[SECURITY] [DLA 2404-1] eclipse-wtp security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 2404-1] eclipse-wtp security update
From: Markus Koschany <apo@debian.org>
Date: Sat, 10 Oct 2020 01:20:51 +0200
Message-id: <[🔎] 23879c5e-5921-cc08-901c-ddc018f8e2a1@debian.org>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-2404-1               debian-lts@lists.debian.org
https://www.debian.org/lts/security/                     Markus Koschany
October 09, 2020                             https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : eclipse-wtp
Version        : 3.6.3-3+deb9u1
CVE ID         : CVE-2019-17637

In Eclipse Web Tools Platform, a component of the Eclipse IDE, XML and
DTD files referring to external entities could be exploited to send the
contents of local files to a remote server when edited or validated,
even when external entity resolution is disabled in the user
preferences.

For Debian 9 stretch, this problem has been fixed in version
3.6.3-3+deb9u1.

We recommend that you upgrade your eclipse-wtp packages.

For the detailed security status of eclipse-wtp please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/eclipse-wtp

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAl+A8FNfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7
UeSo0A/+OBRLUAgyW5/fajXV+onFyKs/VXWpyHUYveyF5kMH4h97GR7LAZAZ4uGQ
ZwfvYJ4selQ/5Q0JcGeCFo5aC3jG3tskBLCUCnp5Nza4I5Xk+sedZUFN+i3NVgJS
Y4xoNC2j5fr61gyRQCxISG2g5YrkK6wrVhKC3kUzL7Esy/3HFi2SLH7CeqEMNTcm
jOUIvhYQZfBw8ODaVXz/f9jbTLn7Q8d9EljCkotcugP8p5XXUHfvhRsURpX9EDu3
AtcGKTv0jCw7AOAQOdmB0pekfTq4Cd5jCApc23tZw7eRAXlGSP08Zeq2LXU4try1
kGXXLTlJT1RByuhWoSDh/tLqgjkC6vJli5JbxDihpcEUZsW8qhx+B+K7fU7EeB+3
Rxy7XhNQZim4bflT/y38G+/dzyh7QPe+I/X0KwTQ8HLsblCtW4oXjUdGd8QsHmsJ
mAFtXrxEbiBrXYBXNwllNtcfOM4n5yGdv1jlzgGdTG4zaDvFqAb2bwBH2YeVK1pA
m7PfCFxCfW29sCE+y5PXDPxEqO4PUiRT2Cd/8HSOS2tmE93XTILF6siBcIDzgF+b
6wnzJ+X2ZbXEhhIQcgaHPTHrDjHcSTCZUoLx8zkrVyBN8zHq7UKkm/pqi3lLSm7f
sGpORm4BYyy2cBP3acWPx/QROm1uckNjcRShEaTxfT7QzeuexGU=
=4q33
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 2403-1] rails security update
Next by Date: [SECURITY] [DLA 2405-1] httpcomponents-client security update
Previous by thread: [SECURITY] [DLA 2403-1] rails security update
Next by thread: [SECURITY] [DLA 2405-1] httpcomponents-client security update
Index(es):
- Date
- Thread