Security Vulnerability Patch in YouTrack 6.5.17031

Valerie Andrianova

Please welcome a fresh YouTrack 6.5.17031 update. This minor release is very important, because it contains a fix for the recently discovered vulnerability to XML External Entity (XXE) attack. It affects XML-based REST API, such as user import or command intellisense API. This attack may lead to the disclosure of confidential data, denial of service, port scanning from the perspective of the YouTrack host machine. This OWASP article explains the vulnerability in details.

We strongly recommend all our stand-alone customers to upgrade to the latest YouTrack 6.5.17031 build. If you’re using the older YouTrack version, please consider settings the following java start parameters to mitigate the attack:

-Djavax.xml.accessExternalDTD=

-Djavax.xml.accessExternalSchema=

-Djavax.xml.accessExternalStylesheet=

Please note, that parameter values are intentionally left blank. Please refer to the documentation if unsure how to set them.

All the InCloud servers are already upgraded to the latest build.

For more details about the changes made in this build, please check the Release Notes.

The Drive to Develop

– YouTrack JetBrains Team

Subscribe to YouTrack Blog updates

Subscribe form

By submitting this form, I agree to the JetBrains Privacy Policy Notification icon

By submitting this form, I agree that JetBrains s.r.o. ("JetBrains") may use my name, email address, and location data to send me newsletters, including commercial communications, and to process my personal data for this purpose. I agree that JetBrains may process said data using third-party services for this purpose in accordance with the JetBrains Privacy Policy. I understand that I can revoke this consent at any time in my profile. In addition, an unsubscribe link is included in each email.

Submit

Thanks, we've got you!