
Bug 385811 (CVE-2011-3600)

Summary: <dev-java/xmlrpc-3.1.3: SAX Parser Information Exposure (CVE-2011-3600)
Product: Gentoo Security Reporter: Michael Harrison <n0idx80>
Component: Vulnerabilities Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: ercpe, java, underling
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=705869
Whiteboard: B4 [noglsa]
Package list:
Runtime testing required: ---

Description Michael Harrison 2011-10-05 21:39:33 UTC
The client has been able to include server
side resources into the request by using external entities.

By creating a custom XML message and
sending it to the XML-RPC handling service it is possible to get the
contents of files stored on the server's file system as part of the
response.
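
A hardened SAX parser setup for the external-entity issue described above, as an added example that is not part of this bug report or of Apache XML-RPC's own code. The class name, the helper methods and both sample requests are constructed for illustration, and the example assumes the JDK's built-in JAXP (Xerces-based) parser.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

// Hypothetical class name; not taken from the xmlrpc package.
public class HardenedXmlRpcParse {

    // Build a SAX reader that rejects DOCTYPE declarations outright and,
    // as defence in depth, never resolves external entities or DTDs.
    static XMLReader hardenedReader() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        XMLReader r = f.newSAXParser().getXMLReader();
        r.setContentHandler(new DefaultHandler());
        return r;
    }

    // Returns true if the request body parses, false if the parser refuses it.
    static boolean accepted(String body) throws Exception {
        try {
            hardenedReader().parse(new InputSource(new StringReader(body)));
            return true;
        } catch (SAXException e) {
            return false; // includes the fatal error raised for a DOCTYPE
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample requests; the entity target is a placeholder path.
        String plain = "<?xml version=\"1.0\"?><methodCall><methodName>echo</methodName>"
            + "<params><param><value><string>hi</string></value></param></params></methodCall>";
        String withEntity = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE methodCall [<!ENTITY ext SYSTEM \"file:///constructed/placeholder\">]>"
            + "<methodCall><methodName>echo</methodName>"
            + "<params><param><value><string>&ext;</string></value></param></params></methodCall>";
        System.out.println("plain request accepted: " + accepted(plain));
        System.out.println("DOCTYPE request accepted: " + accepted(withEntity));
    }
}
```

XML-RPC requests have no legitimate need for a DTD, so refusing any DOCTYPE is the simplest control; the remaining features only matter if that one is ever relaxed.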
Comment 1 Agostino Sarubbo gentoo-dev 2011-10-06 05:50:53 UTC
Sure that version 2.x is affected?
Comment 2 Michael Harrison 2011-10-06 10:45:45 UTC
Well no, the advisory states specifically 3.1 being the fix, but no definite version being the culprit.
Comment 3 Tim Sammut (RETIRED) gentoo-dev 2011-10-06 23:53:21 UTC
Thanks for the bugs, Michael. Please feel free to add maintainers (maintainers: we'll keep him honest.)
Comment 4 Johann Schmitz (ercpe) (RETIRED) gentoo-dev 2014-08-30 08:02:44 UTC
+  30 Aug 2014; Johann Schmitz <ercpe@gentoo.org> +xmlrpc-3.1.3.ebuild:
+  Version bump wrt bug #339400

Note that at least dev-java/jcs isn't compatible with the 3.1.3 version.
Comment 5 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-08-30 10:56:45 UTC
(In reply to Johann Schmitz (ercpe) from comment #4)
> +  30 Aug 2014; Johann Schmitz <ercpe@gentoo.org> +xmlrpc-3.1.3.ebuild:
> +  Version bump wrt bug #339400
> 

Thanks for version bump 

> Note that at least dev-java/jcs isn't compatible with the 3.1.3 version.

Can you file a separate bug for that and make it a blocker for this bug?
Comment 6 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-08-30 10:57:54 UTC
*** Bug 339400 has been marked as a duplicate of this bug. ***
Comment 7 Agostino Sarubbo gentoo-dev 2015-06-15 15:46:50 UTC
Stabilization was done in another bug.
Comment 8 Patrice Clement gentoo-dev 2015-06-15 15:52:10 UTC
epsilon ~ # equery d -a dev-java/xmlrpc
 * These packages depend on dev-java/xmlrpc:
dev-java/jcs-1.2.7.9-r1 (dev-java/xmlrpc:0)
dev-java/jcs-1.3-r1 (dev-java/xmlrpc:0)
dev-util/deskzilla-1.7.1-r1 (>=dev-java/xmlrpc-2.0.1)

+  15 Jun 2015; Patrice Clement <monsieurp@gentoo.org> -jcs-1.2.7.9-r1.ebuild,
+  -jcs-1.3-r1.ebuild:
+  Remove vulnerable versions. Fix security bug 385811.
+

Clean up done.
Comment 9 Patrice Clement gentoo-dev 2015-06-15 17:15:55 UTC
Sorry there was nothing vulnerable about jcs. I just got mixed up with another bug title (#521736).

+  15 Jun 2015; Patrice Clement <monsieurp@gentoo.org> -xmlrpc-2.0.1.ebuild:
+  Remove vulnerable version. Fix security bug 385811.
+

Clean up *really* done this time around.
Comment 10 Yury German Gentoo Infrastructure gentoo-dev 2015-06-16 02:47:43 UTC
GLSA Vote: No
Comment 11 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-06-29 17:55:55 UTC
GLSA Vote: No, closing