Bug#731113: marked as done (lucene-solr: CVE-2013-6397 CVE-2013-6407 CVE-2013-6408)

[Debian Bug Tracking System]

Your message dated Sun, 15 Dec 2013 09:19:21 +0000
with message-id <e1vs7r7-0001p7...@franck.debian.org>
and subject line Bug#731113: fixed in lucene-solr 3.6.2+dfsg-2
has caused the Debian Bug report #731113,
regarding lucene-solr: CVE-2013-6397 CVE-2013-6407 CVE-2013-6408
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
731113: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=731113
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: lucene-solr
Severity: grave
Tags: security
Justification: user security hole

CVE-2013-6397:
https://issues.apache.org/jira/browse/SOLR-4882

CVE-2013-6407:
https://issues.apache.org/jira/browse/SOLR-3895

CVE-2013-6408:
https://issues.apache.org/jira/browse/SOLR-4881

Cheers,
        Moritz

--- End Message ---

--- Begin Message ---

Source: lucene-solr
Source-Version: 3.6.2+dfsg-2

We believe that the bug you reported is fixed in the latest version of
lucene-solr, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 731...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James Page <james.p...@ubuntu.com> (supplier of updated lucene-solr package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 14 Dec 2013 22:07:54 +0000
Source: lucene-solr
Binary: liblucene3-java liblucene3-contrib-java liblucene3-java-doc 
libsolr-java solr-common solr-tomcat solr-jetty
Architecture: source all
Version: 3.6.2+dfsg-2
Distribution: unstable
Urgency: low
Maintainer: Debian Java Maintainers 
<pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: James Page <james.p...@ubuntu.com>
Description: 
 liblucene3-contrib-java - Full-text search engine library for Java - 
additional libraries
 liblucene3-java - Full-text search engine library for Java - core library
 liblucene3-java-doc - Documentation for Lucene
 libsolr-java - Enterprise search server based on Lucene - Java libraries
 solr-common - Enterprise search server based on Lucene3 - common files
 solr-jetty - Enterprise search server based on Lucene3 - Jetty integration
 solr-tomcat - Enterprise search server based on Lucene3 - Tomcat integration
Closes: 731113
Changes: 
 lucene-solr (3.6.2+dfsg-2) unstable; urgency=low
 .
   * Fixes for new security vulnerabilities (Closes: #731113):
     - debian/patches/CVE-2013-6397.patch:
       Fix DocumentAnalysisRequestHandler to correctly use
       EmptyEntityResolver to prevent loading of external entities like
       UpdateRequestHandler does.
       CVE-2013-6397
     - debian/patches/CVE-2013-6407_CVE-2013-6408.patch:
       XML and XSLT UpdateRequestHandler should not try to
       resolve external entities. This improves speed of loading e.g.
       XSL-transformed XHTML documents.
       CVE-2013-6407
       Fix XML parsing in XPathEntityProcessor to correctly
       expand named entities, but ignore external entities.
       CVE-2013-6408
Checksums-Sha1: 
 3bb97aa2ab9029ed82caded871708caf966494d4 3136 lucene-solr_3.6.2+dfsg-2.dsc
 9af68d38d1da28e47551390e8a2bf0f4d23fb765 53822 
lucene-solr_3.6.2+dfsg-2.debian.tar.gz
 4de2ca66d7df2dbfaff08f7290332c42540371e8 1502040 
liblucene3-java_3.6.2+dfsg-2_all.deb
 b79d64a050ee003bd02b3964c3e94e788f96f84f 10895818 
liblucene3-contrib-java_3.6.2+dfsg-2_all.deb
 2c8ae68faa8302b3f61c7b9b5b1ff011af0ea545 4777008 
liblucene3-java-doc_3.6.2+dfsg-2_all.deb
 384080dbd2370518958e26232dc12519ee4511d5 1964328 
libsolr-java_3.6.2+dfsg-2_all.deb
 9aec0726d29d8b68af6b8cca2632cc028e7f757f 143552 
solr-common_3.6.2+dfsg-2_all.deb
 b3a7ce1968cbbbc5d240fae497b95bc2de3b4ce1 8090 solr-tomcat_3.6.2+dfsg-2_all.deb
 d7263beceead47070d6b7c8a4ac62bc03ea49c37 7690 solr-jetty_3.6.2+dfsg-2_all.deb
Checksums-Sha256: 
 993bc404a1670b9785c98456f9fa11067646a9f1b7514c60ad957054884b7d17 3136 
lucene-solr_3.6.2+dfsg-2.dsc
 18e876daca284a21608bd35cd05de4578459ba6c5da37529ec3e812ad608cc0e 53822 
lucene-solr_3.6.2+dfsg-2.debian.tar.gz
 f17ff81bbed55fbba2ba6bb07c964233528d7c577a5c3a25861526c7023cf7ab 1502040 
liblucene3-java_3.6.2+dfsg-2_all.deb
 cb9562ec8034d1537eac81d8e78db928e73d9e5c2d64f3774bd23b326a5b89e7 10895818 
liblucene3-contrib-java_3.6.2+dfsg-2_all.deb
 8169fc4b5450963dc84c9bf4264bb38866f4eae0967e757fdc198b1464478fef 4777008 
liblucene3-java-doc_3.6.2+dfsg-2_all.deb
 fc792a1edd451752a4474df48219a46af9305184d394a1f0707614c36d09550a 1964328 
libsolr-java_3.6.2+dfsg-2_all.deb
 efd01741e7c69f2f2db8eed398d3c8729607d66d4b69b977f28b8a0f3d3c4733 143552 
solr-common_3.6.2+dfsg-2_all.deb
 aa52a316ff4089834051d50103d89eec842a4bfc7f2f6aa4358c5cc2c30d8fcf 8090 
solr-tomcat_3.6.2+dfsg-2_all.deb
 4cdfa3cb4fc333c0dfd7ef494937aec9b73d2af1aaec85a8c13ad771a22036cb 7690 
solr-jetty_3.6.2+dfsg-2_all.deb
Files: 
 ccd3e0c50405d05d32b6797a2ea0bf2d 3136 java optional 
lucene-solr_3.6.2+dfsg-2.dsc
 ede0c32704012aef3a7b5d4867e4589f 53822 java optional 
lucene-solr_3.6.2+dfsg-2.debian.tar.gz
 67f00843d3411ccac75a644a86f56d71 1502040 java optional 
liblucene3-java_3.6.2+dfsg-2_all.deb
 909e980896c1be36dcef01b3da43d29b 10895818 java optional 
liblucene3-contrib-java_3.6.2+dfsg-2_all.deb
 96e73a79c67653e211ad0937b13b4a46 4777008 doc optional 
liblucene3-java-doc_3.6.2+dfsg-2_all.deb
 ed03727afb5f451331433f8d7c3ba57f 1964328 java optional 
libsolr-java_3.6.2+dfsg-2_all.deb
 795f96a3b210e8b6aea2a1d870f33122 143552 java optional 
solr-common_3.6.2+dfsg-2_all.deb
 8f278760e615aa55219ace165979142d 8090 java optional 
solr-tomcat_3.6.2+dfsg-2_all.deb
 fd8efb225e74ac047e21ee7510cd5327 7690 java optional 
solr-jetty_3.6.2+dfsg-2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)

