
[SECURITY] [DLA 629-1] jackrabbit security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : jackrabbit
Version        : 2.3.6-1+deb7u2
CVE ID         : CVE-2016-6801
Debian Bug     : 838204


Lukas Reschke discovered that the WebDAV module of Apache Jackrabbit,
a content repository implementation for Java, was vulnerable to
cross-site request forgery (CSRF).

The CSRF content-type check for POST requests did not handle missing
Content-Type header fields, nor variations in field values with
respect to upper/lower case or optional parameters. This could be
exploited to create a resource via CSRF.
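
The three gaps named above, shown as an added example that is not Jackrabbit's own code: a check that matches the raw header value beside one that normalizes it first. The class name, method names and the set of form media types are assumptions made for illustration.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

public class CsrfContentTypeCheck {
    // Assumed deny-list: media types an HTML form can submit cross-site.
    static final Set<String> FORM_TYPES = new HashSet<>(Arrays.asList(
        "application/x-www-form-urlencoded", "multipart/form-data", "text/plain"));

    // Weak form: exact match on the raw header value.
    // Returns true when the POST needs further CSRF validation.
    static boolean needsCsrfCheckNaive(String method, String contentType) {
        return "POST".equals(method) && FORM_TYPES.contains(contentType);
    }

    // Hardened form: a missing header is treated as suspicious, optional
    // parameters are dropped, and the media type is compared in lower case.
    static boolean needsCsrfCheck(String method, String contentType) {
        if (!"POST".equals(method)) {
            return false;
        }
        if (contentType == null || contentType.trim().isEmpty()) {
            return true; // no Content-Type: cannot be ruled out as a cross-site POST
        }
        int semi = contentType.indexOf(';');
        String mediaType = (semi >= 0 ? contentType.substring(0, semi) : contentType)
            .trim().toLowerCase(Locale.ROOT);
        return FORM_TYPES.contains(mediaType);
    }

    public static void main(String[] args) {
        // Constructed sample header values, one per case named in the advisory.
        String[] samples = {
            "text/plain",                 // baseline: both checks flag it
            null,                         // missing header
            "TEXT/Plain",                 // upper/lower case variation
            "text/plain; charset=UTF-8",  // optional parameter
            "application/json"            // not form-submittable: neither flags it
        };
        for (String ct : samples) {
            System.out.printf("%-28s naive=%-5b hardened=%b%n",
                ct, needsCsrfCheckNaive("POST", ct), needsCsrfCheck("POST", ct));
        }
    }
}
```

The rows where the two columns disagree are the requests that would skip CSRF validation under the exact-match check.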

For Debian 7 "Wheezy", these problems have been fixed in version
2.3.6-1+deb7u2.

We recommend that you upgrade your jackrabbit packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

-----END PGP SIGNATURE-----

