Debian Security Advisory

DLA-2595-1 velocity -- LTS security update

Date Reported: 17 Mar 2021
Affected Packages: velocity
Vulnerable: Yes
Security database references: In Mitre's CVE dictionary: CVE-2020-13936.
More information:

It was discovered that there was a potential arbitrary code execution vulnerability in velocity, a Java-based template engine for writing web applications. It can be exploited in applications that allow untrusted users to upload or modify templates.

  • CVE-2020-13936

    An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications running Apache Velocity Engine versions up to 2.2 that allow untrusted users to upload or modify Velocity templates.

For Debian 9 Stretch, these problems have been fixed in version 1.7-5+deb9u1.

We recommend that you upgrade your velocity packages.
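To verify that the fix has actually landed on a host, here is an added example (not Debian's or the Velocity project's code) that re-implements dpkg's version ordering in Python and compares an installed version string against the fixed version from this advisory; the function name velocity_is_fixed and the sample version strings are this example's own.

```python
FIXED_VERSION = "1.7-5+deb9u1"  # fixed version named in DLA-2595-1 for Debian 9 "stretch"

def _order(c: str) -> int:
    # dpkg's character weight: digits 0, letters by code point, '~' before even end-of-string.
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return -1 if c == "~" else (ord(c) + 256 if c else 0)

def _verrevcmp(a: str, b: str) -> int:
    # Re-implementation of dpkg's verrevcmp(): alternate non-digit runs and numeric runs.
    while a or b:
        first_diff = 0
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac, bc = (_order(a[0]) if a else 0), (_order(b[0]) if b else 0)
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        a, b = a.lstrip("0"), b.lstrip("0")  # numeric run: leading zeros are insignificant
        while a and a[0].isdigit() and b and b[0].isdigit():
            first_diff = first_diff or int(a[0]) - int(b[0])
            a, b = a[1:], b[1:]
        if a and a[0].isdigit():  # the longer number is the larger one
            return 1
        if b and b[0].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def _split(v: str):
    # [epoch:]upstream[-revision]; the Debian revision follows the last hyphen.
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), (revision if sep else "")

def compare_versions(a: str, b: str) -> int:
    # Negative, zero or positive like dpkg --compare-versions: epoch, then upstream, then revision.
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    return (ea - eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

def velocity_is_fixed(installed: str, fixed: str = FIXED_VERSION) -> bool:
    # True when the installed velocity package is at or above the advisory's fixed version.
    return compare_versions(installed, fixed) >= 0
```

On a Debian host, feed in the output of `dpkg-query -W -f='${Version}' velocity`; where dpkg itself is available, `dpkg --compare-versions` gives the same answer without this re-implementation.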

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS