Advisories » MGASA-2015-0242

Updated jackrabbit packages fix CVE-2015-1833

Publication date: 08 Jun 2015
Modification date: 08 Jun 2015
Type: security
Affected Mageia releases : 4
CVE: CVE-2015-1833

Description

Updated jackrabbit packages fix security vulnerability:

In Apache Jackrabbit before 2.4.6, When processing a WebDAV request body
containing XML, the XML parser can be instructed to read content from network
resources accessible to the host, identified by URI schemes such as "http(s)"
or  "file". Depending on the WebDAV request, this can not only be used to
trigger internal network requests, but might also be used to insert said
content into the request, potentially exposing it to the attacker and others
(for instance, by inserting said content in a WebDAV property value using a
PROPPATCH request). See also IETF RFC 4918, Section 20.6 (CVE-2015-1833).
                

References

• https://bugs.mageia.org/show_bug.cgi?id=16003
• http://openwall.com/lists/oss-security/2015/05/21/6
• http://openwall.com/lists/oss-security/2015/05/21/7
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1833

SRPMS

4/core

• jackrabbit-2.4.2-6.1.mga4