iQIcBAEBCAAGBQJSrW7XAAoJEL/srsug59jD27AP/3fANcRYN6lzQ9lllqIxIoFr
tM9UFbqvRmyfWShJn4tLUxFmfHdpY6uFXbKdFLwcBaYCEPp1i6ZDoj95ofpzKfHZ
bf5W/oqcwlPdMxK5sXjKp7pZccb5mwbJ6MoeDWzfJ1OoZXYqEqJ+5ixI8kNnELlS
3VPTlZrpWzY//aDuZjNfnKVK+3+PrQRRBWMb4Q5UiNvFYWmdw05NX20wV2Qq+30q
UL16BDoX6FYzRdHF3hog28r/c/jenRulqn+tew0KqStPLDhbpzdayN2HCYFH+k+M
+gVnP1rst6it8Tg4sPLrIhZPkIEAO/cj0mTGEBeu3lTzHmqdFQLZuINvOOham+rt
cbyKUp1OU/phpI/yEuCMqVVVCQM/geAIp28RnJBPBOV+9M40RiacBW19cL+VzWeY
cIUSSdpzENsGsAENO7lUnjCTLcJsOLIshCpRcb4kjyCQW8IRrJWawTSsoMGAxDnF
hy7bxx8sGEm/8kJvmw8YEzXTvdDYU2IN1vBseVuZK0aH/WCglh7t4L1Uv9txihHD
Bf+2MsQFAGOPl5EJB0uc0zoK+l78Z9NK4/UCCzwyWN+5ekQurOrHxkuWY7WEjrC9
iuGYnI/gzojbOrbXSrxVSP2fnArqMAQm4vyK40IHV9ME2nMRwkcxwMCehN56azTt
1ddPAHepGXZBbhojK2LJ
=O1WS
-----END PGP SIGNATURE-----

--- End Message ---

__
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. 
Please use
debian-j...@lists.debian.org for discussions and questions.