
Synopsis:          Important: jakarta-taglibs-standard security update
Advisory ID:       SLSA-2015:1695-1
Issue Date:        2015-08-31
CVE Numbers:       CVE-2015-0254
--

It was found that the Java Standard Tag Library (JSTL) allowed the
processing of untrusted XML documents to utilize external entity
references, which could access resources on the host system and,
potentially, allow arbitrary code execution. (CVE-2015-0254)

Note: additional configuration may be required:

This version uses JAXP’s FEATURE_SECURE_PROCESSING to restrict XML processing. What further configuration is needed depends on the Java runtime version in use:
Java8: External entity access is automatically disabled if a
       SecurityManager is active.
Java7: JAXP properties may need to be used to disable external access.
       See http://docs.oracle.com/javase/tutorial/jaxp/properties/properties.html
Java6 and earlier:
    A new system property org.apache.taglibs.standard.xml.accessExternalEntity may
    be used to specify the protocols that can be used to access external
    entities. This defaults to “all” if no SecurityManager is present and
    to “” (thereby disabling access) if a SecurityManager is detected.
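The note above lists the runtime-dependent knobs but not how they fit together in code. The following is an added example, not code from the advisory or from jakarta-taglibs-standard: it builds a JAXP DocumentBuilder with FEATURE_SECURE_PROCESSING plus the Java 7 JAXP access properties (XMLConstants.ACCESS_EXTERNAL_DTD / ACCESS_EXTERNAL_SCHEMA, the programmatic form of the properties documented at the Oracle link above) and the usual Xerces entity features, then probes it with a constructed document whose DOCTYPE points at a host that is never meant to be contacted. The class name, the probe method and the sample document are assumptions made for this example; the feature and property names are the real JAXP/Xerces identifiers.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.SAXException;

/**
 * Added example (not part of the advisory or of jakarta-taglibs-standard).
 * Builds a hardened JAXP parser and reports whether a document with an
 * external DOCTYPE reference is refused by policy, accepted, or whether the
 * parser went out and tried to fetch the reference.
 */
public class HardenedXmlParser {

    // Xerces/SAX feature names (real identifiers, implementation-specific).
    private static final String DISALLOW_DOCTYPE =
        "http://apache.org/xml/features/disallow-doctype-decl";
    private static final String EXTERNAL_GENERAL =
        "http://xml.org/sax/features/external-general-entities";
    private static final String EXTERNAL_PARAMETER =
        "http://xml.org/sax/features/external-parameter-entities";

    public static DocumentBuilder newHardenedBuilder()
            throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();

        // The feature the advisory note names. By itself it only cuts off
        // external access on Java 8 under a SecurityManager, so the rest of
        // this method sets the remaining restrictions explicitly.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);

        // Java 7+ (JAXP 1.5): "" means no protocol may be used for external
        // DTDs or schemas. Same effect as -Djavax.xml.accessExternalDTD= and
        // -Djavax.xml.accessExternalSchema= on the JVM command line.
        try {
            f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        } catch (IllegalArgumentException olderJaxp) {
            // Java 6 and earlier: these properties do not exist; rely on
            // the parser-level features below.
        }

        // Parser-level features for Xerces-based implementations.
        f.setFeature(DISALLOW_DOCTYPE, true);
        f.setFeature(EXTERNAL_GENERAL, false);
        f.setFeature(EXTERNAL_PARAMETER, false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /**
     * Probe (assumed helper for this example). Returns one of:
     *   REFUSED_BY_POLICY  - parser rejected the DOCTYPE before resolving it
     *   ATTEMPTED_EXTERNAL_ACCESS - parser tried to fetch the reference
     *   ACCEPTED           - document parsed, external reference resolved
     */
    public static String probeExternalDoctype(DocumentBuilder builder) {
        // Constructed sample; example.invalid is a reserved, unresolvable name.
        String sample = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE note SYSTEM \"http://example.invalid/never-fetched.dtd\">\n"
            + "<note>hello</note>";
        try {
            builder.parse(new ByteArrayInputStream(
                sample.getBytes(StandardCharsets.UTF_8)));
            return "ACCEPTED";
        } catch (SAXException refused) {
            return "REFUSED_BY_POLICY";
        } catch (IOException fetched) {
            return "ATTEMPTED_EXTERNAL_ACCESS";
        }
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilder plain =
            DocumentBuilderFactory.newInstance().newDocumentBuilder();
        DocumentBuilder hardened = newHardenedBuilder();
        System.out.println("default builder:  " + probeExternalDoctype(plain));
        System.out.println("hardened builder: " + probeExternalDoctype(hardened));
    }
}
```

The distinction the probe draws is the one that matters for this advisory: a correctly configured parser reports REFUSED_BY_POLICY without ever opening a connection or file, whereas ATTEMPTED_EXTERNAL_ACCESS means the restriction is not in effect on that runtime. For the taglib itself on Java 6 and earlier, the equivalent operator-side setting is the system property the note describes, started with an empty value (-Dorg.apache.taglibs.standard.xml.accessExternalEntity=), which gives the same "disabled" behaviour the note says is applied automatically when a SecurityManager is detected.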
--

SL6
  noarch
    jakarta-taglibs-standard-1.1.1-11.7.el6_7.noarch.rpm
    jakarta-taglibs-standard-javadoc-1.1.1-11.7.el6_7.noarch.rpm
SL7
  noarch
    jakarta-taglibs-standard-1.1.2-14.el7_1.noarch.rpm
    jakarta-taglibs-standard-javadoc-1.1.2-14.el7_1.noarch.rpm

- Scientific Linux Development Team