[Git][security-tracker-team/security-tracker][master] CVE-2019-12401,lucene-solr: Mark as not-affected for Jessie
Markus Koschany
apo at debian.org
Mon Oct 7 18:25:55 BST 2019
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits:
e1aff233 by Markus Koschany at 2019-10-07T16:50:48Z
CVE-2019-12401,lucene-solr: Mark as not-affected for Jessie
After investigating this issue I believe that the CVE should be reassigned to
libwoodstox-java, but it affects neither lucene-solr nor the latter in Debian, so it is
not really important.
In Debian we use the system libraries. The oldest version of libwoodstox-java in
Jessie is 4.1.3, which was released in April 2012. CVE-2019-12401 probably
refers to the change in the 4.x series to disable coalescing mode by default
(it was erroneously set to true before).
An interesting article about java.xml.stream.isCoalescing can be found at
http://veithen.io/2013/10/11/broken-by-design-xlxp2.html
Otherwise there are only two other changes which may be related to the problem.
Since Buster even those are not relevant.
4.2.0 (23-Mar-2013)
New features:
* [WSTX-285], [WSTX-287]: Add ability to restrict certain size limits of parsed
XML
(updated using properties, see `ReaderConfig`)
4.2.1 (20-Mar-2014)
[WSTX-294]: Incorrect data returned from text containing CDATA when
IS_COALESCING property is set
(reported by Rafal Dabrowa)
The rest of the changes do not appear to be security relevant.
In order to exploit CVE-2019-12401 and to trigger OOM an attacker must be able to post documents
to the Solr instance. If he is able to do that he can easily cause a
denial-of-service by some means or other.
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -14798,10 +14798,13 @@ CVE-2019-12402 (The file name encoding algorithm used internally in Apache Commo
NOTE: Fixed in upstream commit: https://gitbox.apache.org/repos/asf?p=commons-compress.git;a=commitdiff;h=4ad5d80a6272e007f64a6ac66829ca189a8093b9;hp=16a0c84e84b93cc8c107b7ff3080bd11317ab581
CVE-2019-12401 (Solr versions 1.3.0 to 1.4.1, 3.1.0 to 3.6.2 and 4.0.0 to 4.10.4 are v ...)
- lucene-solr <unfixed>
+ [jessie] - lucene-solr <not-affected> (system libraries of libwoodstox-java and libstax-api-java are used in Debian)
NOTE: https://issues.apache.org/jira/browse/SOLR-13750
NOTE: https://www.openwall.com/lists/oss-security/2019/09/10/1
NOTE: Upstream's fix (upgrading dependencies) suggests the issue is in libwoodstox-java:
NOTE: https://issues.apache.org/jira/browse/SOLR-6830
+ NOTE: May be related to the change in the 4.x series of libwoodstox-java to disabling coalescing by default which can trigger large memory consumption
+ when parsing specially crafted XML data
CVE-2019-12400 (In version 2.0.3 Apache Santuario XML Security for Java, a caching mec ...)
- libxml-security-java <unfixed> (bug #935548)
[stretch] - libxml-security-java <not-affected> (Vulnerable code introduced in 2.0.3)
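Review bot: The second added NOTE under CVE-2019-12401 is split across two lines, and its continuation ("when parsing specially crafted XML data") carries no "NOTE:" prefix, unlike every other annotation line in this hunk; keep the sentence on one NOTE line or start the second line with "NOTE:". The wording also reads as if disabling coalescing is what triggers the large memory consumption, while the commit message says the default was erroneously true before the change, so the note should say which setting causes the memory growth. The not-affected reason names libstax-api-java, which none of the NOTE lines explain; a short NOTE on its role would make the jessie triage easier to re-check later.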
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e1aff2339d1af06e6d4dd92cef9057e6e263095c