Your message dated Sat, 5 Feb 2011 14:31:26 -0500
with message-id <[email protected]>
and subject line Re: Bug#540862: reassign
has caused the Debian Bug report #540862,
regarding apache2: xml-based firewall bypass / port scanning vulnerability
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
540862: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=540862
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
package: apache2
version: 2.2.3-4+etch6
severity: important
tags: security
it has been disclosed that apache (and potentially other web servers)
can be used to port scan behind a firewall. I don't think this issue
is too severe, but a firewall bypass nevertheless is probably not a
good thing. See [0].
[0] http://www.sift.com.au/assets/downloads/SIFT-XML-Port-Scanning-v1-00.pdf
--- End Message ---
--- Begin Message ---
On Fri, 4 Feb 2011 21:57:32 +0000 brian m. carlson wrote:
> On Tue, Aug 11, 2009 at 12:04:00PM -0400, Michael S. Gilbert wrote:
> > reassign 540862 libxerces2-java
> > thanks
> >
> > this appears to be a flaw in the xerces xml parser. see previous
> > discussion and pdf.
>
> I don't see what you expect Xerces to do here. Since Xerces is not
> usable in a standalone format with Tomcat (you have to create a servlet
> that specifically calls Xerces), there's really nothing that Xerces can
> do. The ability to read entities from the local network may in fact be
> very useful if the data being parsed are under the server's (i.e., not
> an attacker's) control.
>
> This is a specific case of sanitizing your input data. A servlet
> parsing untrusted XML probably should use more defensive settings, but
> that is hardly a bug in Xerces. AFAICT, all Java XML parsers read DTDs
> (both internal and external) by default; this has both good and bad
> aspects, but it is not a security bug. To call it one would be blaming
> a shared library for resolving external references when the
> network-facing daemon has failed to instruct it otherwise.
>
> NB: I am not the maintainer, but I do use both Xerces and Tomcat.
I agree; I don't think this issue is worth worrying about, and the
original paper is now gone. Oh well.
Best wishes,
Mike
--- End Message ---
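The "more defensive settings" the reply refers to, as an added example that is not part of the bug thread, of Xerces or of any Debian package: a DocumentBuilderFactory configured so that a servlet parsing untrusted XML never resolves an external DTD or entity, which is what turns an XML parser into a network client on the server's behalf. The feature URIs are the standard SAX and Xerces ones; the sample document and the hostname in it are constructed for the example.

```java
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import java.io.StringReader;

public class HardenedXmlParser {

    // Constructed sample: a document whose DTD declares an external entity.
    // A parser left at its defaults would try to fetch it from the named host.
    static final String UNTRUSTED_XML =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE doc [ <!ENTITY ext SYSTEM \"http://example.invalid/\"> ]>\n"
      + "<doc>&ext;</doc>";

    /** Factory for untrusted input: no DOCTYPE, no external entities, no XInclude. */
    static DocumentBuilderFactory untrustedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Rejecting any DOCTYPE closes off external general and parameter
        // entities and entity expansion in one step.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces for deployments that must permit a DOCTYPE elsewhere:
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Returns true when the document is rejected before any entity could be fetched. */
    static boolean rejectsExternalEntity(String xml) throws Exception {
        DocumentBuilder b = untrustedFactory().newDocumentBuilder();
        try {
            b.parse(new InputSource(new StringReader(xml)));
            return false; // parsed: only reachable for input without a DOCTYPE
        } catch (SAXParseException e) {
            return true;  // DOCTYPE is disallowed; parsing stops in the prolog
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("rejected: " + rejectsExternalEntity(UNTRUSTED_XML));
    }
}
```

Because the DOCTYPE is refused while the prolog is still being read, the hostname in the entity declaration is never resolved, so no connection is attempted regardless of what it names.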
--
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/mailman/listinfo/pkg-java-maintainers>. Please use
[email protected] for discussions and questions.