Bug 16003 - jackrabbit new security issue CVE-2015-1833
Summary: jackrabbit new security issue CVE-2015-1833
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/647619/
Whiteboard: advisory MGA4-32-OK mga4-64-ok
Keywords: validated_update
Depends on:
Reported: 2015-05-21 17:55 CEST by David Walser
Modified: 2015-06-09 18:53 CEST (History)
4 users (show)

See Also:
Source RPM: jackrabbit-2.4.2-6.mga4.src.rpm
Status comment:


Description David Walser 2015-05-21 17:55:14 CEST
A security issue fixed upstream in jackrabbit has been announced:

There are patches available in the second message linked above, and the fixes will be incorporated into a 2.4.6 release.

Mageia 4 and Mageia 5 are affected.


Steps to Reproduce:
David Walser 2015-05-21 17:55:31 CEST

CC: (none) => geiger.david68210, pterjan
Whiteboard: (none) => MGA5TOO, MGA4TOO

Comment 1 David GEIGER 2015-05-21 19:36:55 CEST
So, fixes for jackrabbit for Cauldron and mga4 too with the proposed upstream patch done in SVN.

Freeze_push for Cauldron requested.
Comment 2 David GEIGER 2015-05-21 19:58:59 CEST
Ok now jackrabbit is uploaded for mga4 and finally it will be soon dropped from Cauldron.
Comment 3 David Walser 2015-05-22 17:41:04 CEST
OK, jackrabbit no longer hops in Cauldron.

Patched package uploaded for Mageia 4.  Thanks David!


Updated jackrabbit packages fix security vulnerability:

In Apache Jackrabbit before 2.4.6, When processing a WebDAV request body
containing XML, the XML parser can be instructed to read content from network
resources accessible to the host, identified by URI schemes such as "http(s)"
or  "file". Depending on the WebDAV request, this can not only be used to
trigger internal network requests, but might also be used to insert said
content into the request, potentially exposing it to the attacker and others
(for instance, by inserting said content in a WebDAV property value using a
PROPPATCH request). See also IETF RFC 4918, Section 20.6 (CVE-2015-1833).


Updated packages in core/updates_testing:

from jackrabbit-2.4.2-6.1.mga4.src.rpm

Version: Cauldron => 4
Assignee: dmorganec => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => (none)

Comment 4 Herman Viaene 2015-06-05 14:49:53 CEST
MGA4-32 on AcerD620 Xfce
No installation issues

CC: (none) => herman.viaene
Whiteboard: (none) => MGA4-32-OK

Comment 5 claire robinson 2015-06-05 15:51:31 CEST
Tested mga4 64

Whiteboard: MGA4-32-OK => MGA4-32-OK mga4-64-ok

Comment 6 claire robinson 2015-06-05 19:46:17 CEST
Validating. Advisory uploaded.

Please push to 4 updates


Keywords: (none) => validated_update
Whiteboard: MGA4-32-OK mga4-64-ok => advisory MGA4-32-OK mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 7 Mageia Robot 2015-06-08 23:18:44 CEST
An update for this issue has been pushed to Mageia Updates repository.


Resolution: (none) => FIXED

David Walser 2015-06-09 18:53:55 CEST

URL: (none) => http://lwn.net/Vulnerabilities/647619/

Note You need to log in before you can comment on or make changes to this bug.