Forum: >>> Magnum BBS <<<

Bug#1106287: jgit: CVE-2025-4949

From =?UTF-8?Q?Moritz_M=C3=BChlenhoff?=@21:1/5 to All on Thu May 22 17:40:02 2025

Source: jgit
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for jgit.

CVE-2025-4949[0]:
| In Eclipse JGit versions 7.2.0.202503040940-r and older, the
| ManifestParser class used by the repo command and the AmazonS3 class
| used to implement the experimental amazons3 git transport protocol
| allowing to store git pack files in an Amazon S3 bucket, are
| vulnerable to XML External Entity (XXE) attacks when parsing XML
| files. This vulnerability can lead to information disclosure, denial
| of service, and other security issues.

https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/281 https://gitlab.eclipse.org/security/cve-assignement/-/issues/64

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-4949
https://www.cve.org/CVERecord?id=CVE-2025-4949

Please adjust the affected versions in the BTS as needed.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Sysop:	Keyop
Location:	Huddersfield, West Yorkshire, UK
Users:	489
Nodes:	16 (2 / 14)
Uptime:	32:49:19
Calls:	9,667
Calls today:	2
Files:	13,716
Messages:	6,168,945