Security Information / 2016 / Security Information -- DSA-3679-1 jackrabbit

Debian Security Advisory

DSA-3679-1 jackrabbit -- security update

Date Reported:

27 Sep 2016

Affected Packages:

jackrabbit

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 838204.
In Mitre's CVE dictionary: CVE-2016-6801.

More information:

Lukas Reschke discovered that Apache Jackrabbit, an implementation of the Content Repository for Java Technology API, did not correctly check the Content-Type header on HTTP POST requests, enabling Cross-Site Request Forgery (CSRF) attacks by malicious web sites.

For the stable distribution (jessie), this problem has been fixed in version 2.3.6-1+deb8u2.

For the unstable distribution (sid), this problem has been fixed in version 2.12.4-1.

We recommend that you upgrade your jackrabbit packages.