Source: libjettison-java Version: 1.4.1-1 Severity: important Tags: security upstream X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi, The following vulnerability was published for libjettison-java. CVE-2022-40150[0]: | Those using Jettison to parse untrusted XML or JSON data may be | vulnerable to Denial of Service attacks (DOS). If the parser is | running on user supplied input, an attacker may supply content that | causes the parser to crash by Out of memory. This effect may support a | denial of service attack. This issue has not yet been fixed upstream at time of writing this report. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2022-40150 https://www.cve.org/CVERecord?id=CVE-2022-40150 [1] https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=46549 [2] https://github.com/jettison-json/jettison/issues/45 Regards, Salvatore __ This is the maintainer address of Debian's Java team <https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>. Please use [email protected] for discussions and questions.
