Bug#1106287: jgit: CVE-2025-4949
Moritz Mühlenhoff
jmm at inutil.org
Thu May 22 16:36:45 BST 2025
Source: jgit
X-Debbugs-CC: team at security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for jgit.
CVE-2025-4949[0]:
| In Eclipse JGit versions 7.2.0.202503040940-r and older, the
| ManifestParser class used by the repo command and the AmazonS3 class
| used to implement the experimental amazons3 git transport protocol
| allowing to store git pack files in an Amazon S3 bucket, are
| vulnerable to XML External Entity (XXE) attacks when parsing XML
| files. This vulnerability can lead to information disclosure, denial
| of service, and other security issues.
https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/281
https://gitlab.eclipse.org/security/cve-assignement/-/issues/64
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-4949
https://www.cve.org/CVERecord?id=CVE-2025-4949
Please adjust the affected versions in the BTS as needed.
More information about the pkg-java-maintainers
mailing list