Your message dated Mon, 07 May 2018 12:03:18 +0000
with message-id <[email protected]>
and subject line Bug#896604: fixed in lucene-solr 3.6.2+dfsg-5+deb8u2
has caused the Debian Bug report #896604,
regarding lucene-solr: CVE-2018-1308 XXE in DataImportHandler
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
896604: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=896604
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: lucene-solr
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security
Hi,
The following vulnerability was published for lucene-solr.
CVE-2018-1308[0]:
| This vulnerability in Apache Solr 1.2 to 6.6.2 and 7.0.0 to 7.2.1
| relates to an XML external entity expansion (XXE) in the
| `&dataConfig=<inlinexml>` parameter of Solr's
DataImportHandler. It
| can be used as XXE using file/ftp/http protocols in order to read
| arbitrary local files from the Solr server or the internal network.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-1308
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1308
Please adjust the affected versions in the BTS as needed.
Regards,
Markus
signature.asc
Description: OpenPGP digital signature
--- End Message ---
--- Begin Message ---
Source: lucene-solr
Source-Version: 3.6.2+dfsg-5+deb8u2
We believe that the bug you reported is fixed in the latest version of
lucene-solr, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Markus Koschany <[email protected]> (supplier of updated lucene-solr package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 02 May 2018 23:43:25 +0200
Source: lucene-solr
Binary: liblucene3-java liblucene3-contrib-java liblucene3-java-doc
libsolr-java solr-common solr-tomcat solr-jetty
Architecture: source all
Version: 3.6.2+dfsg-5+deb8u2
Distribution: jessie-security
Urgency: high
Maintainer: Debian Java Maintainers
<[email protected]>
Changed-By: Markus Koschany <[email protected]>
Description:
liblucene3-contrib-java - Full-text search engine library for Java -
additional libraries
liblucene3-java - Full-text search engine library for Java - core library
liblucene3-java-doc - Documentation for Lucene
libsolr-java - Enterprise search server based on Lucene - Java libraries
solr-common - Enterprise search server based on Lucene3 - common files
solr-jetty - Enterprise search server based on Lucene3 - Jetty integration
solr-tomcat - Enterprise search server based on Lucene3 - Tomcat integration
Closes: 896604
Changes:
lucene-solr (3.6.2+dfsg-5+deb8u2) jessie-security; urgency=high
.
* Team upload.
* Fix CVE-2018-1308: XML external entity expansion in Solr's
DataImportHandler. It can be used as XXE using file/ftp/http protocols in
order to read arbitrary local files from the Solr server or the internal
network. (Closes: #896604)
Checksums-Sha1:
3e72326c36659a80a8b347cd6a6df8519c1a880f 3374
lucene-solr_3.6.2+dfsg-5+deb8u2.dsc
e32facb17569c7b2f53da837d4a9666aff337a5d 50916
lucene-solr_3.6.2+dfsg-5+deb8u2.debian.tar.xz
2a2a22428cf0809a237a9bc5638785c913366cff 1500622
liblucene3-java_3.6.2+dfsg-5+deb8u2_all.deb
cb7196a3a3a1e5f01570bdd68f12d76fa6f6358f 10896058
liblucene3-contrib-java_3.6.2+dfsg-5+deb8u2_all.deb
f36e229cbda5c9f667dd8558c2c09190133a7e8a 4836948
liblucene3-java-doc_3.6.2+dfsg-5+deb8u2_all.deb
8f6b26391bfb35aa033d037f36563484a80d2254 1961392
