Your message dated Fri, 18 Jun 2021 06:06:12 +0200
with message-id <[email protected]>
and subject line [[email protected]: Accepted libxstream-java 1.4.15-3 (source) into unstable]
has caused the Debian Bug report #989491,
regarding libxstream-java: CVE-2021-29505
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
989491: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989491
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libxstream-java
Version: 1.4.15-2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for libxstream-java.
CVE-2021-29505[0]:
| ### Impact
| The vulnerability may allow a remote attacker who has sufficient rights to
| execute commands of the host only by manipulating the processed input
| stream. No user is affected who followed the recommendation to set up
| XStream's security framework with a whitelist limited to the minimal
| required types.
| ### Patches
| If you rely on XStream's default blacklist of the Security Framework, you
| will have to use at least version 1.4.17.
| ### Workarounds
| See [workarounds](https://x-stream.github.io/security.html#workaround) for
| the different versions covering all CVEs.
| ### References
| See full information about the nature of the vulnerability and the steps
| to reproduce it in XStream's documentation for
| [CVE-2021-xxxxx](https://x-stream.github.io/CVE-2021-xxxxx.html).
| ### Credits
| V3geB1rd, white hat hacker from Tencent Security Response Center, found
| and reported the issue to XStream and provided the required information
| to reproduce it.
| ### For more information
| If you have any questions or comments about this advisory:
| * Open an issue in [XStream](https://github.com/x-stream/xstream/issues)
| * Email us at [XStream Google Group](https://groups.google.com/group/xstream-user)
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-29505
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29505
[1] https://github.com/x-stream/xstream/security/advisories/GHSA-7chv-rrw6-w6fc
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
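The advisory quoted above says that users who configured XStream's security framework with an allowlist limited to the required types were not affected. The following is an added example of that configuration, written for this page; it is not code from the bug report, the Debian package, or the XStream project. It assumes the XStream 1.4.7+ security API (`addPermission`, `allowTypes`, `allowTypesByWildcard`, `allowTypeHierarchy`), and the `Order` class and the `com.example.app.model` package are hypothetical stand-ins for an application's own types.

```java
import java.util.Collection;

import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

/**
 * Builds an XStream instance that only deserializes an explicit allowlist of
 * types. Everything not listed here is refused by the security framework
 * before any instance of it is created.
 */
public final class SafeXStreamFactory {

    // Hypothetical application type that this service legitimately reads.
    public static final class Order {
        public String id;
        public int quantity;
    }

    public static XStream create() {
        XStream xstream = new XStream();
        // Discard XStream's default permissions (the blacklist the advisory
        // warns about) and start from "nothing is allowed".
        xstream.addPermission(NoTypePermission.NONE);
        // Re-admit only the basics an ordinary payload needs.
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { String.class });
        xstream.allowTypeHierarchy(Collection.class);
        // Application types: explicit classes, plus a package wildcard for the
        // (hypothetical) model package this service owns.
        xstream.allowTypes(new Class[] { Order.class });
        xstream.allowTypesByWildcard(new String[] { "com.example.app.model.**" });
        return xstream;
    }

    /**
     * Returns true when the payload was refused on type-permission grounds.
     * XStream throws ForbiddenClassException directly for the root element and
     * may wrap it in a ConversionException for nested elements, so the cause
     * chain is inspected. Any other failure is rethrown unchanged.
     */
    public static boolean isRejected(XStream xstream, String xml) {
        try {
            xstream.fromXML(xml);
            return false;
        } catch (XStreamException e) {
            for (Throwable t = e; t != null; t = t.getCause()) {
                if (t instanceof ForbiddenClassException) {
                    return true;
                }
            }
            throw e;
        }
    }

    public static void main(String[] args) {
        XStream xstream = create();

        // Constructed sample: an allowlisted type round-trips normally.
        Order o = new Order();
        o.id = "A-1";
        o.quantity = 2;
        String xml = xstream.toXML(o);
        Order back = (Order) xstream.fromXML(xml);
        System.out.println("allowed: " + back.id + " x" + back.quantity);

        // Constructed sample: a document naming a JDK type that is not on the
        // allowlist is refused, regardless of whether that type is harmful.
        String unexpected = "<java.awt.Point><x>1</x><y>2</y></java.awt.Point>";
        System.out.println("rejected: " + isRejected(xstream, unexpected));
    }
}
```

The important line is `addPermission(NoTypePermission.NONE)`: without it the instance keeps the default permission set, which on XStream versions before 1.4.18 is the blacklist that CVE-2021-29505 bypasses. Keeping the allowlist narrow (a handful of classes and one package wildcard) is what the advisory means by "limited to the minimal required types"; a wildcard such as `**` would reopen the same exposure.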
--- Begin Message ---
Source: libxstream-java
Source-Version: 1.4.15-3
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 17 Jun 2021 21:45:48 +0900
Source: libxstream-java
Architecture: source
Version: 1.4.15-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: Hideki Yamane <[email protected]>
Closes: 98949
Changes:
libxstream-java (1.4.15-3) unstable; urgency=medium
.
* Team upload.
* debian/patches
- Add 0004-Fix-CVE-2021-29505-from-upstream-commit-Closes-98949.patch to
deal with CVE-2021-29505 (Closes: 98949)
.
For more detail, see
https://github.com/x-stream/xstream/security/advisories/GHSA-7chv-rrw6-w6fc
Checksums-Sha1:
a5b6e44cfb68d301a34b205e97ba57006a0a6d45 2369 libxstream-java_1.4.15-3.dsc
8fe6f7566cb05720cf6124001847226ac77f1807 9736 libxstream-java_1.4.15-3.debian.tar.xz
9b2d7caeb9a403b5130cddc1d677bebb15b7991b 16152 libxstream-java_1.4.15-3_amd64.buildinfo
Checksums-Sha256:
84c3d5a1eaffec79a843424698241527d5e346e16ff806a335264ac84d38b71a 2369 libxstream-java_1.4.15-3.dsc
434e608df03221e2c601050dca4b076e67775694ba7e54760e39fe0b81ac5b68 9736 libxstream-java_1.4.15-3.debian.tar.xz
3aa8b741049214c195247ac379815365e54ce4ed05510e96623e67d772804013 16152 libxstream-java_1.4.15-3_amd64.buildinfo
Files:
789e0ead588883f3c9645f07361aa27f 2369 java optional libxstream-java_1.4.15-3.dsc
594c3230afae127fc440c44bb95a636a 9736 java optional libxstream-java_1.4.15-3.debian.tar.xz
5a7fa05abd6bb42c04eaed3ecde96476 16152 java optional libxstream-java_1.4.15-3_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
--
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use [email protected] for discussions and questions.