Your message dated Thu, 29 Dec 2022 11:50:05 +0000
with message-id <[email protected]>
and subject line Bug#1027149: fixed in jython 2.7.2+repack1-5
has caused the Debian Bug report #1027149,
regarding jython: CVE-2019-16935
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1027149: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1027149
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: jython
X-Debbugs-CC: [email protected]
Severity: normal
Tags: security
Hi,
This also affects Jython:
CVE-2019-16935[0]:
| The documentation XML-RPC server in Python through 2.7.16, 3.x through
| 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field.
| This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in
| Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with
| untrusted input, arbitrary JavaScript can be delivered to clients that
| visit the http URL for this server.
The fix in cpython was:
https://github.com/python/cpython/commit/8eb64155ff26823542ccf0225b3d57b6ae36ea89
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-16935
https://www.cve.org/CVERecord?id=CVE-2019-16935
Please adjust the affected versions in the BTS as needed.
--- End Message ---
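A regression check for the flaw described in the report above, added here as an example and not taken from the bug report, cpython or jython. It models the defect (the server title interpolated into the documentation page unescaped) beside the corrected form, which applies HTML escaping as the cpython commit did, and then exercises the running interpreter's own `xmlrpc.server` to confirm the shipped fix is present. `DocCGIXMLRPCRequestHandler`, `set_server_title`, `generate_html_documentation` and `html.escape` are real standard-library APIs; `PAGE_TEMPLATE`, the `render_page_*` helpers, the `ping` method and the probe title are constructed for this example.

```python
"""Regression check for CVE-2019-16935-style title escaping.

Added example, not code from the bug report, cpython or jython.  The
render_page_* helpers and PAGE_TEMPLATE are a simplified stand-in for the
documentation page; stdlib_title_is_escaped() checks the real module.
"""
import html
from xmlrpc.server import DocCGIXMLRPCRequestHandler

# Constructed probe: a title value an operator might accept from untrusted input.
PROBE_TITLE = "<script>probe()</script>"

# Hypothetical, simplified page skeleton (the real one lives in pydoc.HTMLDoc.page).
PAGE_TEMPLATE = (
    "<html><head><title>Python: {title}</title></head>"
    "<body>{body}</body></html>"
)


def render_page_unescaped(server_title, body="docs"):
    """Defective pattern: the title reaches the HTML document as-is."""
    return PAGE_TEMPLATE.format(title=server_title, body=body)


def render_page_escaped(server_title, body="docs"):
    """Corrected pattern: escape the title before it is rendered into HTML."""
    return PAGE_TEMPLATE.format(title=html.escape(server_title), body=body)


def contains_raw_markup(page, marker="<script>"):
    """True when a raw tag survived into the rendered page (i.e. escaping failed)."""
    return marker in page


def stdlib_title_is_escaped(title=PROBE_TITLE):
    """Check the interpreter's own xmlrpc.server documentation generator.

    DocCGIXMLRPCRequestHandler shares XMLRPCDocGenerator with DocXMLRPCServer
    but opens no socket, so this runs offline.  Returns True when the
    untrusted title appears only in escaped form in the generated page.
    """
    handler = DocCGIXMLRPCRequestHandler()

    def ping():
        """Constructed method so the page has something to document."""
        return "pong"

    handler.register_function(ping)
    handler.set_server_title(title)
    page = handler.generate_html_documentation()
    return html.escape(title) in page and title not in page


if __name__ == "__main__":
    print("model, unescaped :", contains_raw_markup(render_page_unescaped(PROBE_TITLE)))
    print("model, escaped   :", contains_raw_markup(render_page_escaped(PROBE_TITLE)))
    print("stdlib escapes title:", stdlib_title_is_escaped())
```

On an interpreter that carries the fix, `stdlib_title_is_escaped()` returns True; on an unpatched one the probe title is emitted verbatim and the function returns False, which makes it a cheap check to keep in a deployment's test suite.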
--- Begin Message ---
Source: jython
Source-Version: 2.7.2+repack1-5
Done: Gilles Filippini <[email protected]>
We believe that the bug you reported is fixed in the latest version of
jython, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Gilles Filippini <[email protected]> (supplier of updated jython package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 29 Dec 2022 12:00:40 +0100
Source: jython
Architecture: source
Version: 2.7.2+repack1-5
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: Gilles Filippini <[email protected]>
Closes: 1027149
Changes:
jython (2.7.2+repack1-5) unstable; urgency=medium
.
* CVE-2019-16935 (closes: #1027149)
Checksums-Sha1:
a2052ddc344a4b4b73bd92ee6cf285321c66cf55 2205 jython_2.7.2+repack1-5.dsc
f0fa361a3637ecae6f4f3d4d0c778eb809b57e40 22148 jython_2.7.2+repack1-5.debian.tar.xz
a1a01eddad5b9649b5edeac50b542e12fec5731f 13952 jython_2.7.2+repack1-5_amd64.buildinfo
Checksums-Sha256:
541b5da6a86d256b0f8c93bf0d2306d68ab6b3b5a8fdf5c08afb4d0e3ebd5fa0 2205 jython_2.7.2+repack1-5.dsc
02504233fcb5493e59096b522202e5c1340a07543d5d9960ce320feaf348bae9 22148 jython_2.7.2+repack1-5.debian.tar.xz
f5125f396295b50011069645f6357a22cac0df5a03ce6ef06449d7148d77d86e 13952 jython_2.7.2+repack1-5_amd64.buildinfo
Files:
55c0de184bb8dfa8b47bb56adc21a330 2205 python optional jython_2.7.2+repack1-5.dsc
18fbfcd63c7c1dfef695355463544fbe 22148 python optional jython_2.7.2+repack1-5.debian.tar.xz
4de0f43befcb3cb603391740a582a580 13952 python optional jython_2.7.2+repack1-5_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQFEBAEBCgAuFiEEoJObzArDE05WtIyR7+hsbH/+z4MFAmOtelwQHHBpbmlAZGVi
aWFuLm9yZwAKCRDv6Gxsf/7Pg6gjB/9yFxMYo8SwC0kuV3sxRYCM7oossnaSV2P7
S9sW42UaNKREV14WCjJHG0CX5a3siPgYebzsqIsytLaUZ7/1i4vnJwZrryByCQ8e
QJKObxeMN5EdDXCtDUE56doZ2mPOQ2XJrdR/bOjGMHfA4J9aKg1+3TutZXC2/cYs
04xHq3jRVkGPrtPtSk60cMvbNLcBb3sDVnnEo8BRgSER2RnOoqdPylvwLwO4rTWY
/iYGE758nkM0z9+APhZBWDRHqzs17lpAsRu/7IOntKM+xj4uUgP3F8B4FgbOqzHZ
ZL/ejodvvcCbjoAY2HeZdP/eBQ6bpbXc9FIEWuIQaBJtNSe3bPcE
=VMo6
-----END PGP SIGNATURE-----
--- End Message ---
--
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use
[email protected] for discussions and questions.