Your message dated Wed, 23 Jul 2025 10:07:30 +0000
with message-id <[email protected]>
and subject line Bug#1109335: fixed in jackrabbit 2.20.11-1.1
has caused the Debian Bug report #1109335,
regarding jackrabbit: CVE-2025-53689
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1109335: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109335
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: jackrabbit
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security
Hi,
The following vulnerability was published for jackrabbit.
CVE-2025-53689[0]:
| Blind XXE Vulnerabilities in jackrabbit-spi-commons and jackrabbit-
| core in Apache Jackrabbit < 2.23.2 due to usage of an unsecured
| document build to load privileges. Users are recommended to upgrade
| to versions 2.20.17 (Java 8), 2.22.1 (Java 11) or 2.23.2 (Java 11,
| beta versions), which fix this issue. Earlier versions (up to
| 2.20.16) are not supported anymore, thus users should update to the
| respective supported version.
It's not clear to me if the subset of functionality shipped in the
Debian package is affected by this, needs further investigation:
https://lists.apache.org/thread/5pf9n76ny13pzzk765og2h3gxdxw7p24
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-53689
https://www.cve.org/CVERecord?id=CVE-2025-53689
Please adjust the affected versions in the BTS as needed.
--- End Message ---
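The CVE text above attributes the flaw to loading privilege definitions through an unsecured DocumentBuilder. The following is an added example, not code from the bug report or from the Jackrabbit code base: it places a factory with JDK defaults next to a hardened one and parses two constructed privilege-like documents with each. The class and method names and the sample XML layout are assumptions for illustration only; the JAXP feature and attribute names are the standard ones supported by the JDK's built-in Xerces parser.

```java
// Added example (not from the Debian bug report or the Jackrabbit code base):
// a DocumentBuilderFactory hardened against XXE, next to the default
// (unsecured) configuration that the CVE text refers to.
import java.io.IOException;
import java.io.StringReader;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public final class PrivilegeXmlHardening {   // hypothetical class name

    /** The weak setup: JDK defaults, which accept a DOCTYPE and resolve external entities. */
    static DocumentBuilderFactory defaultFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    /** The hardened setup: refuse DTDs outright and, for defence in depth, disable entity resolution. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Rejecting any DOCTYPE is the single most effective setting: without a DTD
        // there is no way to declare an entity at all, external or internal.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces in case a parser implementation ignores the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    static Document parse(DocumentBuilderFactory f, String xml)
            throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilder b = f.newDocumentBuilder();
        return b.parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a privilege definition in a Jackrabbit-like shape (layout assumed).
        String plain = "<privileges><privilege name=\"jcr:read\"/></privileges>";
        // Constructed sample: the same document preceded by a DOCTYPE declaring a harmless
        // internal entity. Any DOCTYPE at all is what the hardened parser must refuse.
        String withDoctype = "<!DOCTYPE privileges [<!ENTITY n \"jcr:read\">]>"
                + "<privileges><privilege name=\"&n;\"/></privileges>";

        System.out.println("default, plain   : "
                + parse(defaultFactory(), plain).getDocumentElement().getTagName());
        System.out.println("default, doctype : "
                + parse(defaultFactory(), withDoctype).getDocumentElement().getTagName());
        System.out.println("hardened, plain  : "
                + parse(hardenedFactory(), plain).getDocumentElement().getTagName());
        try {
            parse(hardenedFactory(), withDoctype);
            System.out.println("hardened, doctype: accepted (unexpected)");
        } catch (SAXException e) {
            // Expected: the DOCTYPE is refused before any entity is processed.
            System.out.println("hardened, doctype: rejected -> " + e.getMessage());
        }
    }
}
```

Running the class shows the default factory accepting both documents while the hardened factory parses the plain one and throws a SAXParseException on the one carrying a DOCTYPE. When auditing a package like the Debian jackrabbit build for this class of issue, the check is the same: find every DocumentBuilderFactory, SAXParserFactory or XMLInputFactory that touches data which may be attacker-influenced and confirm that disallow-doctype-decl (or the equivalent for that API) is set before the parser is created.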
--- Begin Message ---
Source: jackrabbit
Source-Version: 2.20.11-1.1
Done: Bastian Germann <[email protected]>
We believe that the bug you reported is fixed in the latest version of
jackrabbit, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Bastian Germann <[email protected]> (supplier of updated jackrabbit package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 23 Jul 2025 10:05:30 +0200
Source: jackrabbit
Architecture: source
Version: 2.20.11-1.1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: Bastian Germann <[email protected]>
Closes: 1109335
Changes:
jackrabbit (2.20.11-1.1) unstable; urgency=medium
.
* Non-maintainer upload.
* Fix CVE-2025-53689 via upstream patch. (Closes: #1109335)
Checksums-Sha1:
44b563648fe2d2761adaa5b40435ca5666b76746 1961 jackrabbit_2.20.11-1.1.dsc
a593f903ed3a06011fc93f69be7ff564f772502e 7856 jackrabbit_2.20.11-1.1.debian.tar.xz
6669bd52dd8e9069081d0793730ea3d190aff68a 9525 jackrabbit_2.20.11-1.1_source.buildinfo
Checksums-Sha256:
7543507e51e3aaf48b2318562e4e82cb1e1ef3cbfeef71de46effc4f7f65b58a 1961 jackrabbit_2.20.11-1.1.dsc
8f0e029827666a7da8f3f38e230012473a98d84f8ad4820111e421bde5cb5815 7856 jackrabbit_2.20.11-1.1.debian.tar.xz
d7e315a8368a19c0d9ff18ee6069aeaa9ddb3350cdf20020b5f861ad233f54db 9525 jackrabbit_2.20.11-1.1_source.buildinfo
Files:
ab387dfddf5d07169cd7b8456ac3e1bc 1961 java optional jackrabbit_2.20.11-1.1.dsc
e0ec057f75716eac9964ec7c0c1e3e22 7856 java optional jackrabbit_2.20.11-1.1.debian.tar.xz
e7e76d14914fb01a6a4acbd9b154620d 9525 java optional jackrabbit_2.20.11-1.1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
=Jjl/
-----END PGP SIGNATURE-----
--- End Message ---
__
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use
[email protected] for discussions and questions.