Re: CVE Request: Apache Solr XXE

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/28/2013 09:55 PM, David Jorm wrote:
> Hi All
>
> Apache Solr 4.3.1, 4.4, 5.0 resolves multiple XXE flaws, as
> described in the following bugs:
>
> https://issues.apache.org/jira/browse/SOLR-3895

Please use CVE-2013-6407 for this issue

> https://issues.apache.org/jira/browse/SOLR-4881

Please use CVE-2013-6408 for this issue

> I have confirmed that these issues can also be exploited on Apache
> Solr 3.6.2. Please assign a CVE ID for these XXE flaws (I think a
> single CVE ID is most appropriate).

These have to be SPLIT, different reporters, and one was in a release
so the second is a classic "incomplete fix for X" CVE as well.

> Thanks



- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)

iQIcBAEBAgAGBQJSmCFDAAoJEBYNRVNeJnmT7fYQAIKOMe+q8PqWDZKN5oMokwVU
R1ukFZ7YIXfoxewUlSHrPBGFEf1Nhwni7luucrm53gCvqIEZ8tUKchirZOud+TVH
kk/cZk5JZEC9IT7kfEqVkVhxz7xUf6/DTLxKiQ7266ehzyvD7Rmii01Dm8Jxdd9h
Bl0EjXMANvVwaKSZjslM8RgA8T9sN/vWWD1GbfEHr9bHETbJ3Mns0LGRtZqzrdcF
r76bW2guIgNODIV+8Y3ZWJ305ZcmZSXD7x+/yYiFGwDIcWeusbokafw++wpqj0Ix
/miP9dAAm/lgyjZwi1Q+lC1UGTf/SPOQkTkwR9N77Gvsk0aRLPUMjDVWFgsNhKnt
7+hD3HB/uarw7qaqC+RdJTvx25kkbFNk7dFDKNxnwvWNa/Nc5a3nkYdJmxzA3u2L
VcXeGhEani8MkWbOCBtLvYi+gyCmSbmJ7W0sTz9yI4ABYVGSDk4DW4/V8sd07Kvd
vnn4eQeR7DbXl/U1zIW+wKoETsbGoYAMC0F64nrnnbfp4IKdVwk1z29FC8eBPCQI
Y2Tj+HEfEq1qNn1ACi1x2HmFKu9PxCpLMaW6s/7fhHC4d3/BBx+S+qkzyI8BLW24
WRgmYvuQuunrN8sI+382cIg7SxocZjqm77ZknSAXqWWLMyF183LUkmxyB806QXtY
P4EQesHGBHubthiQshka
=VPpG
-----END PGP SIGNATURE-----