Package: jackrabbit
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for jackrabbit.

CVE-2025-53689[0]:
| Blind XXE Vulnerabilities in jackrabbit-spi-commons and jackrabbit-core
| in Apache Jackrabbit < 2.23.2 due to usage of an unsecured document
| build to load privileges. Users are recommended to upgrade to versions
| 2.20.17 (Java 8), 2.22.1 (Java 11) or 2.23.2 (Java 11, beta versions),
| which fix this issue. Earlier versions (up to 2.20.16) are not
| supported anymore, thus users should update to the respective
| supported version.

It's not clear to me if the subset of functionality shipped in the Debian
package is affected by this, needs further investigation:
https://lists.apache.org/thread/5pf9n76ny13pzzk765og2h3gxdxw7p24

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-53689
    https://www.cve.org/CVERecord?id=CVE-2025-53689

Please adjust the affected versions in the BTS as needed.
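The root cause named in the advisory is a DocumentBuilder created with default settings, which in the JDK and Xerces resolves DOCTYPE declarations and external entities. The following is an added illustration of that weak configuration beside a hardened one; it is not Jackrabbit's code, and the "privileges" XML it parses is a constructed sample whose element names are an assumption, not Jackrabbit's real file format.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class XmlBuilderHardening {

    // Weak: factory defaults accept DOCTYPE and will fetch external entities/DTDs.
    static DocumentBuilder unsecuredBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    // Hardened: refuse DOCTYPE outright, and as defence in depth also disable
    // external entity and DTD loading (Xerces feature URIs, supported by the JDK parser).
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample privileges documents (element names are assumptions).
        String plain = "<privileges><privilege name=\"jcr:read\"/></privileges>";
        String withDoctype = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE privileges [<!ENTITY n \"jcr:read\">]>"   // internal entity only
            + "<privileges><privilege name=\"&n;\"/></privileges>";

        Document d = hardenedBuilder().parse(new InputSource(new StringReader(plain)));
        System.out.println("plain document accepted: " + d.getDocumentElement().getTagName());

        // The weak builder expands the entity; the hardened one rejects any DOCTYPE.
        Document w = unsecuredBuilder().parse(new InputSource(new StringReader(withDoctype)));
        System.out.println("unsecured builder expanded entity to: "
            + w.getElementsByTagName("privilege").item(0).getAttributes().getNamedItem("name").getNodeValue());
        try {
            hardenedBuilder().parse(new InputSource(new StringReader(withDoctype)));
            System.out.println("UNEXPECTED: hardened builder accepted a DOCTYPE");
        } catch (SAXException e) {
            System.out.println("hardened builder rejected DOCTYPE: " + e.getMessage());
        }
    }
}
```

When auditing a package such as the Debian jackrabbit build for this issue, the check is whether every `DocumentBuilderFactory.newInstance()` that reads repository-controlled XML goes through a configuration like `hardenedBuilder()` before `newDocumentBuilder()` is called.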