[jackrabbit] 01/01: Import Debian patch 2.3.6-1+deb7u2

Markus Koschany apo at moszumanska.debian.org
Sun Sep 18 16:22:27 UTC 2016


This is an automated email from the git hooks/post-receive script.

apo pushed a commit to annotated tag debian/2.3.6-1+deb7u2
in repository jackrabbit.

commit 794a7c9125cb481f1fbfd3207c9fe8a2798ad24b
Author: Markus Koschany <apo at debian.org>
Date:   Sun Sep 18 16:53:45 2016 +0200

    Import Debian patch 2.3.6-1+deb7u2
---
 .gitignore                         |   1 -
 debian/changelog                   |  25 ++++
 debian/patches/CVE-2015-1833.patch | 244 +++++++++++++++++++++++++++++++++++++
 debian/patches/CVE-2016-6801.patch | 192 +++++++++++++++++++++++++++++
 debian/patches/series              |   2 +
 5 files changed, 463 insertions(+), 1 deletion(-)

diff --git a/.gitignore b/.gitignore
deleted file mode 100644
index 845ca06..0000000
--- a/.gitignore
+++ /dev/null
@@ -1 +0,0 @@
-.pc
diff --git a/debian/changelog b/debian/changelog
index 4d0d701..2f15a38 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,28 @@
+jackrabbit (2.3.6-1+deb7u2) wheezy-security; urgency=high
+
+  * Non-maintainer upload by the LTS team.
+  * Fix CVE-2016-6801:
+    The CSRF content-type check for POST requests did not handle missing
+    Content-Type header fields, nor variations in field values with respect to
+    upper/lower case or optional parameters. This could be exploited to create
+    a resource via CSRF.
+
+ -- Markus Koschany <apo at debian.org>  Sun, 18 Sep 2016 16:53:45 +0200
+
+jackrabbit (2.3.6-1+deb7u1) wheezy-security; urgency=medium
+
+  * Team upload.
+  * Add CVE-2015-1833.patch.
+    Fix XXE/XEE vulnerability of the Jackrabbit WebDAV bundle.
+    When processing a WebDAV request body containing XML, the XML parser can be
+    instructed to read content from network resources accessible to the host,
+    identified by URI schemes such as "http(s)" or "file". Depending on the
+    WebDAV request, this can not only be used to trigger internal network
+    requests, but might also be used to insert said content into the request,
+    potentially exposing it to the attacker and others. (Closes: #787316)
+
+ -- Markus Koschany <apo at gambaru.de>  Thu, 25 Jun 2015 18:52:02 +0200
+
 jackrabbit (2.3.6-1) unstable; urgency=low
 
   * Initial release (Closes: #589450).
diff --git a/debian/patches/CVE-2015-1833.patch b/debian/patches/CVE-2015-1833.patch
new file mode 100644
index 0000000..83db29d
--- /dev/null
+++ b/debian/patches/CVE-2015-1833.patch
@@ -0,0 +1,244 @@
+From: Markus Koschany <apo at gambaru.de>
+Date: Wed, 24 Jun 2015 03:16:44 +0200
+Subject: CVE-2015-1833
+
+---
+ .../webdav/xml/DavDocumentBuilderFactory.java      | 86 ++++++++++++++++++++++
+ .../org/apache/jackrabbit/webdav/xml/DomUtil.java  | 22 +-----
+ .../apache/jackrabbit/webdav/xml/ParserTest.java   | 78 ++++++++++++++++++++
+ .../org/apache/jackrabbit/webdav/xml/TestAll.java  |  1 +
+ 4 files changed, 168 insertions(+), 19 deletions(-)
+ create mode 100644 jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DavDocumentBuilderFactory.java
+ create mode 100644 jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/ParserTest.java
+
+diff --git a/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DavDocumentBuilderFactory.java b/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DavDocumentBuilderFactory.java
+new file mode 100644
+index 0000000..60660a0
+--- /dev/null
++++ b/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DavDocumentBuilderFactory.java
+@@ -0,0 +1,86 @@
++/*
++ * Licensed to the Apache Software Foundation (ASF) under one or more
++ * contributor license agreements.  See the NOTICE file distributed with
++ * this work for additional information regarding copyright ownership.
++ * The ASF licenses this file to You under the Apache License, Version 2.0
++ * (the "License"); you may not use this file except in compliance with
++ * the License.  You may obtain a copy of the License at
++ *
++ *      http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License.
++ */
++package org.apache.jackrabbit.webdav.xml;
++
++import java.io.IOException;
++
++import javax.xml.XMLConstants;
++import javax.xml.parsers.DocumentBuilder;
++import javax.xml.parsers.DocumentBuilderFactory;
++import javax.xml.parsers.ParserConfigurationException;
++
++import org.slf4j.Logger;
++import org.slf4j.LoggerFactory;
++import org.xml.sax.EntityResolver;
++import org.xml.sax.InputSource;
++import org.xml.sax.helpers.DefaultHandler;
++
++/**
++ * Custom {@link DocumentBuilderFactory} extended for use in WebDAV.
++ */
++public class DavDocumentBuilderFactory {
++
++    private static final Logger LOG = LoggerFactory.getLogger(DomUtil.class);
++
++    private final DocumentBuilderFactory DEFAULT_FACTORY = createFactory();
++
++    private DocumentBuilderFactory BUILDER_FACTORY = DEFAULT_FACTORY;
++
++    private DocumentBuilderFactory createFactory() {
++        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
++        factory.setNamespaceAware(true);
++        factory.setIgnoringComments(true);
++        factory.setIgnoringElementContentWhitespace(true);
++        factory.setCoalescing(true);
++        try {
++            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
++        } catch (ParserConfigurationException e) {
++            LOG.warn("Secure XML processing is not supported", e);
++        } catch (AbstractMethodError e) {
++            LOG.warn("Secure XML processing is not supported", e);
++        }
++        return factory;
++    }
++
++    public void setFactory(DocumentBuilderFactory documentBuilderFactory) {
++        LOG.debug("DocumentBuilderFactory changed to: " + documentBuilderFactory);
++        BUILDER_FACTORY = documentBuilderFactory != null ? documentBuilderFactory : DEFAULT_FACTORY;
++    }
++
++    /**
++     * An entity resolver that does not allow external entity resolution. See
++     * RFC 4918, Section 20.6
++     */
++    private static final EntityResolver DEFAULT_ENTITY_RESOLVER = new EntityResolver() {
++        public InputSource resolveEntity(String publicId, String systemId) throws IOException {
++            LOG.debug("Resolution of external entities in XML payload not supported - publicId: " + publicId + ", systemId: "
++                    + systemId);
++            throw new IOException("This parser does not support resolution of external entities (publicId: " + publicId
++                    + ", systemId: " + systemId + ")");
++        }
++    };
++
++    public DocumentBuilder newDocumentBuilder() throws ParserConfigurationException {
++        DocumentBuilder db = BUILDER_FACTORY.newDocumentBuilder();
++        if (BUILDER_FACTORY == DEFAULT_FACTORY) {
++            // if this is the default factory: set the default entity resolver as well
++            db.setEntityResolver(DEFAULT_ENTITY_RESOLVER);
++        }
++        db.setErrorHandler(new DefaultHandler());
++        return db;
++    }
++}
+diff --git a/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DomUtil.java b/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DomUtil.java
+index 70508cc..ad77c97 100644
+--- a/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DomUtil.java
++++ b/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DomUtil.java
+@@ -56,26 +56,10 @@ public class DomUtil {
+     private static Logger log = LoggerFactory.getLogger(DomUtil.class);
+ 
+     /**
+-     * Constant for <code>DocumentBuilderFactory</code> which is used
++     * Constant for <code>DavDocumentBuilderFactory</code> which is used
+      * to create and parse DOM documents.
+      */
+-    private static DocumentBuilderFactory BUILDER_FACTORY = createFactory();
+-
+-    private static DocumentBuilderFactory createFactory() {
+-        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+-        factory.setNamespaceAware(true);
+-        factory.setIgnoringComments(true);
+-        factory.setIgnoringElementContentWhitespace(true);
+-        factory.setCoalescing(true);
+-        try {
+-            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+-        } catch (ParserConfigurationException e) {
+-            log.warn("Secure XML processing is not supported", e);
+-        } catch (AbstractMethodError e) {
+-            log.warn("Secure XML processing is not supported", e);
+-        }
+-        return factory;
+-    }
++    private static DavDocumentBuilderFactory BUILDER_FACTORY = new DavDocumentBuilderFactory();
+ 
+     /**
+      * Support the replacement of {@link #BUILDER_FACTORY}. This is useful
+@@ -88,7 +72,7 @@ public class DomUtil {
+      */
+     public static void setBuilderFactory(
+             DocumentBuilderFactory documentBuilderFactory) {
+-        BUILDER_FACTORY = documentBuilderFactory;
++        BUILDER_FACTORY.setFactory(documentBuilderFactory);
+     }
+ 
+     /**
+diff --git a/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/ParserTest.java b/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/ParserTest.java
+new file mode 100644
+index 0000000..19aaa1b
+--- /dev/null
++++ b/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/ParserTest.java
+@@ -0,0 +1,78 @@
++/*
++ * Licensed to the Apache Software Foundation (ASF) under one or more
++ * contributor license agreements.  See the NOTICE file distributed with
++ * this work for additional information regarding copyright ownership.
++ * The ASF licenses this file to You under the Apache License, Version 2.0
++ * (the \"License\"); you may not use this file except in compliance with
++ * the License.  You may obtain a copy of the License at
++ *
++ *      http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an \"AS IS\" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License.
++ */
++package org.apache.jackrabbit.webdav.xml;
++
++import java.io.ByteArrayInputStream;
++import java.io.File;
++import java.io.FileOutputStream;
++import java.io.IOException;
++import java.io.InputStream;
++import java.io.OutputStream;
++import java.io.UnsupportedEncodingException;
++
++import junit.framework.TestCase;
++
++import org.w3c.dom.Document;
++import org.w3c.dom.Element;
++
++public class ParserTest extends TestCase {
++
++    // see <http://en.wikipedia.org/wiki/Billion_laughs#Details>
++    public void testBillionLaughs() throws UnsupportedEncodingException {
++
++        String testBody = "<?xml version=\"1.0\"?>" + "<!DOCTYPE lolz [" + " <!ENTITY lol \"lol\">" + " <!ELEMENT lolz (#PCDATA)>"
++                + " <!ENTITY lol1 \"&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;\">"
++                + " <!ENTITY lol2 \"&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;\">"
++                + " <!ENTITY lol3 \"&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;\">"
++                + " <!ENTITY lol4 \"&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;\">"
++                + " <!ENTITY lol5 \"&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;\">"
++                + " <!ENTITY lol6 \"&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;\">"
++                + " <!ENTITY lol7 \"&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;\">"
++                + " <!ENTITY lol8 \"&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;\">"
++                + " <!ENTITY lol9 \"&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;\">" + "]>" + "<lolz>&lol9;</lolz>";
++        InputStream is = new ByteArrayInputStream(testBody.getBytes("UTF-8"));
++
++        try {
++            DomUtil.parseDocument(is);
++            fail("parsing this document should cause an exception");
++        } catch (Exception expected) {
++        }
++    }
++
++    public void testExternalEntities() throws IOException {
++
++        String dname = "target";
++        String fname = "test.xml";
++
++        File f = new File(dname, fname);
++        OutputStream os = new FileOutputStream(f);
++        os.write("testdata".getBytes());
++        os.close();
++
++        String testBody = "<?xml version='1.0'?>\n<!DOCTYPE foo [" + " <!ENTITY test SYSTEM \"file:" + dname + "/" + fname + "\">"
++                + "]>\n<foo>&test;</foo>";
++        InputStream is = new ByteArrayInputStream(testBody.getBytes("UTF-8"));
++
++        try {
++            Document d = DomUtil.parseDocument(is);
++            Element root = d.getDocumentElement();
++            String text = DomUtil.getText(root);
++            fail("parsing this document should cause an exception, but the following external content was included: " + text);
++        } catch (Exception expected) {
++        }
++    }
++}
+\ No newline at end of file
+diff --git a/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/TestAll.java b/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/TestAll.java
+index 1ca395a..f3ff354 100644
+--- a/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/TestAll.java
++++ b/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/TestAll.java
+@@ -33,6 +33,7 @@ public class TestAll extends TestCase {
+         TestSuite suite = new TestSuite("org.apache.jackrabbit.webdav.xml tests");
+ 
+         suite.addTestSuite(NamespaceTest.class);
++        suite.addTestSuite(ParserTest.class);
+ 
+         return suite;
+     }
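Review bot: The entity resolver that refuses external entities is only installed while BUILDER_FACTORY is still DEFAULT_FACTORY (`if (BUILDER_FACTORY == DEFAULT_FACTORY)` in newDocumentBuilder), so any caller that supplies its own factory through setFactory or DomUtil.setBuilderFactory gets a builder with the parser's default resolver and keeps the exposure this patch removes; either run `db.setEntityResolver(DEFAULT_ENTITY_RESOLVER);` unconditionally or document on setFactory that the supplied factory must already be hardened. Internal entity expansion (the billion-laughs case in ParserTest) is still left to FEATURE_SECURE_PROCESSING, whose limits depend on the JAXP implementation in use; since RFC 4918 Section 20.6 allows a server to reject DTDs outright, createFactory could additionally request the Xerces `http://apache.org/xml/features/disallow-doctype-decl` feature where the parser supports it, as sketched below. Two smaller points: `LoggerFactory.getLogger(DomUtil.class)` in the new class should name `DavDocumentBuilderFactory.class`, and setFactory reassigns BUILDER_FACTORY without synchronization although the instance is shared through a static in DomUtil — presumably only called at configuration time, but a `volatile` field would make the publication well-defined.
```java
    private DocumentBuilderFactory createFactory() {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        // … unchanged: namespace / comment / whitespace / coalescing settings and the secure-processing feature …
        // WebDAV request bodies carry no DTD (RFC 4918, Section 20.6); refusing a
        // DOCTYPE stops entity-expansion payloads regardless of the parser's
        // secure-processing limits. Not every parser knows this feature.
        try {
            factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        } catch (ParserConfigurationException e) {
            LOG.warn("Rejecting DOCTYPE declarations is not supported by this parser", e);
        }
        return factory;
    }
```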
diff --git a/debian/patches/CVE-2016-6801.patch b/debian/patches/CVE-2016-6801.patch
new file mode 100644
index 0000000..7ad632c
--- /dev/null
+++ b/debian/patches/CVE-2016-6801.patch
@@ -0,0 +1,192 @@
+From: Markus Koschany <apo at debian.org>
+Date: Sun, 18 Sep 2016 16:46:33 +0200
+Subject: CVE-2016-6801
+
+The CSRF content-type check for POST requests did not handle missing
+Content-Type header fields, nor variations in field values with respect to
+upper/lower case or optional parameters. This could be exploited to create a
+resource via CSRF.
+
+Backported to the 2.3 branch.
+
+Origin: https://svn.apache.org/viewvc?view=revision&revision=1758791
+---
+ .../apache/jackrabbit/spi2davex/PostMethod.java    |  1 +
+ .../org/apache/jackrabbit/webdav/DavResource.java  |  2 +-
+ .../webdav/server/AbstractWebdavServlet.java       |  3 +-
+ .../apache/jackrabbit/webdav/util/CSRFUtil.java    | 83 ++++++++++++++++++----
+ 4 files changed, 74 insertions(+), 15 deletions(-)
+
+diff --git a/jackrabbit-spi2dav/src/main/java/org/apache/jackrabbit/spi2davex/PostMethod.java b/jackrabbit-spi2dav/src/main/java/org/apache/jackrabbit/spi2davex/PostMethod.java
+index 5355a72..f6e243c 100644
+--- a/jackrabbit-spi2dav/src/main/java/org/apache/jackrabbit/spi2davex/PostMethod.java
++++ b/jackrabbit-spi2dav/src/main/java/org/apache/jackrabbit/spi2davex/PostMethod.java
+@@ -47,6 +47,7 @@ class PostMethod extends DavMethodBase {
+ 
+     public PostMethod(String uri) {
+         super(uri);
++        super.setRequestHeader("Referer", uri);
+         HttpMethodParams params = getParams();
+         params.setContentCharset("UTF-8");
+     }
+diff --git a/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/DavResource.java b/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/DavResource.java
+index c99b5cd..6e70a42 100644
+--- a/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/DavResource.java
++++ b/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/DavResource.java
+@@ -40,7 +40,7 @@ public interface DavResource {
+     /**
+      * String constant representing the WebDAV 1 and 2 method set.
+      */
+-    public static final String METHODS = "OPTIONS, GET, HEAD, POST, TRACE, PROPFIND, PROPPATCH, MKCOL, COPY, PUT, DELETE, MOVE, LOCK, UNLOCK";
++    public static final String METHODS = "OPTIONS, GET, HEAD, TRACE, PROPFIND, PROPPATCH, MKCOL, COPY, PUT, DELETE, MOVE, LOCK, UNLOCK";
+ 
+     /**
+      * Returns a comma separated list of all compliance classes the given
+diff --git a/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/server/AbstractWebdavServlet.java b/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/server/AbstractWebdavServlet.java
+index 128946e..a1bdbf4 100644
+--- a/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/server/AbstractWebdavServlet.java
++++ b/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/server/AbstractWebdavServlet.java
+@@ -568,7 +568,7 @@ abstract public class AbstractWebdavServlet extends HttpServlet implements DavCo
+      */
+     protected void doPost(WebdavRequest request, WebdavResponse response,
+                           DavResource resource) throws IOException, DavException {
+-        doPut(request, response, resource);
++        response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
+     }
+ 
+     /**
+@@ -1356,7 +1356,6 @@ abstract public class AbstractWebdavServlet extends HttpServlet implements DavCo
+      * @param out
+      * @return
+      * @see #doPut(WebdavRequest, WebdavResponse, DavResource)
+-     * @see #doPost(WebdavRequest, WebdavResponse, DavResource)
+      * @see #doMkCol(WebdavRequest, WebdavResponse, DavResource)
+      */
+     protected OutputContext getOutputContext(DavServletResponse response, OutputStream out) {
+diff --git a/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/util/CSRFUtil.java b/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/util/CSRFUtil.java
+index 4d431eb..b5fc8f4 100644
+--- a/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/util/CSRFUtil.java
++++ b/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/util/CSRFUtil.java
+@@ -19,12 +19,18 @@ package org.apache.jackrabbit.webdav.util;
+ import org.slf4j.Logger;
+ import org.slf4j.LoggerFactory;
+ 
+-import javax.servlet.http.HttpServletRequest;
+-import java.net.MalformedURLException;
+-import java.net.URL;
++import java.net.URI;
++import java.net.URISyntaxException;
++import java.util.Arrays;
+ import java.util.Collections;
++import java.util.Enumeration;
+ import java.util.HashSet;
+ import java.util.Set;
++import java.util.Locale;
++import javax.servlet.http.HttpServletRequest;
++
++import org.slf4j.Logger;
++import org.slf4j.LoggerFactory;
+ 
+ /**
+  * <code>CSRFUtil</code>...
+@@ -37,6 +43,19 @@ public class CSRFUtil {
+     public static final String DISABLED = "disabled";
+ 
+     /**
++     * Request content types for CSRF checking, see JCR-3909, JCR-4002, and JCR-4009
++     */
++    public static final Set<String> CONTENT_TYPES = Collections.unmodifiableSet(new HashSet<String>(
++            Arrays.asList(
++                    new String[] {
++                            "application/x-www-form-urlencoded",
++                            "multipart/form-data",
++                            "text/plain"
++                    }
++            )
++    ));
++
++    /**
+      * logger instance
+      */
+     private static final Logger log = LoggerFactory.getLogger(CSRFUtil.class);
+@@ -77,6 +96,7 @@ public class CSRFUtil {
+         if (config == null || config.length() == 0) {
+             disabled = false;
+             allowedReferrerHosts = Collections.emptySet();
++            log.debug("CSRF protection disabled");
+         } else {
+             if (DISABLED.equalsIgnoreCase(config.trim())) {
+                 disabled = true;
+@@ -89,23 +109,62 @@ public class CSRFUtil {
+                     allowedReferrerHosts.add(entry.trim());
+                 }
+             }
++            log.debug("CSRF protection enabled, allowed referrers: " + allowedReferrerHosts);
+         }
+     }
+ 
+-    public boolean isValidRequest(HttpServletRequest request) throws MalformedURLException {
++  public boolean isValidRequest(HttpServletRequest request) {
++
+         if (disabled) {
+             return true;
++        } else if (!"POST".equals(request.getMethod())) {
++            // protection only needed for POST
++            return true;
+         } else {
++            Enumeration<String> cts = (Enumeration<String>) request.getHeaders("Content-Type");
++            String ct = null;
++            if (cts != null && cts.hasMoreElements()) {
++                String t = cts.nextElement();
++                // prune parameters
++                int semicolon = t.indexOf(';');
++                if (semicolon >= 0) {
++                    t = t.substring(0, semicolon);
++                }
++                ct = t.trim().toLowerCase(Locale.ENGLISH);
++            }
++            if (cts != null && cts.hasMoreElements()) {
++                // reject if there are more header field instances
++                log.debug("request blocked because there were multiple content-type header fields");
++                return false;
++            }
++            if (ct != null && !CONTENT_TYPES.contains(ct)) {
++                // type present and not in blacklist
++                return true;
++            }
++
+             String refHeader = request.getHeader("Referer");
++            // empty referrer headers are not allowed for POST + relevant
++            // content types (see JCR-3909)
+             if (refHeader == null) {
+-                // empty referrer is always allowed
+-                return true;
+-            } else {
+-                String host = new URL(refHeader).getHost();
+-                // test referrer-host equelst server or
+-                // if it is contained in the set of explicitly allowed host names
+-                return host.equals(request.getServerName()) || allowedReferrerHosts.contains(host);
++                log.debug("POST with content type" + ct + " blocked due to missing referer header field");
++                return false;
++            }
++
++            try {
++                String host = new URI(refHeader).getHost();
++                // test referrer-host equals server or
++                // if it is contained in the set of explicitly allowed host
++                // names
++                boolean ok = host == null || host.equals(request.getServerName()) || allowedReferrerHosts.contains(host);
++                if (!ok) {
++                    log.debug("POST with content type" + ct + " blocked due to referer header field being: " + refHeader);
++                }
++                return ok;
++            } catch (URISyntaxException ex) {
++                // referrer malformed -> block access
++                log.debug("POST with content type" + ct + " blocked due to malformed referer header field: " + refHeader);
++                return false;
+             }
+         }
+     }
+-}
+\ No newline at end of file
++}
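Review bot: In isValidRequest a Referer that parses as a URI but has no host component is accepted unconditionally by `boolean ok = host == null || ...`, while a missing Referer is rejected a few lines earlier; the comment above the check does not say why a host-less referrer should be trusted more than an absent one. Browsers normally omit the header rather than send a host-less value, so the practical exposure is probably small, but if no legitimate client depends on it the stricter form is `boolean ok = host != null && (host.equalsIgnoreCase(request.getServerName()) || allowedReferrerHosts.contains(host));` (equalsIgnoreCase because host names are case-insensitive), and otherwise the intent should be recorded in the comment. The three debug messages built from `"POST with content type" + ct` lack a space before the value. On style: the new method signature is indented two spaces where the rest of the class uses four, the `org.slf4j` imports now appear twice (the context lines at the top of the import block and the added pair), and the unchecked cast to `Enumeration<String>` on getHeaders would be better confined with `@SuppressWarnings("unchecked")` on that one declaration plus a comment naming the raw Servlet API return type as the reason.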
diff --git a/debian/patches/series b/debian/patches/series
index 1ed02cd..df13c07 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,4 @@
 modules.diff
 servlet_api_25.diff
+CVE-2015-1833.patch
+CVE-2016-6801.patch
