[resteasy] 01/03: Fix CVE-2014-7839: External entities expanded by DocumentProvider (Closes: #770544)
Emmanuel Bourg
ebourg-guest at moszumanska.debian.org
Mon Nov 24 22:37:54 GMT 2014
This is an automated email from the git hooks/post-receive script.
ebourg-guest pushed a commit to branch master
in repository resteasy.
commit b8d00cbeb708b62b733afdd45fa4cfa52e10d6b3
Author: Emmanuel Bourg <ebourg at apache.org>
Date: Mon Nov 24 23:35:13 2014 +0100
Fix CVE-2014-7839: External entities expanded by DocumentProvider (Closes: #770544)
---
debian/changelog | 8 ++++++++
debian/patches/CVE-2014-7839.diff | 18 ++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 27 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index db71c2b..cb9c7b9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+resteasy (3.0.6-2) UNRELEASED; urgency=medium
+
+ * Team upload.
+ * Fix CVE-2014-7839: External entities expanded by DocumentProvider
+ (Closes: #770544)
+
+ -- Emmanuel Bourg <ebourg at apache.org> Mon, 24 Nov 2014 23:10:47 +0100
+
resteasy (3.0.6-1) unstable; urgency=medium
* Team upload.
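Review bot: the entry records the CVE but not the user-visible effect of debian/patches/CVE-2014-7839.diff, which unconditionally sets "http://apache.org/xml/features/disallow-doctype-decl" to true, so any request body carrying a DOCTYPE will now be rejected by DocumentProvider regardless of the expandEntityReferences setting. A short line here (or a debian/NEWS entry) saying that documents with a DOCTYPE are no longer accepted would stop that from being reported as a regression after upload.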
diff --git a/debian/patches/CVE-2014-7839.diff b/debian/patches/CVE-2014-7839.diff
new file mode 100644
index 0000000..9642634
--- /dev/null
+++ b/debian/patches/CVE-2014-7839.diff
@@ -0,0 +1,18 @@
+Description: Fix CVE-2014-7839: External entities expanded by DocumentProvider
+Origin: backport, https://github.com/ronsigal/Resteasy/commit/8b5d8cf
+ https://github.com/ronsigal/Resteasy/commit/dfd2264
+Bug: https://issues.jboss.org/browse/RESTEASY-1130
+Bug-Debian: https://bugs.debian.org/770544
+--- a/jaxrs/resteasy-jaxrs/src/main/java/org/jboss/resteasy/plugins/providers/DocumentProvider.java
++++ b/jaxrs/resteasy-jaxrs/src/main/java/org/jboss/resteasy/plugins/providers/DocumentProvider.java
+@@ -71,6 +71,10 @@
+ try
+ {
+ documentBuilder.setExpandEntityReferences(expandEntityReferences);
++ documentBuilder.setFeature("http://xml.org/sax/features/external-general-entities", expandEntityReferences);
++ documentBuilder.setFeature("http://xml.org/sax/features/external-parameter-entities", expandEntityReferences);
++ documentBuilder.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, true);
++ documentBuilder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ return documentBuilder.newDocumentBuilder().parse(input);
+ }
+ catch (Exception e)
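Review bot: the two external-entity features are gated on expandEntityReferences, but the disallow-doctype-decl feature added two lines below is set to true unconditionally, which makes the gating moot: with no DOCTYPE allowed there is nowhere for an entity to be declared, so expandEntityReferences=true no longer enables any expansion at all. If that is the behaviour of the two upstream commits cited in Origin, it is the right fix for CVE-2014-7839, but the Description should say so explicitly since it is stricter than the header and the existing setExpandEntityReferences(expandEntityReferences) call suggest. One thing that does look right as written: the setFeature calls sit inside the existing try block ahead of the parse, so a parser that does not recognise one of these feature URIs throws before parse(input) is reached and the code fails closed rather than parsing with the hardening silently missing.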
diff --git a/debian/patches/series b/debian/patches/series
index 194197c..6e15de3 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
revert-to-jsr250-api.diff
+CVE-2014-7839.diff
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/resteasy.git