UbuntuUpdates.org

Package "libdom4j-java"

Name: libdom4j-java

Description:

flexible XML framework for Java

Latest version: 1.6.1+dfsg.3-2ubuntu1.2
Release: xenial (16.04)
Level: security
Repository: universe
Head package: dom4j
Homepage: http://sourceforge.net/projects/dom4j/


Other versions of "libdom4j-java" in Xenial

Repository  Area      Version
base        universe  1.6.1+dfsg.3-2ubuntu1
updates     universe  1.6.1+dfsg.3-2ubuntu1.2

Changelog

Version: 1.6.1+dfsg.3-2ubuntu1.2 2020-11-05 18:06:19 UTC

  dom4j (1.6.1+dfsg.3-2ubuntu1.2) xenial-security; urgency=medium

  * SECURITY UPDATE: XML injection attack
    - debian/patches/07_disable_xsd_support.patch: Drop patch as dom4j is in
      universe in xenial.
    - debian/patches/CVE-2018-1000632.patch: Validate QName inputs - throw
      IllegalArgumentException when qualified name contains disallowed
      character.
    - debian/patches/testng.patch: Build and test AllowedCharsTest to verify
      that CVE-2018-1000632 is correctly addressed.
    - debian/patches/fix_test_names.patch: Fix tests with invalid QNames.
    - debian/control: Add testng, libmsv-java, and librelaxng-datatype-java to
      build-deps.
    - debian/rules: Add testng to ant target and add xsdlib to debian JARs.
    - CVE-2018-1000632

 -- Avital Ostromich <email address hidden> Mon, 26 Oct 2020 13:04:45 -0400

CVE-2018-1000632 dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can res
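The CWE-91 issue above is that, before the fix, Element.addElement and Element.addAttribute accepted any string as a name, so a name carrying `<`, `>`, `/`, `"` or `=` was written straight into the serialized document as extra markup. The following is an added example (not dom4j's code, and not the Ubuntu patch) of an application-side guard that does what the patch does inside the library: validate the qualified name and throw IllegalArgumentException before the name ever reaches dom4j. It assumes the dom4j 1.6.x API (DocumentHelper, Element.addElement/addAttribute/addText, XMLWriter) and uses a deliberately conservative NCName check that rejects some legal non-ASCII names; the attacker-controlled names in main are constructed inputs.

```java
import java.io.IOException;
import org.dom4j.Document;
import org.dom4j.DocumentHelper;
import org.dom4j.Element;
import org.dom4j.io.OutputFormat;
import org.dom4j.io.XMLWriter;

// Added example: QName validation in front of dom4j's addElement/addAttribute.
// Not dom4j's own code; an unpatched 1.6.1 accepts any string as a name.
public class SafeNames {

    // Conservative NCName check (assumption: an ASCII-centric subset of the XML 1.0
    // Name rules is acceptable here). It rejects some legal Unicode names; what matters
    // for CWE-91 is that '<', '>', '/', '"', '=' and whitespace can never pass.
    static boolean isNCName(String s) {
        if (s == null || s.isEmpty()) return false;
        char c0 = s.charAt(0);
        if (!(Character.isLetter(c0) || c0 == '_')) return false;
        for (int i = 1; i < s.length(); i++) {
            char c = s.charAt(i);
            if (!(Character.isLetterOrDigit(c) || c == '_' || c == '-' || c == '.')) return false;
        }
        return true;
    }

    // A QName is either an NCName or prefix:local with both halves NCNames.
    static boolean isValidQName(String name) {
        if (name == null) return false;
        int colon = name.indexOf(':');
        if (colon < 0) return isNCName(name);
        if (name.indexOf(':', colon + 1) >= 0) return false;   // at most one colon
        return isNCName(name.substring(0, colon)) && isNCName(name.substring(colon + 1));
    }

    // Same contract as the patched library: disallowed name -> IllegalArgumentException.
    static String requireQName(String name) {
        if (!isValidQName(name)) {
            throw new IllegalArgumentException("Illegal qualified name: " + name);
        }
        return name;
    }

    // Use these wrappers wherever an element or attribute name comes from untrusted input.
    static Element addChildElement(Element parent, String name, String text) {
        return parent.addElement(requireQName(name)).addText(text);
    }

    static Element setAttribute(Element el, String name, String value) {
        return el.addAttribute(requireQName(name), value);
    }

    public static void main(String[] args) throws IOException {
        Document doc = DocumentHelper.createDocument();
        Element root = doc.addElement("order");

        // Constructed attacker-controlled names that smuggle extra markup into the output.
        String badElementName = "item/><role>admin</role><item";
        String badAttrName = "id=\"1\" role=\"admin";
        try {
            addChildElement(root, badElementName, "x");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        try {
            setAttribute(root, badAttrName, "1");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // Legitimate names still work, including a prefixed one.
        addChildElement(root, "item", "widget");
        setAttribute(root, "xml:lang", "en");

        XMLWriter writer = new XMLWriter(System.out, OutputFormat.createPrettyPrint());
        writer.write(doc);
        writer.flush();
    }
}
```

Run against an unpatched 1.6.1 without the wrappers, the two "bad" calls go through and the pretty-printed output contains a `<role>admin</role>` element and an attribute the caller never intended; with the wrappers (or with the patched package, which throws the same IllegalArgumentException from inside the library) the document contains only `<item>widget</item>` and `xml:lang="en"`.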

Version: 1.6.1+dfsg.3-2ubuntu1.1 2020-10-14 01:06:18 UTC

  dom4j (1.6.1+dfsg.3-2ubuntu1.1) xenial-security; urgency=medium

  * SECURITY UPDATE: XEE attack
    - debian/patches/CVE-2020-10683.patch: set more secure defaults for
      SAXReader in src/java/org/dom4j/DocumentHelper.java
    - CVE-2020-10683

 -- Avital Ostromich <email address hidden> Tue, 06 Oct 2020 20:55:42 -0400

CVE-2020-10683 dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is po
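The fix above changes what dom4j's SAXReader does by default, but code that cannot rely on having the patched package should set the parser features itself rather than trust defaults. The following is an added example (not dom4j's code and not the Ubuntu patch) of a SAXReader hardened against XXE, exercised with a constructed external-entity payload. It assumes the dom4j 1.6.x API (SAXReader.setFeature, setIncludeExternalDTDDeclarations, setIncludeInternalDTDDeclarations, read(Reader)) and the standard SAX and Xerces feature URIs, which the JDK's built-in parser honours; the file path in the payload is part of the constructed input.

```java
import java.io.StringReader;
import org.dom4j.Document;
import org.dom4j.DocumentException;
import org.dom4j.io.SAXReader;
import org.xml.sax.SAXException;

// Added example: explicitly hardening dom4j's SAXReader against XXE instead of
// relying on library defaults. Not dom4j's own code.
public class HardenedReader {

    static SAXReader newHardenedReader() throws SAXException {
        SAXReader reader = new SAXReader();
        // Refuse any DOCTYPE: no internal subset, no external DTD, no entity declarations.
        reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case the parser in use ignores the feature above.
        reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
        reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        reader.setIncludeExternalDTDDeclarations(false);
        reader.setIncludeInternalDTDDeclarations(false);
        return reader;
    }

    // The weak configuration: whatever defaults the installed dom4j ships with.
    static SAXReader newDefaultReader() {
        return new SAXReader();
    }

    static String titleOf(SAXReader reader, String xml) throws DocumentException {
        Document doc = reader.read(new StringReader(xml));
        return doc.getRootElement().elementText("title");
    }

    public static void main(String[] args) throws Exception {
        // Constructed XXE payload: an external entity that pulls a local file into <title>.
        String xxe = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE doc [<!ENTITY xxe SYSTEM \"file:///etc/hostname\">]>\n"
            + "<doc><title>&xxe;</title></doc>";
        String benign = "<doc><title>quarterly report</title></doc>";

        SAXReader hardened = newHardenedReader();
        System.out.println("benign -> " + titleOf(hardened, benign));
        try {
            titleOf(hardened, xxe);
            System.out.println("UNEXPECTED: payload parsed");
        } catch (DocumentException e) {
            // disallow-doctype-decl makes the parser fail before any entity is resolved.
            System.out.println("hardened reader rejected payload: " + e.getMessage());
        }

        // Comparison with library defaults: on an unpatched dom4j whose parser resolves
        // external entities, this prints the contents of the referenced file.
        try {
            System.out.println("default reader -> " + titleOf(newDefaultReader(), xxe));
        } catch (DocumentException e) {
            System.out.println("default reader rejected payload: " + e.getMessage());
        }
    }
}
```

disallow-doctype-decl is the single most effective setting because it makes a DOCTYPE a parse error, which also closes the billion-laughs style entity-expansion path; the remaining features only matter for documents that legitimately need a DTD, in which case drop the first feature and keep the rest.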
