Explore top 10 tips to secure your open-source projects now. Read More
×
Date: Mon, 31 Aug 2015 14:15:41 +0000 Reply-To: scientific-linux-users@ Sender: Security Errata for Scientific LinuxFrom: Pat Riehecky Subject: Security ERRATA Important: jakarta-taglibs-standard on SL6.x, SL7.x (noarch) MIME-Version: 1.0 Message-ID: <20150831141541.9244.10451@slpackages.fnal.gov> Synopsis: Important: jakarta-taglibs-standard security update Advisory ID: SLSA-2015:1695-1 Issue Date: 2015-08-31 CVE Numbers: CVE-2015-0254 -- It was found that the Java Standard Tag Library (JSTL) allowed the processing of untrusted XML documents to utilize external entity references, which could access resources on the host system and, potentially, allowing arbitrary code execution. (CVE-2015-0254) Note: additional configuration may be required: This version uses JAXP=E2=80=99s FEATURE_SECURE_PROCESSING to restrict XML processing. Depending on the Java runtime version in use. Java8: External entity access is automatically disabled if a SecurityManager is active. Java7: JAXP properties may need to be used to disable external access. See https://docs.oracle.com/javase/tutorial/jaxp/properties/properties.html Java6 and earlier:=20 A new system property org.apache.taglibs.standard.xml.accessExternalEntity may be used to specify the protocols that can be used to access external entities. This defaults to =E2=80=9Call=E2=80=9D if no SecurityManager is present and to =E2=80=9C=E2=80=9D (thereby disabling access) if a SecurityManager is detected. -- SL6 noarch jakarta-taglibs-standard-1.1.1-11.7.el6_7.noarch.rpm jakarta-taglibs-standard-javadoc-1.1.1-11.7.el6_7.noarch.rpm SL7 noarch jakarta-taglibs-standard-1.1.2-14.el7_1.noarch.rpm jakarta-taglibs-standard-javadoc-1.1.2-14.el7_1.noarch.rpm - Scientific Linux Development Team lastline