[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[SECURITY] [DLA 1046-1] lucene-solr security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : lucene-solr
Version        : 3.6.0+dfsg-1+deb7u2
CVE ID         : CVE-2017-3163
Debian Bug     : 867712


lucene-solr handler supports an HTTP API (/replication?command=filecontent&file=<file_name>)
which is vulnerable to path traversal attack. Specifically, this API does not
perform any validation of the user specified file_name parameter. This can
allow an attacker to download any file readable to Solr server process even if
it is not related to the actual Solr index state.

For Debian 7 "Wheezy", this problem has been fixed in version
3.6.0+dfsg-1+deb7u2.

We recommend that you upgrade your lucene-solr packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEjtbD+LrJ23/BMKhw+COicpiDyXwFAll9/ugACgkQ+COicpiD
yXyA2w//WIv6ZgQ1Al3pCuQvUP1WnauydzFNsIu17ayRo7UU64T0gSRHVmzsQMQf
/qV4c6FKuN8H7cMWVTPQVIlWxkMj0z++BmGzj+c65N3oO/IIG3CYm2E6N5pPWdMv
HiyMN87Nzj2EnnFfljnOg7m9x4KHtJv/NluB4h/IQWLEw1MuIEVAPWArTE+dXBJI
7MqIl+hFIc32u2MypfAY6ENLQOI5cKQ0Ic88AstmNMbxmlciBOMCXtd0BmPoPoeK
IJQp0K8E92NbHcPKnIRhpK7wHbMh1gMOFDn7YPmuT+QcFY0n/kpHL7Xdw2rVA8nJ
fyZpUleZJpk8oz/8Wb3WEwYHrnccvYHoNwMBEuXu6/95svMV2UoROdsa4ElRs7UX
US9xC7XoVVxSWrJinV+oQ3fL0hpxqYHwGkU5pVuDE57CoMQ5g80tCxkwkLm6o9eB
hiNUG+hzA9Uuxu2eOIWRys3PGWhwccNsP2V3FcdBk//iGiX29WjhbQyomAB4fpmP
hgkc5hG3Ub3GMwIo6fPqgz9zVkQ4hitXA+0Y2CZo1P/jCpd+t7vDouB3h+8cNxU9
CHKwRB5odSmw2G98mCJXZzR5cr6U55WYL+iewxxZ1OrBXQ3JuMykqkPX6MUlKYUH
lF6psiBYhJe8UDJB/fnbfXL+p7Qgy7dnXPs5pg+g0bllkH4HwSY=
=e7Kh
-----END PGP SIGNATURE-----


Reply to: