Your message dated Mon, 07 May 2018 12:03:18 +0000
with message-id <e1ffero-0005yl...@fasolo.debian.org>
and subject line Bug#896604: fixed in lucene-solr 3.6.2+dfsg-5+deb8u2
has caused the Debian Bug report #896604,
regarding lucene-solr: CVE-2018-1308 XXE in DataImportHandler
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
896604: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=896604
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: lucene-solr
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for lucene-solr.

CVE-2018-1308[0]:
| This vulnerability in Apache Solr 1.2 to 6.6.2 and 7.0.0 to 7.2.1
| relates to an XML external entity expansion (XXE) in the
| `&dataConfig=<inlinexml>` parameter of Solr's DataImportHandler. It
| can be used as XXE using file/ftp/http protocols in order to read
| arbitrary local files from the Solr server or the internal network.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-1308
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1308

Please adjust the affected versions in the BTS as needed.

Regards,

Markus

Attachment: signature.asc
Description: OpenPGP digital signature


--- End Message ---
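
The vulnerability class the report describes, as an added example that is not part of the bug report, of Debian's fix or of Solr's own (Java) code: an attacker-controlled inline XML config is parsed with Python's standard-library SAX/expat reader, first with external general entities resolved (the dangerous setting, which fetches `file://`, `http://` and `ftp://` targets and splices them into the document), then with resolution disabled, and finally with any DOCTYPE rejected outright. The `dataConfig`/`entity` element names, the `xxe` entity, the `probe` name and the temporary "secret" file are all constructed for the demonstration; the feature and property names are those of `xml.sax.handler`.

```python
"""XXE, vulnerable vs. hardened: parse an attacker-controlled inline XML config
with Python's stdlib SAX (expat) reader. Added example, not Solr's code."""
import io
import os
import pathlib
import tempfile
import xml.sax
from xml.sax.handler import (ContentHandler, feature_external_ges,
                             property_lexical_handler)


class TextCollector(ContentHandler):
    """Accumulates every run of character data the parser reports,
    including bytes spliced in from an expanded external entity."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self):
        return "".join(self.parts).strip()


class RejectDoctype:
    """Lexical handler that refuses any document carrying a DOCTYPE:
    with no DTD there is nowhere to declare an entity in the first place."""

    def startDTD(self, name, public_id, system_id):
        raise ValueError("DOCTYPE is not allowed in an inline config")

    def endDTD(self):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass

    def comment(self, content):
        pass


def parse_inline_config(xml_bytes, resolve_external=False, allow_doctype=True):
    """Parse an inline XML config and return its text content.

    resolve_external=True reproduces the dangerous configuration: the parser
    fetches SYSTEM entities (file://, http://, ftp://, ...) and splices what
    it fetched into the document, so whoever controls the config can read
    local files or probe the internal network through the server.
    resolve_external=False is the minimum fix; allow_doctype=False is the
    stricter one and raises ValueError on any DOCTYPE.
    """
    collector = TextCollector()
    parser = xml.sax.make_parser()
    parser.setContentHandler(collector)
    parser.setFeature(feature_external_ges, resolve_external)
    if not allow_doctype:
        parser.setProperty(property_lexical_handler, RejectDoctype())
    parser.parse(io.BytesIO(xml_bytes))
    return collector.text()


def build_payload(target_url):
    """Constructed attacker input shaped like a data-config document, with an
    external general entity pointing at target_url (hypothetical names)."""
    doc = (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE dataConfig [<!ENTITY xxe SYSTEM "{url}">]>\n'
        '<dataConfig><document><entity name="probe">&xxe;</entity>'
        '</document></dataConfig>\n'
    ).format(url=target_url)
    return doc.encode("utf-8")


def demo():
    """Write a throwaway 'secret' file, then parse the same payload three ways.
    Returns (text_with_xxe_enabled, text_with_xxe_disabled, doctype_rejected)."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("db_password=hunter2\n")  # constructed sample secret
        secret_path = f.name
    try:
        payload = build_payload(pathlib.Path(secret_path).as_uri())
        leaked = parse_inline_config(payload, resolve_external=True)
        hardened = parse_inline_config(payload, resolve_external=False)
        try:
            parse_inline_config(payload, allow_doctype=False)
            rejected = False
        except ValueError:
            rejected = True
    finally:
        os.unlink(secret_path)
    return leaked, hardened, rejected


if __name__ == "__main__":
    print(demo())
```

With resolution enabled the parser hands back the secret file's content as if it were document text; with it disabled the entity reference is simply skipped; with the DOCTYPE ban the document is refused before any entity can be declared. The same three settings exist, under different names, in every XML stack, which is why a fix for this class of bug is a parser-configuration change rather than input filtering on the `dataConfig` parameter.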
--- Begin Message ---
Source: lucene-solr
Source-Version: 3.6.2+dfsg-5+deb8u2

We believe that the bug you reported is fixed in the latest version of
lucene-solr, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 896...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <a...@debian.org> (supplier of updated lucene-solr package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 02 May 2018 23:43:25 +0200
Source: lucene-solr
Binary: liblucene3-java liblucene3-contrib-java liblucene3-java-doc libsolr-java solr-common solr-tomcat solr-jetty
Architecture: source all
Version: 3.6.2+dfsg-5+deb8u2
Distribution: jessie-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Markus Koschany <a...@debian.org>
Description:
 liblucene3-contrib-java - Full-text search engine library for Java - additional libraries
 liblucene3-java - Full-text search engine library for Java - core library
 liblucene3-java-doc - Documentation for Lucene
 libsolr-java - Enterprise search server based on Lucene - Java libraries
 solr-common - Enterprise search server based on Lucene3 - common files
 solr-jetty - Enterprise search server based on Lucene3 - Jetty integration
 solr-tomcat - Enterprise search server based on Lucene3 - Tomcat integration
Closes: 896604
Changes:
 lucene-solr (3.6.2+dfsg-5+deb8u2) jessie-security; urgency=high
 .
   * Team upload.
   * Fix CVE-2018-1308: XML external entity expansion in Solr's
     DataImportHandler. It can be used as XXE using file/ftp/http protocols in
     order to read arbitrary local files from the Solr server or the internal
     network. (Closes: #896604)
Checksums-Sha1:
 3e72326c36659a80a8b347cd6a6df8519c1a880f 3374 lucene-solr_3.6.2+dfsg-5+deb8u2.dsc
 e32facb17569c7b2f53da837d4a9666aff337a5d 50916 lucene-solr_3.6.2+dfsg-5+deb8u2.debian.tar.xz
 2a2a22428cf0809a237a9bc5638785c913366cff 1500622 liblucene3-java_3.6.2+dfsg-5+deb8u2_all.deb
 cb7196a3a3a1e5f01570bdd68f12d76fa6f6358f 10896058 liblucene3-contrib-java_3.6.2+dfsg-5+deb8u2_all.deb
 f36e229cbda5c9f667dd8558c2c09190133a7e8a 4836948 liblucene3-java-doc_3.6.2+dfsg-5+deb8u2_all.deb
 8f6b26391bfb35aa033d037f36563484a80d2254 1961392 libsolr-java_3.6.2+dfsg-5+deb8u2_all.deb
 eff4b3045dcab13f46ca0267d7d199e90917db9b 144528 solr-common_3.6.2+dfsg-5+deb8u2_all.deb
 d080e1d0079704fc01ee81b319961c227104e496 8972 solr-tomcat_3.6.2+dfsg-5+deb8u2_all.deb
 39d45e91dc344bc57d9fb7c08af962b3a0a77030 8684 solr-jetty_3.6.2+dfsg-5+deb8u2_all.deb
Checksums-Sha256:
 614fc97761f450b57b99585f83532d9c62ed2639a5d6e69643a164695758fc1b 3374 lucene-solr_3.6.2+dfsg-5+deb8u2.dsc
 0b9ca1b751a02e149d4d4e4cfa3a1e2fca67be961783f3b11cfccfae16aded5e 50916 lucene-solr_3.6.2+dfsg-5+deb8u2.debian.tar.xz
 2a393273513065f9dc62455a0b58ba71a4c8db2fc076abf9c086b1a8d0000726 1500622 liblucene3-java_3.6.2+dfsg-5+deb8u2_all.deb
 b99f5e479ec9a15a9492040f19beb3be255dda328c15a5581703355dd365ebc0 10896058 liblucene3-contrib-java_3.6.2+dfsg-5+deb8u2_all.deb
 026b69ad81270250b5f92f010fe5c740d163e1615f39e72992299335403cee69 4836948 liblucene3-java-doc_3.6.2+dfsg-5+deb8u2_all.deb
 c139d1f0d47d7111ac242888755ee30c853e692fa4904aac4f8c408cbb882556 1961392 libsolr-java_3.6.2+dfsg-5+deb8u2_all.deb
 c80a6b045ed0bc2e264de8ef2ab02bd91144fa469ebd1ad55d7cd63fd25cbbc6 144528 solr-common_3.6.2+dfsg-5+deb8u2_all.deb
 16e42f75599e7a293aa7c7deb49de8df6474a8ac75377dfc24d9746c6cf8a9b0 8972 solr-tomcat_3.6.2+dfsg-5+deb8u2_all.deb
 83dd010cf3948a92829adfb40b0fd66c7013304bc7cc9417b9d0326893e242cc 8684 solr-jetty_3.6.2+dfsg-5+deb8u2_all.deb
Files:
 8a17b4596834420b8e5ca0ae03d30c1c 3374 java optional lucene-solr_3.6.2+dfsg-5+deb8u2.dsc
 f7307d3b9099f0c6841730fb5aeef4a2 50916 java optional lucene-solr_3.6.2+dfsg-5+deb8u2.debian.tar.xz
 515a77f3c8981ca61cff697374305895 1500622 java optional liblucene3-java_3.6.2+dfsg-5+deb8u2_all.deb
 d659cf591344aa6d5dcb33e64f8fced4 10896058 java optional liblucene3-contrib-java_3.6.2+dfsg-5+deb8u2_all.deb
 c790784ae75116ccc379f7f32641dded 4836948 doc optional liblucene3-java-doc_3.6.2+dfsg-5+deb8u2_all.deb
 bd953e062da1f4c94273064fa0d2229e 1961392 java optional libsolr-java_3.6.2+dfsg-5+deb8u2_all.deb
 4102600fb402b978d08a561e2da33137 144528 java optional solr-common_3.6.2+dfsg-5+deb8u2_all.deb
 599be5d3580e6cbbe82c0dc3bb7d763e 8972 java optional solr-tomcat_3.6.2+dfsg-5+deb8u2_all.deb
 bb40871761339b329c89a9ce88a80a13 8684 java optional solr-jetty_3.6.2+dfsg-5+deb8u2_all.deb

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
