SCIENTIFIC-LINUX-ERRATA Archives

August 2015

SCIENTIFIC-LINUX-ERRATA@LISTSERV.FNAL.GOV

Date: Mon, 31 Aug 2015 14:15:41 +0000
Sender: Security Errata for Scientific Linux <[log in to unmask]>
From: Pat Riehecky <[log in to unmask]>

Synopsis:          Important: jakarta-taglibs-standard security update
Advisory ID:       SLSA-2015:1695-1
Issue Date:        2015-08-31
CVE Numbers:       CVE-2015-0254
--

It was found that the Java Standard Tag Library (JSTL) allowed the
processing of untrusted XML documents to utilize external entity
references, which could access resources on the host system and,
potentially, allow arbitrary code execution. (CVE-2015-0254)

Note: additional configuration may be required.

This version uses JAXP's FEATURE_SECURE_PROCESSING to restrict XML processing.
What further configuration is needed depends on the Java runtime version in use:

Java 8: External entity access is automatically disabled if a
        SecurityManager is active.
Java 7: JAXP properties may need to be used to disable external access.
        See http://docs.oracle.com/javase/tutorial/jaxp/properties/properties.html
Java 6 and earlier:
        A new system property org.apache.taglibs.standard.xml.accessExternalEntity may
        be used to specify the protocols that can be used to access external
        entities. This defaults to "all" if no SecurityManager is present and
        to "" (thereby disabling access) if a SecurityManager is detected.
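The following is an added example, not part of the advisory or the taglib's own code, showing how the JAXP settings referenced above are applied and verified: it builds a DocumentBuilderFactory with FEATURE_SECURE_PROCESSING and the JAXP 1.5 access properties (assumes Java 7u40 or later, where javax.xml.XMLConstants.ACCESS_EXTERNAL_DTD exists), sets the process-wide system properties as an operator would, and checks that a constructed document declaring an external entity is refused while a plain document is accepted.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.SAXException;

public class HardenedXmlParsing {
    // Factory whose parsers refuse to fetch external DTDs and external entities.
    public static DocumentBuilderFactory newHardenedFactory() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // The JAXP feature the advisory says the fixed taglib now turns on.
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // JAXP 1.5 access properties (Java 7u40+, Java 8): an empty protocol
        // list means no protocol may be used, so external access is disabled.
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return dbf;
    }

    // True when the parser rejects the document, false when it parses cleanly.
    public static boolean parserRejects(DocumentBuilderFactory dbf, String xml) throws Exception {
        DocumentBuilder db = dbf.newDocumentBuilder();
        try {
            db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return false;
        } catch (SAXException e) {
            // The JDK parser reports a fatal error naming the accessExternalDTD restriction.
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        // Process-wide equivalents for code (such as the taglib) that builds its own
        // factories: the JAXP property from the linked Oracle page and the taglib property.
        System.setProperty("javax.xml.accessExternalDTD", "");
        System.setProperty("org.apache.taglibs.standard.xml.accessExternalEntity", "");

        // Constructed sample documents. The SYSTEM identifier is a placeholder that
        // is never read, because the hardened parser refuses before any access.
        String withExternalEntity = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE d [ <!ENTITY ext SYSTEM \"file:///placeholder/never-read\"> ]>\n"
                + "<d>&ext;</d>";
        String plain = "<d>hello</d>";
        DocumentBuilderFactory hardened = newHardenedFactory();
        System.out.println("external entity rejected: " + parserRejects(hardened, withExternalEntity));
        System.out.println("plain document rejected:   " + parserRejects(hardened, plain));
    }
}
```

The system properties must be set before any parser is created (for a servlet container, typically on the JVM command line with -D), since factories read them at construction time.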
--

SL6
  noarch
    jakarta-taglibs-standard-1.1.1-11.7.el6_7.noarch.rpm
    jakarta-taglibs-standard-javadoc-1.1.1-11.7.el6_7.noarch.rpm
SL7
  noarch
    jakarta-taglibs-standard-1.1.2-14.el7_1.noarch.rpm
    jakarta-taglibs-standard-javadoc-1.1.2-14.el7_1.noarch.rpm

- Scientific Linux Development Team
