2024-12-02
ALT-BU-2024-16455-1
Branch sisyphus_riscv64 update bulletin.
Package dom4j updated to version 2.0.3-alt2 for branch sisyphus_riscv64.
Closed vulnerabilities
Published: 2019-03-29
BDU:2020-04038
Уязвимость реализации функции new org.dom4j.io.SAXReader() библиотеки для работы с XML, XPath и XSLT dom4j, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации
Severity: CRITICAL (9.8)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Published: 2018-08-20
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2018-1000632
dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appear to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later.
Severity: HIGH (7.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
- RHSA-2019:0362
- RHSA-2019:0362
- RHSA-2019:0364
- RHSA-2019:0364
- RHSA-2019:0365
- RHSA-2019:0365
- RHSA-2019:0380
- RHSA-2019:0380
- RHSA-2019:1159
- RHSA-2019:1159
- RHSA-2019:1160
- RHSA-2019:1160
- RHSA-2019:1161
- RHSA-2019:1161
- RHSA-2019:1162
- RHSA-2019:1162
- RHSA-2019:3172
- RHSA-2019:3172
- https://github.com/dom4j/dom4j/commit/e598eb43d418744c4dbf62f647dd2381c9ce9387
- https://github.com/dom4j/dom4j/commit/e598eb43d418744c4dbf62f647dd2381c9ce9387
- https://github.com/dom4j/dom4j/issues/48
- https://github.com/dom4j/dom4j/issues/48
- https://ihacktoprotect.com/post/dom4j-xml-injection/
- https://ihacktoprotect.com/post/dom4j-xml-injection/
- [maven-commits] 20190601 [maven-archetype] 01/01: ARCHETYPE-567: switch to dom4j 2.1.1 (and Java 8) dom4j 2.1.1 requires Java 8 dom4j 2.0.2 would retain Java 7 but is vulnerable to CVE-2018-1000632 dom4j 2.0.3 fixes CVE-2018-1000632 but has been pending for ~1 year
- [maven-commits] 20190601 [maven-archetype] 01/01: ARCHETYPE-567: switch to dom4j 2.1.1 (and Java 8) dom4j 2.1.1 requires Java 8 dom4j 2.0.2 would retain Java 7 but is vulnerable to CVE-2018-1000632 dom4j 2.0.3 fixes CVE-2018-1000632 but has been pending for ~1 year
- [maven-dev] 20190531 Re: proposal for maven-archetype to switch to dom4j 2.1.1 (and Java 8)
- [maven-dev] 20190531 Re: proposal for maven-archetype to switch to dom4j 2.1.1 (and Java 8)
- [maven-commits] 20190531 [maven-archetype] 01/01: ARCHETYPE-567: switch to dom4j 2.1.1 (and Java 8) dom4j 2.1.1 requires Java 8 dom4j 2.0.2 would retain Java 7 but is vulnerable to CVE-2018-1000632 dom4j 2.0.3 fixes CVE-2018-1000632 but has been pending for ~1 year
- [maven-commits] 20190531 [maven-archetype] 01/01: ARCHETYPE-567: switch to dom4j 2.1.1 (and Java 8) dom4j 2.1.1 requires Java 8 dom4j 2.0.2 would retain Java 7 but is vulnerable to CVE-2018-1000632 dom4j 2.0.3 fixes CVE-2018-1000632 but has been pending for ~1 year
- [lucene-solr-user] 20190104 Re: SOLR v7 Security Issues Caused Denial of Use - Sonatype Application Composition Report
- [lucene-solr-user] 20190104 Re: SOLR v7 Security Issues Caused Denial of Use - Sonatype Application Composition Report
- [maven-dev] 20190610 Re: proposal for maven-archetype to switch to dom4j 2.1.1 (and Java 8)
- [maven-dev] 20190610 Re: proposal for maven-archetype to switch to dom4j 2.1.1 (and Java 8)
- [maven-dev] 20190531 proposal for maven-archetype to switch to dom4j 2.1.1 (and Java 8)
- [maven-dev] 20190531 proposal for maven-archetype to switch to dom4j 2.1.1 (and Java 8)
- [maven-commits] 20190604 [maven-archetype] branch master updated: ARCHETYPE-567: switch to dom4j 2.1.1 (and Java 8) dom4j 2.1.1 requires Java 8 dom4j 2.0.2 would retain Java 7 but is vulnerable to CVE-2018-1000632 dom4j 2.0.3 fixes CVE-2018-1000632 but has been pending for ~1 year
