomUtil {
+     private static Logger log = LoggerFactory.getLogger(DomUtil.class);
+ 
+     /**
+-     * Constant for <code>DocumentBuilderFactory</code> which is used
++     * Constant for <code>DavDocumentBuilderFactory</code> which is used
+      * to create and parse DOM documents.
+      */
+-    private static DocumentBuilderFactory BUILDER_FACTORY = createFactory();
+-
+-    private static DocumentBuilderFactory createFactory() {
+-        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+-        factory.setNamespaceAware(true);
+-        factory.setIgnoringComments(true);
+-        factory.setIgnoringElementContentWhitespace(true);
+-        factory.setCoalescing(true);
+-        try {
+-            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+-        } catch (ParserConfigurationException e) {
+-            log.warn("Secure XML processing is not supported", e);
+-        } catch (AbstractMethodError e) {
+-            log.warn("Secure XML processing is not supported", e);
+-        }
+-        return factory;
+-    }
++    private static DavDocumentBuilderFactory BUILDER_FACTORY = new 
DavDocumentBuilderFactory();
+ 
+     /**
+      * Support the replacement of {@link #BUILDER_FACTORY}. This is useful
+@@ -88,7 +72,7 @@ public class DomUtil {
+      */
+     public static void setBuilderFactory(
+             DocumentBuilderFactory documentBuilderFactory) {
+-        BUILDER_FACTORY = documentBuilderFactory;
++        BUILDER_FACTORY.setFactory(documentBuilderFactory);
+     }
+ 
+     /**
+diff --git 
a/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/ParserTest.java
 
b/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/ParserTest.java
+new file mode 100644
+index 0000000..19aaa1b
+--- /dev/null
++++ 
b/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/ParserTest.java
+@@ -0,0 +1,78 @@
++/*
++ * Licensed to the Apache Software Foundation (ASF) under one or more
++ * contributor license agreements.  See the NOTICE file distributed with
++ * this work for additional information regarding copyright ownership.
++ * The ASF licenses this file to You under the Apache License, Version 2.0
++ * (the \"License\"); you may not use this file except in compliance with
++ * the License.  You may obtain a copy of the License at
++ *
++ *      http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an \"AS IS\" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License.
++ */
++package org.apache.jackrabbit.webdav.xml;
++
++import java.io.ByteArrayInputStream;
++import java.io.File;
++import java.io.FileOutputStream;
++import java.io.IOException;
++import java.io.InputStream;
++import java.io.OutputStream;
++import java.io.UnsupportedEncodingException;
++
++import junit.framework.TestCase;
++
++import org.w3c.dom.Document;
++import org.w3c.dom.Element;
++
++public class ParserTest extends TestCase {
++
++    // see <http://en.wikipedia.org/wiki/Billion_laughs#Details>
++    public void testBillionLaughs() throws UnsupportedEncodingException {
++
++        String testBody = "<?xml version=\"1.0\"?>" + "<!DOCTYPE lolz [" + " 
<!ENTITY lol \"lol\">" + " <!ELEMENT lolz (#PCDATA)>"
++                + " <!ENTITY lol1 
\"&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;\">"
++                + " <!ENTITY lol2 
\"&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;\">"
++                + " <!ENTITY lol3 
\"&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;\">"
++                + " <!ENTITY lol4 
\"&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;\">"
++                + " <!ENTITY lol5 
\"&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;\">"
++                + " <!ENTITY lol6 
\"&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;\">"
++                + " <!ENTITY lol7 
\"&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;\">"
++                + " <!ENTITY lol8 
\"&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;\">"
++                + " <!ENTITY lol9 
\"&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;\">" + "]>" + 
"<lolz>&lol9;</lolz>";
++        InputStream is = new ByteArrayInputStream(testBody.getBytes("UTF-8"));
++
++        try {
++            DomUtil.parseDocument(is);
++            fail("parsing this document should cause an exception");
++        } catch (Exception expected) {
++        }
++    }
++
++    public void testExternalEntities() throws IOException {
++
++        String dname = "target";
++        String fname = "test.xml";
++
++        File f = new File(dname, fname);
++        OutputStream os = new FileOutputStream(f);
++        os.write("testdata".getBytes());
++        os.close();
++
++        String testBody = "<?xml version='1.0'?>\n<!DOCTYPE foo [" + " 
<!ENTITY test SYSTEM \"file:" + dname + "/" + fname + "\">"
++                + "]>\n<foo>&test;</foo>";
++        InputStream is = new ByteArrayInputStream(testBody.getBytes("UTF-8"));
++
++        try {
++            Document d = DomUtil.parseDocument(is);
++            Element root = d.getDocumentElement();
++            String text = DomUtil.getText(root);
++            fail("parsing this document should cause an exception, but the 
following external content was included: " + text);
++        } catch (Exception expected) {
++        }
++    }
++}
+\ No newline at end of file
+diff --git 
a/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/TestAll.java 
b/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/TestAll.java
+index 1ca395a..f3ff354 100644
+--- 
a/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/TestAll.java
++++ 
b/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/TestAll.java
+@@ -33,6 +33,7 @@ public class TestAll extends TestCase {
+         TestSuite suite = new TestSuite("org.apache.jackrabbit.webdav.xml 
tests");
+ 
+         suite.addTestSuite(NamespaceTest.class);
++        suite.addTestSuite(ParserTest.class);
+ 
+         return suite;
+     }
diff --git a/debian/patches/CVE-2016-6801.patch 
b/debian/patches/CVE-2016-6801.patch
new file mode 100644
index 0000000..7ad632c
--- /dev/null
+++ b/debian/patches/CVE-2016-6801.patch
@@ -0,0 +1,192 @@
+From: Markus Koschany <a...@debian.org>
+Date: Sun, 18 Sep 2016 16:46:33 +0200
+Subject: CVE-2016-6801
+
+The CSRF content-type check for POST requests did not handle missing
+Content-Type header fields, nor variations in field values with respect to
+upper/lower case or optional parameters. This could be exploited to create a
+resource via CSRF.
+
+Backported to the 2.3 branch.
+
+Origin: https://svn.apache.org/viewvc?view=revision&revision=1758791
+---
+ .../apache/jackrabbit/spi2davex/PostMethod.java    |  1 +
+ .../org/apache/jackrabbit/webdav/DavResource.java  |  2 +-
+ .../webdav/server/AbstractWebdavServlet.java       |  3 +-
+ .../apache/jackrabbit/webdav/util/CSRFUtil.java    | 83 ++++++++++++++++++----
+ 4 files changed, 74 insertions(+), 15 deletions(-)
+
+diff --git 
a/jackrabbit-spi2dav/src/main/java/org/apache/jackrabbit/spi2davex/PostMethod.java
 
