Bug 550122 - <dev-java/jackrabbit-webdav-2.10.1: XXE vulnerability (CVE-2015-1833)
Summary: <dev-java/jackrabbit-webdav-2.10.1: XXE vulnerability (CVE-2015-1833)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: ~3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-05-22 07:12 UTC by Agostino Sarubbo
Modified: 2015-06-15 00:04 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2015-05-22 07:12:16 UTC
From ${URL} :

The Apache Jackrabbit community is pleased to announce the release of
Apache Jackrabbit 2.10.1. This release fixes an important security issue in
the jackrabbit-webdav module reported by Mikhail Egorov.

The release is available for download at:

 http://jackrabbit.apache.org/downloads.html

See the full release notes below for details about this release.

Release Notes -- Apache Jackrabbit -- Version 2.10.1

Introduction
------------

This is Apache Jackrabbit(TM) 2.10.1, a fully compliant implementation of the
Content Repository for Java(TM) Technology API, version 2.0 (JCR 2.0) as
specified in the Java Specification Request 283 (JSR 283).

Apache Jackrabbit 2.10.1 is a patch release that contains fixes and
improvements over Jackrabbit 2.10. Jackrabbit 2.10.x releases are considered
stable and targeted for production use.

Security advisory (JCR-3883 / CVE-2015-1833)
--------------------------------------------

This release fixes an important security issue in the jackrabbit-webdav module
reported by Mikhail Egorov.

When processing a WebDAV request body containing XML, the XML parser can be
instructed to read content from network resources accessible to the host,
identified by URI schemes such as "http(s)" or "file". Depending on the
WebDAV request, this can not only be used to trigger internal network
requests, but might also be used to insert said content into the request,
potentially exposing it to the attacker and others (for instance, by inserting
said content in a WebDAV property value using a PROPPATCH request). See also
IETF RFC 4918, Section 20.6.

Users of the jackrabbit-webdav module are advised to immediately update the
module to this release or disable WebDAV access to the repository. Users
on earlier versions of Jackrabbit who are unable to upgrade to 2.10.1 should
apply the fix to the corresponding 2.x branch or disable WebDAV access until
official releases of those earlier versions are available. Patches for 2.x
branches are attached to the JIRA issue.

Changes since Jackrabbit 2.10.0
-------------------------------

Bug fixes

  [JCR-3853] JCR2SPI: Load ac provider resource
  [JCR-3871] POI Vulnerabilities
  [JCR-3872] Config DTD does not declare ProtectedItemImporter elements
  [JCR-3873] CachingDataStore not safe against crashes, corrupted uploads file will prevent system startup
  [JCR-3876] POM dependency to jackrabbit-data test-jar is not test-scoped
  [JCR-3878] Fix test case failure in jackrabbit-data
  [JCR-3883] Jackrabbit WebDAV bundle susceptible to XXE/XEE attack

Improvements

  [JCR-3864] CachingDatastore - cache file sizes to save remote call to remote datastore (S3DS)
  [JCR-3868] Adapt TestCaseBase.java to test for FileDatastore
  [JCR-3869] CachingDataStore for SAN or NFS mounted storage
  [JCR-3879] Remove contention in AsyncUploadCache to improve performance
  [JCR-3881] Change CachingFDS configuration properties

New Features

  [JCR-3836] Allow to get an Authorizable of a given type

Sub-tasks

  [JCR-3837] Add AuthorizableTypeException in user security API package

In addition to the above-mentioned changes, this release contains
all the changes included up to the Apache Jackrabbit 2.10.0 release.

For more detailed information about all the changes in this and other
Jackrabbit releases, please see the Jackrabbit issue tracker at

    https://issues.apache.org/jira/browse/JCR

Release Contents
----------------

This release consists of a single source archive packaged as a zip file.
The archive can be unpacked with the jar tool from your JDK installation.
See the README.txt file for instructions on how to build this release.

The source archive is accompanied by SHA1 and MD5 checksums and a PGP
signature that you can use to verify the authenticity of your download.
The public key used for the PGP signature can be found at
https://svn.apache.org/repos/asf/jackrabbit/dist/KEYS.

About Apache Jackrabbit
-----------------------

Apache Jackrabbit is a fully conforming implementation of the Content
Repository for Java Technology API (JCR). A content repository is a
hierarchical content store with support for structured and unstructured
content, full text search, versioning, transactions, observation, and
more.

For more information, visit http://jackrabbit.apache.org/



@maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
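As an added example (not part of this bug report and not Jackrabbit's own patch for JCR-3883), the following shows the JAXP hardening a WebDAV server needs for request bodies of the kind the advisory describes: the parser refuses any DOCTYPE, so an external entity in a PROPPATCH body can neither fetch a network resource nor pull file content into a property value. The class name, the `note` property and the entity's file path are made up for illustration.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class SafeWebdavXml {

    // Parser for WebDAV request bodies that cannot reach the network or the
    // file system through a DOCTYPE. (Assumed hardening, not the project's patch.)
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true); // WebDAV bodies live in the "DAV:" namespace
        // Rejecting the DOCTYPE outright closes both XXE and entity-expansion (XEE)
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a parser implementation ignores the feature above
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Parse a request body; a body carrying a DOCTYPE is refused with a SAXException
    static Document parseBody(String xml)
            throws ParserConfigurationException, SAXException, IOException {
        return hardenedBuilder().parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed PROPPATCH body of the shape the advisory describes: on an
        // unpatched parser the entity would copy local content into the property.
        String withEntity = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE d [<!ENTITY ext SYSTEM \"file:///path/to/local/file\">]>\n"
            + "<D:propertyupdate xmlns:D=\"DAV:\"><D:set><D:prop>"
            + "<note>&ext;</note></D:prop></D:set></D:propertyupdate>";
        String benign = "<?xml version=\"1.0\"?>\n"
            + "<D:propertyupdate xmlns:D=\"DAV:\"><D:set><D:prop>"
            + "<note>hello</note></D:prop></D:set></D:propertyupdate>";

        System.out.println("benign root: " + parseBody(benign).getDocumentElement().getTagName());
        try {
            parseBody(withEntity);
            System.out.println("UNEXPECTED: DOCTYPE body was accepted");
        } catch (SAXException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

The same factory settings apply to any other JAXP entry point (SAXParserFactory, XMLInputFactory) a WebDAV stack uses to read PROPFIND, PROPPATCH or LOCK bodies.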
Comment 1 Patrice Clement gentoo-dev 2015-05-22 16:04:45 UTC
+*jackrabbit-webdav-2.10.1 (22 May 2015)
+
+  22 May 2015; Patrice Clement <monsieurp@gentoo.org>
+  +files/jackrabbit-webdav-2.10.1-build.xml, +jackrabbit-webdav-2.10.1.ebuild,
+  -files/jackrabbit-webdav-2.6.2-build.xml, -jackrabbit-webdav-2.6.2.ebuild:
+  Version bump. Remove vulnerable version of jackrabbit-webdav. Fix security bug
+  550122.
+
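Review bot: the entry "Fix security bug 550122." names only the Gentoo bug; adding the CVE identifier that appears in this bug's title, e.g. "Fix security bug 550122 (CVE-2015-1833).", makes the bump findable by anyone searching the tree or the ChangeLog history for the CVE.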

Bumped to version 2.10.1 and tree cleaned version 2.6.2 while at it.

Can you guys mark the new version stable? Thanks.
Comment 2 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-06-05 08:08:25 UTC
(In reply to Patrice Clement from comment #1)
> +*jackrabbit-webdav-2.10.1 (22 May 2015)
> +
> +  22 May 2015; Patrice Clement <monsieurp@gentoo.org>
> +  +files/jackrabbit-webdav-2.10.1-build.xml,
> +jackrabbit-webdav-2.10.1.ebuild,
> +  -files/jackrabbit-webdav-2.6.2-build.xml, -jackrabbit-webdav-2.6.2.ebuild:
> +  Version bump. Remove vulnerable version of jackrabbit-webdav. Fix
> security bug
> +  550122.
> +
> 
> Bumped to version 2.10.1 and tree cleaned version 2.6.2 while at it.
> 
> Can you guys mark the new version stable? Thanks.

This is a non-stable version, no need for stabilization. Thanks for bump and cleanup, closing [noglsa]
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2015-06-15 00:04:50 UTC
CVE-2015-1833 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1833):
  XML external entity (XXE) vulnerability in Apache Jackrabbit before 2.0.6,
  2.2.x before 2.2.14, 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before
  2.8.1, and 2.10.x before 2.10.1 allows remote attackers to read arbitrary
  files and send requests to intranet servers via a crafted WebDAV request.