===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2018.1387
lucene-solr update comes to Debian 8 and 9
7 May 2018
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           lucene-solr
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
                   Debian GNU/Linux 8
Impact/Access:     Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-1308
Reference:         ESB-2018.1263
                   ESB-2018.1112
Original Bulletin: http://www.debian.org/security/2018/dsa-4194

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian Security Advisory DSA-4194-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
May 06, 2018                          https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : lucene-solr
CVE ID         : CVE-2018-1308

An XML external entity expansion vulnerability was discovered in the
DataImportHandler of Solr, a search server based on Lucene, which could
result in information disclosure.

For the oldstable distribution (jessie), this problem has been fixed
in version 3.6.2+dfsg-5+deb8u2.

For the stable distribution (stretch), this problem has been fixed in
version 3.6.2+dfsg-10+deb9u2.

We recommend that you upgrade your lucene-solr packages.

For the detailed security status of lucene-solr please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/lucene-solr

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
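An added example, not part of the AusCERT bulletin or the Debian advisory: a fleet triage check that flags hosts whose lucene-solr packages are older than the fixed versions quoted above. It implements Debian version ordering in Python so it runs off-host; the inventory rows and binary package names are constructed for illustration, and on a Debian system `dpkg --compare-versions` remains the authoritative comparison.

```python
import re
# Fixed versions quoted in DSA-4194-1, keyed by release codename.
FIXED = {"jessie": "3.6.2+dfsg-5+deb8u2", "stretch": "3.6.2+dfsg-10+deb9u2"}

def _weight(ch):
    # dpkg ordering: '~' sorts before end-of-string (0), letters before other symbols.
    return -1 if ch == "~" else ord(ch) + (0 if ch.isalpha() else 256)

def _cmp_part(a, b):
    # Walk alternating non-digit and digit runs, as dpkg does.
    while a or b:
        ta, tb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(ta):], b[len(tb):]
        for i in range(max(len(ta), len(tb))):
            wa = _weight(ta[i]) if i < len(ta) else 0
            wb = _weight(tb[i]) if i < len(tb) else 0
            if wa != wb:
                return -1 if wa < wb else 1
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        na, nb = int(da or 0), int(db or 0)
        if na != nb:
            return -1 if na < nb else 1
    return 0

def _split(v):
    # [epoch:]upstream[-revision]; the revision follows the last hyphen.
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return int(epoch), upstream, revision

def deb_cmp(x, y):
    """Return -1, 0 or 1 following Debian version ordering."""
    (ex, ux, rx), (ey, uy, ry) = _split(x), _split(y)
    if ex != ey:
        return -1 if ex < ey else 1
    return _cmp_part(ux, uy) or _cmp_part(rx, ry)

def triage(inventory):
    """Return (host, package, version) rows below the release's fixed version."""
    rows = (line.split() for line in inventory.strip().splitlines())
    return [(h, p, v) for h, rel, p, v in rows
            if rel in FIXED and deb_cmp(v, FIXED[rel]) < 0]

# Constructed inventory: host, release, binary package (assumed names), version.
SAMPLE = """
web01 jessie  libsolr-java 3.6.2+dfsg-5+deb8u1
web02 jessie  libsolr-java 3.6.2+dfsg-5+deb8u2
idx01 stretch solr-tomcat  3.6.2+dfsg-10
idx02 stretch solr-tomcat  3.6.2+dfsg-10+deb9u2"""
```

`triage(SAMPLE)` returns the rows for web01 and idx01, the two hosts still below the fixed version for their release.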