b/jackrabbit-spi2dav/src/main/java/org/apache/jackrabbit/spi2davex/PostMethod.java
+index 5355a72..f6e243c 100644
+--- 
a/jackrabbit-spi2dav/src/main/java/org/apache/jackrabbit/spi2davex/PostMethod.java
++++ 
b/jackrabbit-spi2dav/src/main/java/org/apache/jackrabbit/spi2davex/PostMethod.java
+@@ -47,6 +47,7 @@ class PostMethod extends DavMethodBase {
+ 
+     public PostMethod(String uri) {
+         super(uri);
++        super.setRequestHeader("Referer", uri);
+         HttpMethodParams params = getParams();
+         params.setContentCharset("UTF-8");
+     }
+diff --git 
a/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/DavResource.java 
b/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/DavResource.java
+index c99b5cd..6e70a42 100644
+--- 
a/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/DavResource.java
++++ 
b/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/DavResource.java
+@@ -40,7 +40,7 @@ public interface DavResource {
+     /**
+      * String constant representing the WebDAV 1 and 2 method set.
+      */
+-    public static final String METHODS = "OPTIONS, GET, HEAD, POST, TRACE, 
PROPFIND, PROPPATCH, MKCOL, COPY, PUT, DELETE, MOVE, LOCK, UNLOCK";
++    public static final String METHODS = "OPTIONS, GET, HEAD, TRACE, 
PROPFIND, PROPPATCH, MKCOL, COPY, PUT, DELETE, MOVE, LOCK, UNLOCK";
+ 
+     /**
+      * Returns a comma separated list of all compliance classes the given
+diff --git 
a/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/server/AbstractWebdavServlet.java
 
b/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/server/AbstractWebdavServlet.java
+index 128946e..a1bdbf4 100644
+--- 
a/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/server/AbstractWebdavServlet.java
++++ 
b/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/server/AbstractWebdavServlet.java
+@@ -568,7 +568,7 @@ abstract public class AbstractWebdavServlet extends 
HttpServlet implements DavCo
+      */
+     protected void doPost(WebdavRequest request, WebdavResponse response,
+                           DavResource resource) throws IOException, 
DavException {
+-        doPut(request, response, resource);
++        response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
+     }
+ 
+     /**
+@@ -1356,7 +1356,6 @@ abstract public class AbstractWebdavServlet extends 
HttpServlet implements DavCo
+      * @param out
+      * @return
+      * @see #doPut(WebdavRequest, WebdavResponse, DavResource)
+-     * @see #doPost(WebdavRequest, WebdavResponse, DavResource)
+      * @see #doMkCol(WebdavRequest, WebdavResponse, DavResource)
+      */
+     protected OutputContext getOutputContext(DavServletResponse response, 
OutputStream out) {
+diff --git 
a/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/util/CSRFUtil.java
 
