16003 – jackrabbit new security issue CVE-2015-1833

Bug 16003 - jackrabbit new security issue CVE-2015-1833

Summary: jackrabbit new security issue CVE-2015-1833

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	4
Hardware:	i586 Linux

Priority:	Normal Severity: normal
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:	http://lwn.net/Vulnerabilities/647619/
Whiteboard:	advisory MGA4-32-OK mga4-64-ok
Keywords:	validated_update

Depends on:
Blocks:

Reported:	2015-05-21 17:55 CEST by David Walser
Modified:	2015-06-09 18:53 CEST (History)
CC List:	4 users (show)

See Also:
Source RPM:	jackrabbit-2.4.2-6.mga4.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2015-05-21 17:55:14 CEST

A security issue fixed upstream in jackrabbit has been announced:
http://openwall.com/lists/oss-security/2015/05/21/6
http://openwall.com/lists/oss-security/2015/05/21/7

There are patches available in the second message linked above, and the fixes will be incorporated into a 2.4.6 release.

Mageia 4 and Mageia 5 are affected.

Reproducible: 

Steps to Reproduce:

David Walser 2015-05-21 17:55:31 CEST

CC: (none) => geiger.david68210, pterjan
Whiteboard: (none) => MGA5TOO, MGA4TOO

Comment 1 David GEIGER 2015-05-21 19:36:55 CEST

So, fixes for jackrabbit for Cauldron and mga4 too with the proposed upstream patch done in SVN.

Freeze_push for Cauldron requested.

Comment 2 David GEIGER 2015-05-21 19:58:59 CEST

Ok now jackrabbit is uploaded for mga4 and finally it will be soon dropped from Cauldron.

Comment 3 David Walser 2015-05-22 17:41:04 CEST

OK, jackrabbit no longer hops in Cauldron.

Patched package uploaded for Mageia 4.  Thanks David!

Advisory:
========================

Updated jackrabbit packages fix security vulnerability:

In Apache Jackrabbit before 2.4.6, When processing a WebDAV request body
containing XML, the XML parser can be instructed to read content from network
resources accessible to the host, identified by URI schemes such as "http(s)"
or  "file". Depending on the WebDAV request, this can not only be used to
trigger internal network requests, but might also be used to insert said
content into the request, potentially exposing it to the attacker and others
(for instance, by inserting said content in a WebDAV property value using a
PROPPATCH request). See also IETF RFC 4918, Section 20.6 (CVE-2015-1833).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1833
http://openwall.com/lists/oss-security/2015/05/21/6
http://openwall.com/lists/oss-security/2015/05/21/7
========================

Updated packages in core/updates_testing:
========================
jackrabbit-webdav-2.4.2-6.1.mga4
jackrabbit-webdav-javadoc-2.4.2-6.1.mga4

from jackrabbit-2.4.2-6.1.mga4.src.rpm

Version: Cauldron => 4
Assignee: dmorganec => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => (none)

Comment 4 Herman Viaene 2015-06-05 14:49:53 CEST

MGA4-32 on AcerD620 Xfce
No installation issues

CC: (none) => herman.viaene
Whiteboard: (none) => MGA4-32-OK

Comment 5 claire robinson 2015-06-05 15:51:31 CEST

Tested mga4 64

Whiteboard: MGA4-32-OK => MGA4-32-OK mga4-64-ok

Comment 6 claire robinson 2015-06-05 19:46:17 CEST

Validating. Advisory uploaded.

Please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA4-32-OK mga4-64-ok => advisory MGA4-32-OK mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 7 Mageia Robot 2015-06-08 23:18:44 CEST

An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0242.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2015-06-09 18:53:55 CEST

URL: (none) => http://lwn.net/Vulnerabilities/647619/

Note You need to log in before you can comment on or make changes to this bug.