libsolr-java_3.6.2+dfsg-5+deb8u2_all.deb
eff4b3045dcab13f46ca0267d7d199e90917db9b 144528
solr-common_3.6.2+dfsg-5+deb8u2_all.deb
d080e1d0079704fc01ee81b319961c227104e496 8972
solr-tomcat_3.6.2+dfsg-5+deb8u2_all.deb
39d45e91dc344bc57d9fb7c08af962b3a0a77030 8684
solr-jetty_3.6.2+dfsg-5+deb8u2_all.deb
Checksums-Sha256:
614fc97761f450b57b99585f83532d9c62ed2639a5d6e69643a164695758fc1b 3374
lucene-solr_3.6.2+dfsg-5+deb8u2.dsc
0b9ca1b751a02e149d4d4e4cfa3a1e2fca67be961783f3b11cfccfae16aded5e 50916
lucene-solr_3.6.2+dfsg-5+deb8u2.debian.tar.xz
2a393273513065f9dc62455a0b58ba71a4c8db2fc076abf9c086b1a8d0000726 1500622
liblucene3-java_3.6.2+dfsg-5+deb8u2_all.deb
b99f5e479ec9a15a9492040f19beb3be255dda328c15a5581703355dd365ebc0 10896058
liblucene3-contrib-java_3.6.2+dfsg-5+deb8u2_all.deb
026b69ad81270250b5f92f010fe5c740d163e1615f39e72992299335403cee69 4836948
liblucene3-java-doc_3.6.2+dfsg-5+deb8u2_all.deb
c139d1f0d47d7111ac242888755ee30c853e692fa4904aac4f8c408cbb882556 1961392
libsolr-java_3.6.2+dfsg-5+deb8u2_all.deb
c80a6b045ed0bc2e264de8ef2ab02bd91144fa469ebd1ad55d7cd63fd25cbbc6 144528
solr-common_3.6.2+dfsg-5+deb8u2_all.deb
16e42f75599e7a293aa7c7deb49de8df6474a8ac75377dfc24d9746c6cf8a9b0 8972
solr-tomcat_3.6.2+dfsg-5+deb8u2_all.deb
83dd010cf3948a92829adfb40b0fd66c7013304bc7cc9417b9d0326893e242cc 8684
solr-jetty_3.6.2+dfsg-5+deb8u2_all.deb
Files:
8a17b4596834420b8e5ca0ae03d30c1c 3374 java optional
lucene-solr_3.6.2+dfsg-5+deb8u2.dsc
f7307d3b9099f0c6841730fb5aeef4a2 50916 java optional
lucene-solr_3.6.2+dfsg-5+deb8u2.debian.tar.xz
515a77f3c8981ca61cff697374305895 1500622 java optional
liblucene3-java_3.6.2+dfsg-5+deb8u2_all.deb
d659cf591344aa6d5dcb33e64f8fced4 10896058 java optional
liblucene3-contrib-java_3.6.2+dfsg-5+deb8u2_all.deb
c790784ae75116ccc379f7f32641dded 4836948 doc optional
liblucene3-java-doc_3.6.2+dfsg-5+deb8u2_all.deb
bd953e062da1f4c94273064fa0d2229e 1961392 java optional
libsolr-java_3.6.2+dfsg-5+deb8u2_all.deb
4102600fb402b978d08a561e2da33137 144528 java optional
solr-common_3.6.2+dfsg-5+deb8u2_all.deb
599be5d3580e6cbbe82c0dc3bb7d763e 8972 java optional
solr-tomcat_3.6.2+dfsg-5+deb8u2_all.deb
bb40871761339b329c89a9ce88a80a13 8684 java optional
solr-jetty_3.6.2+dfsg-5+deb8u2_all.deb
-----BEGIN PGP SIGNATURE-----
iQKjBAEBCgCNFiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAlrrfJ5fFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQPHGFwb0BkZWJp
YW4ub3JnAAoJENmtFLlRO1HkzqoQAJSnN2w5VrDvIiSWHHPT4vj3ivz9x3W0Ni/k
BxIcjpX388pjg9LD+Rze07ekg0VDFfrlCm94/le0ZVzGDAcpzAc5NHPiLzmLTbo4
0aN1jqFacfgQLmXU87yjXd0tCyLRWuKsR/r59BAva20m5PGijizh87qSP8x/SzMo
d7vQH+7ccp+fS5l4S/yzHs2jI0IHW2if2+wBts4/uYJx3f3QMxDWApqDh0BiQOc2
MPiclUP4JCsNR2lxz1OFdK9WuLHasNBG08AsUC+XsE1yfP+aQMOnuytU9Uuc6Uz9
xb+hV1k9JCVjEME9+MqTayKBgGoZarvSQMJ5KKLQluF1uoPNo9ymNaqEDoHw5enF
eRphyCXhfXzDCdjSWwDdhxgOJa9Zm4u6eVEUBIPM3jpPp7FiNlBtqtbbPMji8jj8
++0YDrBkrx5aInjOkQwseSy+dL3kqu/lRCtBKLQCoHLEybFlOyPM1WqCMzefjeOa
cZCXysq5o8iLIuzn5yGypKFaPScK/ifInlZt7p58w3RBss5IKCUISJACs4PPlsPJ
dehOJIazuhtt/+ap8CDfU0AVDjoBSVxm4dIRlq8iXS3W7H/Weq95RhYZKXXAPIYM
C/2rCB8sNLrQChtPwP6GpoGfY9z9mk0nG7Ztp35cbh8Z71rXD+QRiPOnDlKTkg6x
oh23CAjZ
=gbXf
-----END PGP SIGNATURE-----
--- End Message ---
__
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use
[email protected] for discussions and questions.
