Synopsis: Important: jakarta-taglibs-standard security update
Advisory ID: SLSA-2015:1695-1
Issue Date: 2015-08-31
CVE Numbers: CVE-2015-0254
--
It was found that the Java Standard Tag Library (JSTL) allowed untrusted
XML documents being processed to use external entity references (XXE),
which could access resources on the host system and, potentially, allow
arbitrary code execution. (CVE-2015-0254)
Note: additional configuration may be required. This version uses JAXP's
FEATURE_SECURE_PROCESSING to restrict XML processing; what else is needed
depends on the Java runtime version in use:
Java8: External entity access is automatically disabled if a
SecurityManager is active.
Java7: JAXP properties may need to be used to disable external access.
See http://docs.oracle.com/javase/tutorial/jaxp/properties/properties.html
Java6 and earlier:
A new system property org.apache.taglibs.standard.xml.accessExternalEntity may
be used to specify the protocols that can be used to access external
entities. This defaults to “all” if no SecurityManager is present and
to “” (thereby disabling access) if a SecurityManager is detected.
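The Java 7 line above refers to the JAXP access-control properties. The following is an added example, not code from this advisory or from the Apache Taglibs project, showing what those properties do: it parses a constructed document that declares an external entity pointing at a local file, once with an unrestricted DocumentBuilderFactory (the behaviour the CVE describes) and once with FEATURE_SECURE_PROCESSING plus empty ACCESS_EXTERNAL_DTD and ACCESS_EXTERNAL_SCHEMA values, which is the same "no protocols allowed" setting the taglib's org.apache.taglibs.standard.xml.accessExternalEntity property expresses with "". It uses the plain JAXP DocumentBuilderFactory API rather than the JSTL tags, and the class and method names are assumptions; the ACCESS_EXTERNAL_* constants require the JAXP shipped with Java 7u40 or later (Java 8 included), and older runtimes throw IllegalArgumentException from setAttribute, which is why the advisory offers the taglib system property for Java 6.

```java
import java.io.File;
import java.io.IOException;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

// Hypothetical demo class (not part of the advisory or of Apache Taglibs).
public class JaxpExternalAccessDemo {

    // Constructed untrusted document of the kind CVE-2015-0254 concerns: it
    // declares an external general entity pointing at a local file and
    // references it, so a permissive parser inlines the file's content.
    static String untrustedXml(File target) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE doc [ <!ENTITY ext SYSTEM \"" + target.toURI() + "\"> ]>\n"
             + "<doc>&ext;</doc>";
    }

    // Default factory: nothing restricts external entity resolution
    // (unless a SecurityManager is active on Java 8, as the advisory notes).
    static DocumentBuilderFactory permissiveFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    // Hardened factory using the JAXP properties the advisory points to.
    // An empty protocol list for ACCESS_EXTERNAL_DTD blocks external DTDs
    // and external entities; ACCESS_EXTERNAL_SCHEMA blocks schema fetches.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");    // JAXP 1.5 (Java 7u40+)
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f;
    }

    // Parses the document and returns the text content of <doc>, or null
    // when the parser rejects it (the hardened factory raises SAXParseException
    // because access to the file: entity is not allowed by accessExternalDTD).
    static String parse(DocumentBuilderFactory f, String xml)
            throws ParserConfigurationException, IOException {
        try {
            DocumentBuilder b = f.newDocumentBuilder();
            Document d = b.parse(new InputSource(new StringReader(xml)));
            return d.getDocumentElement().getTextContent();
        } catch (SAXException e) {
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Stand-in for a sensitive host file, created locally for the demo.
        File target = File.createTempFile("xxe-demo", ".txt");
        target.deleteOnExit();
        Files.write(target.toPath(), "host-file-content".getBytes(StandardCharsets.UTF_8));

        String xml = untrustedXml(target);
        // Permissive parse expands &ext; to the file's content; hardened parse yields null.
        System.out.println("permissive: " + parse(permissiveFactory(), xml));
        System.out.println("hardened:   " + parse(hardenedFactory(), xml));
    }
}
```

Run it with `javac JaxpExternalAccessDemo.java && java JaxpExternalAccessDemo`. The same three calls apply to TransformerFactory and SAXParserFactory; alternatively the properties can be set JVM-wide through the jaxp.properties file or the javax.xml.accessExternalDTD / javax.xml.accessExternalSchema system properties described at the Oracle URL above, which is the route to take when the parser is created inside the taglib rather than in application code.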
--
SL6
noarch
jakarta-taglibs-standard-1.1.1-11.7.el6_7.noarch.rpm
jakarta-taglibs-standard-javadoc-1.1.1-11.7.el6_7.noarch.rpm
SL7
noarch
jakarta-taglibs-standard-1.1.2-14.el7_1.noarch.rpm
jakarta-taglibs-standard-javadoc-1.1.2-14.el7_1.noarch.rpm
- Scientific Linux Development Team