Debian Security Advisory
DSA-3679-1 jackrabbit -- security update
- Date Reported:
- 27 Sep 2016
- Affected Packages:
- Security database references:
- In the Debian bugtracking system: Bug 838204.
In Mitre's CVE dictionary: CVE-2016-6801.
- More information:
Lukas Reschke discovered that Apache Jackrabbit, an implementation of the Content Repository for Java Technology API, did not correctly check the Content-Type header on HTTP POST requests, enabling Cross-Site Request Forgery (CSRF) attacks by malicious web sites.
For the stable distribution (jessie), this problem has been fixed in version 2.3.6-1+deb8u2.
For the unstable distribution (sid), this problem has been fixed in version 2.12.4-1.
We recommend that you upgrade your jackrabbit packages.