On Tue, Jul 15, 2025 at 02:30:45PM +0200, Moritz Mühlenhoff wrote:
> Package: jackrabbit
> X-Debbugs-CC: [email protected]
> Severity: grave
> Tags: security
>
> Hi,
>
> The following vulnerability was published for jackrabbit.
>
> CVE-2025-53689[0]:
> | Blind XXE Vulnerabilities in jackrabbit-spi-commons and jackrabbit-
> | core in Apache Jackrabbit < 2.23.2 due to usage of an unsecured
> | document build to load privileges. Users are recommended to upgrade
> | to versions 2.20.17 (Java 8), 2.22.1 (Java 11) or 2.23.2 (Java 11,
> | beta versions), which fix this issue. Earlier versions (up to
> | 2.20.16) are not supported anymore, thus users should update to the
> | respective supported version.
>
> It's not clear to me if the subset of functionality shipped in the
> Debian package is affected by this, needs further investigation:
>...
It looks not affected to me:

https://github.com/apache/jackrabbit/commit/1d6cb3d0fcc8d51980b90ddcf94122d3e4add83e

$ jar tf /usr/share/java/jackrabbit-webdav.jar | grep DOMWalker
$ jar tf /usr/share/java/jackrabbit-webdav.jar | grep PrivilegeXmlHandler
$

Could a Java Maintainer confirm that I am not missing anything here?

Thanks
Adrian

-- 
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use [email protected] for discussions and questions.
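For readers who want to see what "usage of an unsecured document build" in the CVE text means in practice, here is an added example. It is not Jackrabbit's code and it is not the content of the fix commit linked above: it parses a constructed privilege-style document once with a JDK-default DocumentBuilderFactory and once with a factory hardened through the standard JAXP/Xerces features, so the difference is visible. The class name XxeCheck, the element names in the payload and the file path /etc/hostname are assumptions made for the demonstration; the CVE describes a blind variant, where the resolved content is never returned to the requester, whereas this example deliberately surfaces it in an attribute value so the parse can be checked by eye.

```java
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import java.io.StringReader;

public class XxeCheck {

    // Constructed input (not Jackrabbit's real privileges format): a DOCTYPE
    // declaring an external entity that points at a local file. The path is
    // an assumption; any readable file works for the demonstration.
    static final String PAYLOAD =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE privileges [\n" +
        "  <!ENTITY xxe SYSTEM \"file:///etc/hostname\">\n" +
        "]>\n" +
        "<privileges><privilege name=\"&xxe;\"/></privileges>";

    // The "unsecured document build" pattern: a factory left at JDK defaults,
    // which will fetch and expand external entities during parsing.
    static DocumentBuilderFactory unsecuredFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    // Hardened form using the standard JAXP/Xerces features. Disallowing the
    // DOCTYPE declaration alone defeats XXE and entity-expansion attacks; the
    // remaining settings are defence in depth for parsers that ignore it.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Parse PAYLOAD with the given factory and return the value of the
    // privilege's name attribute, which is where the entity content lands.
    static String parseAndReadName(DocumentBuilderFactory f) throws Exception {
        DocumentBuilder b = f.newDocumentBuilder();
        Document d = b.parse(new InputSource(new StringReader(PAYLOAD)));
        return d.getElementsByTagName("privilege").item(0)
                .getAttributes().getNamedItem("name").getNodeValue();
    }

    public static void main(String[] args) throws Exception {
        // Default factory: the external entity is resolved and the file
        // content is returned as the attribute value.
        System.out.println("unsecured: name=" + parseAndReadName(unsecuredFactory()));

        // Hardened factory: the parser rejects the document at the DOCTYPE
        // before any entity can be declared, let alone resolved.
        try {
            parseAndReadName(hardenedFactory());
            System.out.println("hardened: parsed (unexpected)");
        } catch (SAXException e) {
            System.out.println("hardened: rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac XxeCheck.java && java XxeCheck` on a stock JDK; no Jackrabbit jar is needed. Note that a class-name check such as the `jar tf | grep` above only tells you whether the patched classes ship in the Debian jar; it says nothing about other DocumentBuilderFactory call sites in the same jar, so when triaging a package against an XXE CVE it is worth also grepping the shipped source for `DocumentBuilderFactory.newInstance()` and confirming each one sets the features above.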
