Bugzilla – Bug 920813
VUL-0: CVE-2015-0254: jakarta-taglibs-standard: XXE and RCE via XSL extension in JSTL XML tags
Last modified: 2020-06-11 12:18:09 UTC
found in rh tracker: The following flaw was found in Apache Standard Taglibs: When an application uses <x:parse> or <x:transform> tags to process untrusted XML documents, a request may utilize external entity references to access resources on the host system or utilize XSLT extensions that may allow remote execution.
Upstream announcement: https://mail-archives.apache.org/mod_mbox/www-announce/201502.mbox/%3C82207A16-6348-4DEE-877E-F7B87292576A%40apache.org%3E
https://bugzilla.redhat.com/show_bug.cgi?id=1198606
An update workflow for this issue was started. This issue was rated as important. Please submit fixed packages until 2015-03-12. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/60928
bugbot adjusting priority
Created attachment 650280 [details] CVE-2015-0254.patch
From Debian. Slightly refreshed. I sent it to Factory, 13.2 and 13.1 for now.
This is an autogenerated message for OBS integration: This bug (920813) was mentioned in
https://build.opensuse.org/request/show/336663 Factory / jakarta-taglibs-standard
https://build.opensuse.org/request/show/336664 13.2 / jakarta-taglibs-standard
https://build.opensuse.org/request/show/336665 13.1 / jakarta-taglibs-standard
https://build.opensuse.org/request/show/336665 doesn't work for 13.1, please have a look at openSUSE:Maintenance:4073.
(In reply to Johannes Segitz from comment #11)
> https://build.opensuse.org/request/show/336665
> doesn't work for 13.1, please have a look at openSUSE:Maintenance:4073.
Needs newer xalan, see sr#336705.
openSUSE-SU-2015:1751-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 920813
CVE References: CVE-2015-0254
Sources used:
openSUSE 13.2 (src): jakarta-taglibs-standard-1.1.1-255.3.1
openSUSE 13.1 (src): jakarta-taglibs-standard-1.1.1-252.3.1, xalan-j2-2.7.2-262.7.1
Packages submitted:
Maintained in    Version    Request
---------------------------------
SLE-12:Update    1.1.1      mr#133577
SLE-11:Update    1.1.1      sr#133578
SUSE-SU-2017:1568-1: An update that fixes one vulnerability is now available.
Category: security (important)
Bug References: 920813
CVE References: CVE-2015-0254
Sources used:
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): jakarta-taglibs-standard-1.1.1-255.2
SUSE Linux Enterprise Server 12-SP2 (src): jakarta-taglibs-standard-1.1.1-255.2
Tomas, Marcus, this creates a regression in Manager and our spacewalk-java package does not build any more.
https://build.suse.de/package/live_build_log/Devel:Galaxy:Manager:3.1/spacewalk-java/SLE_12_SP2/x86_64
If you have any suggestion it is appreciated, as the patch is quite extensive and we are having a hard time figuring out how to fix this problem.
> might be possible in following months if Manager guys succeed with their plan to rule the world :)
Oh, we have no such plan, but we have been able to build Maven-based packages for years already ;-)
For reference, the regression in comment 20 is tracked in bug 1044804
SUSE-SU-2017:1701-1: An update that fixes one vulnerability is now available.
Category: security (important)
Bug References: 920813
CVE References: CVE-2015-0254
Sources used:
SUSE Linux Enterprise Server 11-SP4 (src): jakarta-taglibs-standard-1.1.1-234.31.1
released