Your message dated Mon, 07 May 2018 12:02:51 +0000
with message-id <e1ffeqx-0005ol...@fasolo.debian.org>
and subject line Bug#896604: fixed in lucene-solr 3.6.2+dfsg-10+deb9u2
has caused the Debian Bug report #896604,
regarding lucene-solr: CVE-2018-1308 XXE in DataImportHandler
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
896604: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=896604
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: lucene-solr
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for lucene-solr.

CVE-2018-1308[0]:
| This vulnerability in Apache Solr 1.2 to 6.6.2 and 7.0.0 to 7.2.1
| relates to an XML external entity expansion (XXE) in the
| `&dataConfig=<inlinexml>` parameter of Solr's DataImportHandler. It
| can be used as XXE using file/ftp/http protocols in order to read
| arbitrary local files from the Solr server or the internal network.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-1308
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1308

Please adjust the affected versions in the BTS as needed.

Regards,

Markus



--- End Message ---
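The parser-side control that closes this class of bug, as an added illustration that is not Solr's code or the Debian patch: a JAXP factory that refuses any DOCTYPE in a data-config document (a DIH config has no legitimate need for one) and never resolves external entities, so a `file:`/`ftp:`/`http:` SYSTEM entity is rejected before it is fetched. Class and method names and the two sample documents are constructed for this example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class SafeDataConfigParser {

    // Constructed sample: a data-config that declares an external entity.
    // The SYSTEM target is irrelevant here; the DOCTYPE itself is what gets rejected.
    static final String CONFIG_WITH_DOCTYPE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE dataConfig [ <!ENTITY ext SYSTEM \"file:///dev/null\"> ]>\n"
      + "<dataConfig><document><entity name=\"e\" query=\"&ext;\"/></document></dataConfig>";

    // Constructed sample: a plain data-config with no DTD, which must still parse.
    static final String PLAIN_CONFIG =
        "<dataConfig><document><entity name=\"e\" query=\"select 1\"/></document></dataConfig>";

    /** Builds a factory that refuses DTDs and never loads or expands external entities. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Parses an inline data-config; throws SAXException if it carries a DOCTYPE. */
    static Document parseDataConfig(String xml) throws Exception {
        DocumentBuilder b = hardenedFactory().newDocumentBuilder();
        // Belt and braces: refuse anything the parser might still try to resolve.
        b.setEntityResolver((publicId, systemId) -> {
            throw new SAXException("external entity blocked: " + systemId);
        });
        return b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        System.out.println(parseDataConfig(PLAIN_CONFIG).getDocumentElement().getTagName());
        try {
            parseDataConfig(CONFIG_WITH_DOCTYPE);
        } catch (SAXException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```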
--- Begin Message ---
Source: lucene-solr
Source-Version: 3.6.2+dfsg-10+deb9u2

We believe that the bug you reported is fixed in the latest version of
lucene-solr, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 896...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <a...@debian.org> (supplier of updated lucene-solr package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 03 May 2018 00:38:56 +0200
Source: lucene-solr
Binary: liblucene3-java liblucene3-contrib-java liblucene3-java-doc libsolr-java solr-common solr-tomcat solr-jetty
Architecture: source all
Version: 3.6.2+dfsg-10+deb9u2
Distribution: stretch-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Markus Koschany <a...@debian.org>
Description:
 liblucene3-contrib-java - Full-text search engine library for Java - additional libraries
 liblucene3-java - Full-text search engine library for Java - core library
 liblucene3-java-doc - Documentation for Lucene
 libsolr-java - Enterprise search server based on Lucene - Java libraries
 solr-common - Enterprise search server based on Lucene3 - common files
 solr-jetty - Enterprise search server based on Lucene3 - Jetty integration
 solr-tomcat - Enterprise search server based on Lucene3 - Tomcat integration
Closes: 886090 896604
Changes:
 lucene-solr (3.6.2+dfsg-10+deb9u2) stretch-security; urgency=high
 .
   * Team upload.
   * Fix CVE-2018-1308: XML external entity expansion in Solr's
     DataImportHandler. It can be used as XXE using file/ftp/http protocols in
     order to read arbitrary local files from the Solr server or the internal
     network. (Closes: #896604)
   * Symlink /etc/solr/solr-jetty.xml into /var/lib/jetty9/webapps/solr.xml
     to make solr-jetty work out-of-the-box. (Closes: #886090)
     Thanks to J.P. Larocque for the report.
Checksums-Sha1:
Checksums-Sha256:
Files:


--- End Message ---
