Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 385811 (CVE-2011-3600) - <dev-java/xmlrpc-3.1.3: SAX Parser Information Exposure (CVE-2011-3600)
Summary: <dev-java/xmlrpc-3.1.3: SAX Parser Information Exposure (CVE-2011-3600)
Alias: CVE-2011-3600
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B4 [noglsa]
: 339400 (view as bug list)
Depends on:
Reported: 2011-10-05 21:39 UTC by Michael Harrison
Modified: 2015-06-29 17:55 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Michael Harrison 2011-10-05 21:39:33 UTC
The client has been able to include server
side resources into the request by using external entities.

By creating a custom XML message and
sending it to the XML-RPC handling service it is possible to get the
contents of files stored on the server's file system as part of the
Comment 1 Agostino Sarubbo gentoo-dev 2011-10-06 05:50:53 UTC
Sure that version 2.x is affected?
Comment 2 Michael Harrison 2011-10-06 10:45:45 UTC
Well no, the advisory states specifically 3.1 being the fix, but no definite version being the culprit.
Comment 3 Tim Sammut (RETIRED) gentoo-dev 2011-10-06 23:53:21 UTC
Thanks for the bugs, Michael. Please feel free to add maintainers (maintainers: we'll keep him honest.)
Comment 4 Johann Schmitz (ercpe) (RETIRED) gentoo-dev 2014-08-30 08:02:44 UTC
+  30 Aug 2014; Johann Schmitz <> +xmlrpc-3.1.3.ebuild:
+  Version bump wrt bug #339400

Note that at least dev-java/jcs isn't compatible with the 3.1.3 version.
Comment 5 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-08-30 10:56:45 UTC
(In reply to Johann Schmitz (ercpe) from comment #4)
> +  30 Aug 2014; Johann Schmitz <> +xmlrpc-3.1.3.ebuild:
> +  Version bump wrt bug #339400

Thanks for version bump 

> Note that at least dev-java/jcs isn't compatible with the 3.1.3 version.

Can you file a separate bug for that and make it a blocker for this bug?
Comment 6 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-08-30 10:57:54 UTC
*** Bug 339400 has been marked as a duplicate of this bug. ***
Comment 7 Agostino Sarubbo gentoo-dev 2015-06-15 15:46:50 UTC
Stabilization was done in another bug.
Comment 8 Patrice Clement gentoo-dev 2015-06-15 15:52:10 UTC
epsilon ~ # equery d -a dev-java/xmlrpc
 * These packages depend on dev-java/xmlrpc:
dev-java/jcs- (dev-java/xmlrpc:0)
dev-java/jcs-1.3-r1 (dev-java/xmlrpc:0)
dev-util/deskzilla-1.7.1-r1 (>=dev-java/xmlrpc-2.0.1)

+  15 Jun 2015; Patrice Clement <> -jcs-,
+  -jcs-1.3-r1.ebuild:
+  Remove vulnerable versions. Fix security bug 385811.

Clean up done.
Comment 9 Patrice Clement gentoo-dev 2015-06-15 17:15:55 UTC
Sorry there was nothing vulnerable about jcs. I just got mixed up with another bug title (#521736).

+  15 Jun 2015; Patrice Clement <> -xmlrpc-2.0.1.ebuild:
+  Remove vulnerable version. Fix security bug 385811.

Clean up *really* done this time around.
Comment 10 Yury German Gentoo Infrastructure gentoo-dev 2015-06-16 02:47:43 UTC
GLSA Vote: No
Comment 11 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-06-29 17:55:55 UTC
GLSA Vote: No, closing