Package: jackrabbit / 2.3.6-1+deb8u2

Metadata

Package: jackrabbit
Version: 2.3.6-1+deb8u2
Patches format: 3.0 (quilt)

Patch series

Patch | File delta | Description
modules.diff

pom.xml | 18 0 + 18 - 0 !
1 file changed, 18 deletions(-)

 disable all modules except webdav
servlet_api_25.diff

jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/WebdavRequestImpl.java | 17 17 + 0 - 0 !
jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/WebdavResponseImpl.java | 9 9 + 0 - 0 !
2 files changed, 26 insertions(+)

 add some methods for servlet api 2.5 compat
CVE 2015 1833.patch

jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DavDocumentBuilderFactory.java | 86 86 + 0 - 0 !
jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DomUtil.java | 22 3 + 19 - 0 !
jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/ParserTest.java | 78 78 + 0 - 0 !
jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/TestAll.java | 1 1 + 0 - 0 !
4 files changed, 168 insertions(+), 19 deletions(-)

 cve-2015-1833


CVE 2016 6801.patch

jackrabbit-spi2dav/src/main/java/org/apache/jackrabbit/spi2davex/PostMethod.java | 1 1 + 0 - 0 !
jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/DavResource.java | 2 1 + 1 - 0 !
jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/server/AbstractWebdavServlet.java | 3 1 + 2 - 0 !
jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/util/CSRFUtil.java | 83 71 + 12 - 0 !
4 files changed, 74 insertions(+), 15 deletions(-)

 cve-2016-6801

The CSRF content-type check for POST requests did not handle missing
Content-Type header fields, nor variations in field values with respect to
upper/lower case or optional parameters. This could be exploited to create a
resource via CSRF.

Backported to the 2.3 branch.