Your message dated Thu, 10 Nov 2022 00:49:44 +0000
with message-id <[email protected]>
and subject line Bug#1022554: fixed in libjettison-java 1.5.1-1
has caused the Debian Bug report #1022554,
regarding libjettison-java: CVE-2022-40149
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1022554: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1022554
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libjettison-java
Version: 1.4.1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for libjettison-java. It is
fixed upstream in 1.5.1.
CVE-2022-40149[0]:
| Those using Jettison to parse untrusted XML or JSON data may be
| vulnerable to Denial of Service attacks (DOS). If the parser is
| running on user supplied input, an attacker may supply content that
| causes the parser to crash by stackoverflow. This effect may support a
| denial of service attack.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-40149
https://www.cve.org/CVERecord?id=CVE-2022-40149
[1] https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=46538
[2] https://github.com/jettison-json/jettison/issues/45
[3] https://github.com/jettison-json/jettison/commit/395f8625bcf688743872c8e7f59360d372e77811
Regards,
Salvatore
--- End Message ---
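The CVE quoted above is a stack overflow from unbounded recursion on deeply nested untrusted input. One defence a deployer can apply regardless of parser version is to bound nesting depth before a document ever reaches a recursive parser. The scanner below is an added example, not code from the Jettison project or the Debian package; the limit of 64 and the sample documents are constructed assumptions.

```python
"""Pre-parse nesting-depth guard for untrusted JSON (added example).

The scan is iterative, so it cannot itself overflow the stack, and it
honours JSON string literals and backslash escapes so brackets inside
strings are not counted. Input nested deeper than the limit is rejected
before json.loads (a recursive parser) is called.
"""
import json

MAX_DEPTH = 64  # assumed limit; choose one that real documents never exceed


class NestingTooDeep(ValueError):
    """Raised when a document nests deeper than the configured limit."""


def max_nesting_depth(text: str) -> int:
    """Return the deepest [ / { nesting in text, ignoring brackets inside strings."""
    depth = max_depth = 0
    in_string = False
    escaped = False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False          # character after a backslash is literal
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
            continue
        if ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch in "]}":
            depth -= 1                   # mismatches are left for the real parser
    return max_depth


def safe_loads(text: str, limit: int = MAX_DEPTH):
    """Parse JSON only if its nesting depth is within limit."""
    depth = max_nesting_depth(text)
    if depth > limit:
        raise NestingTooDeep(f"nesting depth {depth} exceeds limit {limit}")
    return json.loads(text)


if __name__ == "__main__":
    # Constructed inputs: a normal document and one nested far past the limit.
    normal = '{"user": {"roles": ["admin", "ops"], "name": "a]{[b"}}'
    hostile = "[" * 100_000 + "]" * 100_000
    print(safe_loads(normal)["user"]["roles"])
    try:
        safe_loads(hostile)
    except NestingTooDeep as exc:
        print("rejected:", exc)
```

The same idea applies to XML: count element depth in a streaming (StAX/SAX) pass and abort past the limit, so the bound holds independently of any fix inside the parser library.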
--- Begin Message ---
Source: libjettison-java
Source-Version: 1.5.1-1
Done: Markus Koschany <[email protected]>
We believe that the bug you reported is fixed in the latest version of
libjettison-java, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Markus Koschany <[email protected]> (supplier of updated libjettison-java package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Thu, 10 Nov 2022 01:09:07 +0100
Source: libjettison-java
Architecture: source
Version: 1.5.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: Markus Koschany <[email protected]>
Closes: 1022554
Changes:
libjettison-java (1.5.1-1) unstable; urgency=medium
.
* Team upload.
* New upstream version 1.5.1.
* Fix CVE-2022-40149:
It was discovered that libjettison-java, a collection of StAX parsers and
writers for JSON, was vulnerable to a denial-of-service attack, if the
attacker provided untrusted XML or JSON data. (Closes: #1022554)
--- End Message ---
__
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use [email protected] for discussions and questions.