ESB-2018.1387 - [Debian] lucene-solr: Access confidential data - Remote/unauthenticated 2018-05-07


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.1387
                lucene-solr update comes to Debian 8 and 9
                                7 May 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           lucene-solr
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
                   Debian GNU/Linux 8
Impact/Access:     Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-1308  

Reference:         ESB-2018.1263
                   ESB-2018.1112

Original Bulletin: 
   http://www.debian.org/security/2018/dsa-4194

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4194-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
May 06, 2018                          https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : lucene-solr
CVE ID         : CVE-2018-1308

An XML external entity (XXE) expansion vulnerability was discovered in the
DataImportHandler of Solr, a search server based on Lucene. A crafted XML
document submitted to this handler can make the server resolve external
entities, so local files readable by the Solr process are disclosed to the
requester.
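The advisory names the bug class but not what it looks like in practice. The block below is an added illustration and is not Solr code: Solr's DataImportHandler is Java, and this reproduces the same defect with Python's standard xml.sax so it runs anywhere. The secret file, the "db_password" content and the attacker's document are constructed for the demonstration; parse_unsafe, parse_hardened and RejectDoctype are names chosen here, not Solr or Debian identifiers.

```python
"""Added example: XML external entity (XXE) file disclosure, and the
parser configuration that closes it. Not Solr's code; Python xml.sax is
used as a stand-in for any XML consumer that accepts a DTD."""
import os
import tempfile
import xml.sax
from io import StringIO
from xml.sax.handler import (ContentHandler, feature_external_ges,
                             property_lexical_handler)

# Constructed stand-in for a file the server process can read.
SECRET = "db_password=hunter2\n"


class TextCollector(ContentHandler):
    """Gathers character data so we can see what the parser expanded."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self):
        return "".join(self.parts)


class RejectDoctype:
    """Lexical handler that refuses any DOCTYPE. Without a DTD there is
    nowhere to declare an entity, so the whole XXE vector disappears."""

    def startDTD(self, name, public_id, system_id):
        raise ValueError("DOCTYPE declarations are not accepted")

    # Remaining LexicalHandler callbacks expatreader looks up; no-ops here.
    def endDTD(self): pass
    def comment(self, content): pass
    def startCDATA(self): pass
    def endCDATA(self): pass


def write_secret(dirpath):
    path = os.path.join(dirpath, "secret.txt")
    with open(path, "w") as fh:
        fh.write(SECRET)
    return path


def xxe_document(target_path):
    """Constructed attacker payload: the internal DTD subset declares an
    external general entity whose SYSTEM identifier is a file on the server,
    and the body references it so the file contents land in the parse."""
    return ('<?xml version="1.0"?>\n'
            f'<!DOCTYPE data [ <!ENTITY xxe SYSTEM "{target_path}"> ]>\n'
            '<data>&xxe;</data>\n')


def _parse(xml_text, resolve_external_entities, reject_doctype):
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    if reject_doctype:
        parser.setProperty(property_lexical_handler, RejectDoctype())
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(StringIO(xml_text))
    return collector.text()


def parse_unsafe(xml_text):
    """External general entities are resolved: a SYSTEM entity reads a file."""
    return _parse(xml_text, resolve_external_entities=True, reject_doctype=False)


def parse_hardened(xml_text):
    """External entity resolution off and DOCTYPE rejected outright."""
    return _parse(xml_text, resolve_external_entities=False, reject_doctype=True)


def demo():
    """Run the same payload through both parsers; returns (leaked, outcome)."""
    with tempfile.TemporaryDirectory() as tmp:
        doc = xxe_document(write_secret(tmp))
        leaked = parse_unsafe(doc)          # file contents come back as text
        try:
            parse_hardened(doc)
            outcome = "accepted"
        except ValueError as exc:
            outcome = f"rejected: {exc}"    # DTD refused before any entity exists
    return leaked, outcome


if __name__ == "__main__":
    leaked, outcome = demo()
    print("unsafe parser returned:", repr(leaked))
    print("hardened parser:", outcome)
```

Turning off external entity resolution alone makes the entity expand to nothing, which stops the file read but still lets attacker-supplied DTDs through; rejecting the DOCTYPE is the stronger setting. In a Java XML consumer such as Solr the equivalent is enabling the Xerces feature `http://apache.org/xml/features/disallow-doctype-decl` on the parser factory.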

For the oldstable distribution (jessie), this problem has been fixed
in version 3.6.2+dfsg-5+deb8u2.

For the stable distribution (stretch), this problem has been fixed in
version 3.6.2+dfsg-10+deb9u2.

We recommend that you upgrade your lucene-solr packages.

For the detailed security status of lucene-solr please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/lucene-solr

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
=tbeu
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWu+mE4x+lLeg9Ub1AQj6cQ//bWdc3RHe/p7/onoLxLq8Rp/5gAWXof7+
YZmtnf86pt/qBA7gE2ZZgYl7w/2AcY43vT4f4sFA0lWAVClTxmM2m7VpMJlnEpnY
GFpb3b7Mx8osXEgyvthaE4PLOzXGu6wM8/A6RgxdUM+t76WHt8kmiiw/Q7qAABDA
qlQ5pAOmcMBuSbFAB4752v55o1LABKyPGyPKL8kUW1DTRESobhYyHuA6Sds3/voF
pI6M1nhRmSI6c7fzHYTXAW1fkh8sLjG5+b+dufpZEemkYeUgMmzEnkCZBtv12TR/
2SdMcpda62YyjDqTEVMyo4PkgxPO+ye/efPix3XuYLPXll7gk8moIjmX1mL5BUQZ
gXlyCqEvRTCyL7ywelOyvlJd8tPQVGJXzyj03vz3IyvJG0FuJgDDF+lbbYA3HpAF
+Fwgl3ywYLWlieEVBZNFaQkjVCmu9O+6XfQZ7Rsv27RCZZ6H1wZUQazyvPMj459H
t60YzwFO9HYMb+Z3LfU5wMbKzLWXeCjJiuBbjP1W5Zr+RFwmPrjNI6TDN3tcRHI2
sxKvZdwBFlNOiAN/F5PI7RkjeIv4UdWifXJ7VUSjSxlwj2eDz7ZpCO0byT07rZRJ
LkPxlI/gI5v9GRZNKiGA+4Azv26ub9CRCLHqbHsntY1q3ZvxF3WsWs6qZ4qOE96o
mQDNjrihpGE=
=oQAy
-----END PGP SIGNATURE-----