b/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/util/CSRFUtil.java
+index 4d431eb..b5fc8f4 100644
+--- 
a/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/util/CSRFUtil.java
++++ 
b/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/util/CSRFUtil.java
+@@ -19,12 +19,18 @@ package org.apache.jackrabbit.webdav.util;
+ import org.slf4j.Logger;
+ import org.slf4j.LoggerFactory;
+ 
+-import javax.servlet.http.HttpServletRequest;
+-import java.net.MalformedURLException;
+-import java.net.URL;
++import java.net.URI;
++import java.net.URISyntaxException;
++import java.util.Arrays;
+ import java.util.Collections;
++import java.util.Enumeration;
+ import java.util.HashSet;
+ import java.util.Set;
++import java.util.Locale;
++import javax.servlet.http.HttpServletRequest;
++
++import org.slf4j.Logger;
++import org.slf4j.LoggerFactory;
+ 
+ /**
+  * <code>CSRFUtil</code>...
+@@ -37,6 +43,19 @@ public class CSRFUtil {
+     public static final String DISABLED = "disabled";
+ 
+     /**
++     * Request content types for CSRF checking, see JCR-3909, JCR-4002, and 
JCR-4009
++     */
++    public static final Set<String> CONTENT_TYPES = 
Collections.unmodifiableSet(new HashSet<String>(
++            Arrays.asList(
++                    new String[] {
++                            "application/x-www-form-urlencoded",
++                            "multipart/form-data",
++                            "text/plain"
++                    }
++            )
++    ));
++
++    /**
+      * logger instance
+      */
+     private static final Logger log = LoggerFactory.getLogger(CSRFUtil.class);
+@@ -77,6 +96,7 @@ public class CSRFUtil {
+         if (config == null || config.length() == 0) {
+             disabled = false;
+             allowedReferrerHosts = Collections.emptySet();
++            log.debug("CSRF protection disabled");
+         } else {
+             if (DISABLED.equalsIgnoreCase(config.trim())) {
+                 disabled = true;
+@@ -89,23 +109,62 @@ public class CSRFUtil {
+                     allowedReferrerHosts.add(entry.trim());
+                 }
+             }
++            log.debug("CSRF protection enabled, allowed referrers: " + 
allowedReferrerHosts);
+         }
+     }
+ 
+-    public boolean isValidRequest(HttpServletRequest request) throws 
MalformedURLException {
++  public boolean isValidRequest(HttpServletRequest request) {
++
+         if (disabled) {
+             return true;
++        } else if (!"POST".equals(request.getMethod())) {
++            // protection only needed for POST
++            return true;
+         } else {
++            Enumeration<String> cts = (Enumeration<String>) 
request.getHeaders("Content-Type");
++            String ct = null;
++            if (cts != null && cts.hasMoreElements()) {
++                String t = cts.nextElement();
++                // prune parameters
++                int semicolon = t.indexOf(';');
++                if (semicolon >= 0) {
++                    t = t.substring(0, semicolon);
++                }
++                ct = t.trim().toLowerCase(Locale.ENGLISH);
++            }
++            if (cts != null && cts.hasMoreElements()) {
++                // reject if there are more header field instances
++                log.debug("request blocked because there were multiple 
content-type header fields");
++                return false;
++            }
++            if (ct != null && !CONTENT_TYPES.contains(ct)) {
++                // type present and not in blacklist
++                return true;
++            }
++
+             String refHeader = request.getHeader("Referer");
++            // empty referrer headers are not allowed for POST + relevant
++            // content types (see JCR-3909)
+             if (refHeader == null) {
+-                // empty referrer is always allowed
+-                return true;
+-            } else {
+-                String host = new URL(refHeader).getHost();
+-                // test referrer-host equelst server or
+-                // if it is contained in the set of explicitly allowed host 
names
+-                return host.equals(request.getServerName()) || 
allowedReferrerHosts.contains(host);
++                log.debug("POST with content type" + ct + " blocked due to 
missing referer header field");
++                return false;
++            }
++
++            try {
++                String host = new URI(refHeader).getHost();
++                // test referrer-host equals server or
++                // if it is contained in the set of explicitly allowed host
++                // names
++                boolean ok = host == null || 
host.equals(request.getServerName()) || allowedReferrerHosts.contains(host);
++                if (!ok) {
++                    log.debug("POST with content type" + ct + " blocked due 
to referer header field being: " + refHeader);
++                }
++                return ok;
++            } catch (URISyntaxException ex) {
++                // referrer malformed -> block access
++                log.debug("POST with content type" + ct + " blocked due to 
malformed referer header field: " + refHeader);
++                return false;
+             }
+         }
+     }
+-}
+\ No newline at end of file
++}
diff --git a/debian/patches/series b/debian/patches/series
index 1ed02cd..df13c07 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,4 @@
 modules.diff
 servlet_api_25.diff
+CVE-2015-1833.patch
+CVE-2016-6801.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on 
/srv/git.debian.org/git/pkg-java/jackrabbit.git

_______________________________________________
pkg-java-commits mailing list
pkg-java-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-commits

Reply via email to