List:       oss-security
Subject:    Re: [oss-security] CVE Request: Apache Solr XXE
From:       Kurt Seifried <kseifried () redhat ! com>
Date:       2013-11-29 5:08:20
Message-ID: 52982144.6090906 () redhat ! com
On 11/28/2013 09:55 PM, David Jorm wrote:
> Hi All
> 
> Apache Solr 4.3.1, 4.4, 5.0 resolves multiple XXE flaws, as
> described in the following bugs:
> 
> https://issues.apache.org/jira/browse/SOLR-3895

Please use CVE-2013-6407 for this issue

> https://issues.apache.org/jira/browse/SOLR-4881

Please use CVE-2013-6408 for this issue

> I have confirmed that these issues can also be exploited on Apache
> Solr 3.6.2. Please assign a CVE ID for these XXE flaws (I think a
> single CVE ID is most appropriate).

These have to be SPLIT, different reporters, and one was in a release
so the second is a classic "incomplete fix for X" CVE as well.

> Thanks

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993