- [maven-commits] 20190604 [maven-archetype] branch master updated: ARCHETYPE-567: switch to dom4j 2.1.1 (and Java 8) dom4j 2.1.1 requires Java 8 dom4j 2.0.2 would retain Java 7 but is vulnerable to CVE-2018-1000632 dom4j 2.0.3 fixes CVE-2018-1000632 but has been pending for ~1 year
- [maven-dev] 20190603 Re: proposal for maven-archetype to switch to dom4j 2.1.1 (and Java 8)
- [maven-dev] 20190603 Re: proposal for maven-archetype to switch to dom4j 2.1.1 (and Java 8)
- [freemarker-notifications] 20210906 [jira] [Created] (FREEMARKER-190) The jar dom4j has known security issue that Freemarker compiles dependend on it
- [freemarker-notifications] 20210906 [jira] [Created] (FREEMARKER-190) The jar dom4j has known security issue that Freemarker compiles dependend on it
- [debian-lts-announce] 20180924 [SECURITY] [DLA 1517-1] dom4j security update
- [debian-lts-announce] 20180924 [SECURITY] [DLA 1517-1] dom4j security update
- FEDORA-2021-f28c870528
- FEDORA-2021-f28c870528
- FEDORA-2021-8015a8cdc4
- FEDORA-2021-8015a8cdc4
- https://security.netapp.com/advisory/ntap-20190530-0001/
- https://security.netapp.com/advisory/ntap-20190530-0001/
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
- https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
Published: 2020-05-01
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2020-10683
dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j.
Severity: CRITICAL (9.8)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
- openSUSE-SU-2020:0719
- https://bugzilla.redhat.com/show_bug.cgi?id=1694235
- https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
- https://github.com/dom4j/dom4j/commit/a8228522a99a02146106672a34c104adbda5c658
- https://github.com/dom4j/dom4j/commits/version-2.0.3
- https://github.com/dom4j/dom4j/issues/87
- https://github.com/dom4j/dom4j/releases/tag/version-2.1.3
- [velocity-dev] 20201203 Use of external DTDs - CVE-2020-10683
- [velocity-dev] 20201203 Re: Use of external DTDs - CVE-2020-10683
- [freemarker-notifications] 20210906 [jira] [Created] (FREEMARKER-190) The jar dom4j has known security issue that Freemarker compiles dependend on it
- https://security.netapp.com/advisory/ntap-20200518-0002/
- USN-4575-1
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- openSUSE-SU-2020:0719
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com//security-alerts/cpujul2021.html
- USN-4575-1
- https://security.netapp.com/advisory/ntap-20200518-0002/
- [freemarker-notifications] 20210906 [jira] [Created] (FREEMARKER-190) The jar dom4j has known security issue that Freemarker compiles dependend on it
- [velocity-dev] 20201203 Re: Use of external DTDs - CVE-2020-10683
- [velocity-dev] 20201203 Use of external DTDs - CVE-2020-10683
- https://github.com/dom4j/dom4j/releases/tag/version-2.1.3
- https://github.com/dom4j/dom4j/issues/87
- https://github.com/dom4j/dom4j/commits/version-2.0.3
- https://github.com/dom4j/dom4j/commit/a8228522a99a02146106672a34c104adbda5c658
- https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1694235
Package nbd updated to version 3.26.1-alt1 for branch sisyphus_riscv64.
Closed bugs
Не стартует nbd-server с помощью systemd
Package helix updated to version 24.07-alt2 for branch sisyphus_riscv64.
Closed bugs
Use HELIX_DEFAULT_RUNTIME before build instead of HELIX_RUNTIME at runtime