oss-sec mailing list archives
Re: CVE Request: Apache Solr XXE
From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 28 Nov 2013 22:08:20 -0700
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 11/28/2013 09:55 PM, David Jorm wrote:
Hi All Apache Solr 4.3.1, 4.4, 5.0 resolves multiple XXE flaws, as described in the following bugs: https://issues.apache.org/jira/browse/SOLR-3895
Please use CVE-2013-6407 for this issue
https://issues.apache.org/jira/browse/SOLR-4881
Please use CVE-2013-6408 for this issue
I have confirmed that these issues can also be exploited on Apache Solr 3.6.2. Please assign a CVE ID for these XXE flaws (I think a single CVE ID is most appropriate).
These have to be SPLIT, different reporters, and one was in a release so the second is a classic "incomplete fix for X" CVE as well.
Thanks
- -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.15 (GNU/Linux) iQIcBAEBAgAGBQJSmCFDAAoJEBYNRVNeJnmT7fYQAIKOMe+q8PqWDZKN5oMokwVU R1ukFZ7YIXfoxewUlSHrPBGFEf1Nhwni7luucrm53gCvqIEZ8tUKchirZOud+TVH kk/cZk5JZEC9IT7kfEqVkVhxz7xUf6/DTLxKiQ7266ehzyvD7Rmii01Dm8Jxdd9h Bl0EjXMANvVwaKSZjslM8RgA8T9sN/vWWD1GbfEHr9bHETbJ3Mns0LGRtZqzrdcF r76bW2guIgNODIV+8Y3ZWJ305ZcmZSXD7x+/yYiFGwDIcWeusbokafw++wpqj0Ix /miP9dAAm/lgyjZwi1Q+lC1UGTf/SPOQkTkwR9N77Gvsk0aRLPUMjDVWFgsNhKnt 7+hD3HB/uarw7qaqC+RdJTvx25kkbFNk7dFDKNxnwvWNa/Nc5a3nkYdJmxzA3u2L VcXeGhEani8MkWbOCBtLvYi+gyCmSbmJ7W0sTz9yI4ABYVGSDk4DW4/V8sd07Kvd vnn4eQeR7DbXl/U1zIW+wKoETsbGoYAMC0F64nrnnbfp4IKdVwk1z29FC8eBPCQI Y2Tj+HEfEq1qNn1ACi1x2HmFKu9PxCpLMaW6s/7fhHC4d3/BBx+S+qkzyI8BLW24 WRgmYvuQuunrN8sI+382cIg7SxocZjqm77ZknSAXqWWLMyF183LUkmxyB806QXtY P4EQesHGBHubthiQshka =VPpG -----END PGP SIGNATURE-----
Current thread:
- CVE Request: Apache Solr XXE David Jorm (Nov 28)
- Re: CVE Request: Apache Solr XXE Kurt Seifried (Nov 28)