Your message dated Sat, 31 Dec 2022 10:49:48 +0000
with message-id <[email protected]>
and subject line Bug#1022553: fixed in libjettison-java 1.5.3-1
has caused the Debian Bug report #1022553,
regarding libjettison-java: CVE-2022-40150
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1022553: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1022553
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libjettison-java
Version: 1.4.1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for libjettison-java.

CVE-2022-40150[0]:
| Those using Jettison to parse untrusted XML or JSON data may be
| vulnerable to Denial of Service attacks (DOS). If the parser is
| running on user supplied input, an attacker may supply content that
| causes the parser to crash by Out of memory. This effect may support a
| denial of service attack.

This issue has not yet been fixed upstream at the time of writing this
report.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-40150
    https://www.cve.org/CVERecord?id=CVE-2022-40150
[1] https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=46549
[2] https://github.com/jettison-json/jettison/issues/45

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: libjettison-java
Source-Version: 1.5.3-1
Done: Markus Koschany <[email protected]>

We believe that the bug you reported is fixed in the latest version of
libjettison-java, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <[email protected]> (supplier of updated libjettison-java package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 31 Dec 2022 11:18:53 +0100
Source: libjettison-java
Architecture: source
Version: 1.5.3-1
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: Markus Koschany <[email protected]>
Closes: 1022553
Changes:
 libjettison-java (1.5.3-1) unstable; urgency=high
 .
   * Team upload.
   * New upstream version 1.5.3.
     - Fix CVE-2022-40150, CVE-2022-45685, CVE-2022-45693:
       denial of service via stack overflow / out of memory
       (Closes: #1022553)
   * Declare compliance with Debian Policy 4.6.2.
Checksums-Sha1:
 e1517ed93e1dc8df1880b25ca501b3e06726e984 2243 libjettison-java_1.5.3-1.dsc
 cd806d8acda7345be602f3ddbeb3a5e30c2f71e2 72810 libjettison-java_1.5.3.orig.tar.gz
 d327770928f5d9b27cb0af40d12263664f586222 2964 libjettison-java_1.5.3-1.debian.tar.xz
 aa2b596baa42316177803f90fdac5120640148a2 15114 libjettison-java_1.5.3-1_amd64.buildinfo
Checksums-Sha256:
 097fdf719f5cc611f0adc99ab0ece63e45e2e0f7c63659af412d0fc54639030e 2243 libjettison-java_1.5.3-1.dsc
 c68ff9851b25789467e8168b3e54ada18e21964fae2b1986027e6bf133947920 72810 libjettison-java_1.5.3.orig.tar.gz
 95792897208475b673aafa2a954acef4187d02fd64a69fea796a756b6d7806ae 2964 libjettison-java_1.5.3-1.debian.tar.xz
 a019f2d7b53dfffa20302e5b8503b9c6445e085fece3965124b279ce9a5d796c 15114 libjettison-java_1.5.3-1_amd64.buildinfo
Files:
 190771176c309ca79414b14f4cf10dc4 2243 java optional libjettison-java_1.5.3-1.dsc
 4fe6afb04644a6a85ac23fb35a663935 72810 java optional libjettison-java_1.5.3.orig.tar.gz
 55968f5787a75bcbb1c00fc1a0c88b96 2964 java optional libjettison-java_1.5.3-1.debian.tar.xz
 caeb61f5fc13c2f7ed445a1b3fca1fa0 15114 java optional libjettison-java_1.5.3-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQKjBAEBCgCNFiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmOwDThfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQPHGFwb0BkZWJp
YW4ub3JnAAoJENmtFLlRO1HkXroQAK6RmGy0YF3lNYIxQamUN2+nCdjZU3HIqtUQ
iKNPrm73Kjt+O/+yX/zYxVjvmRozRcQMM3+Jane32nbPFjO532LNdzdcluZkvhqt
1vobvsJ0gxThEYat3OwlZy9il+3zpRPJyMe/1zG+Is/0zJt/jdWlqxG4M/1P0bc2
F0dA/I/Qe0CUM1uIbcPA1UG+CKFSA1RLxh0KGR17mHOWwyOpzimg4i62r/8VndrT
mVRdFPm3HrZh/4ZO756lPgIvpdItHnDUbYdAxpWxwIrPN0tZ09AgNh8fQ+bKaaZp
qHosFCbS/mLxE6qDLXhR5LsGtdrV5Uw3FyeuQurgERoAPDOHTsasNTYL063cMTbH
GVgf8GrcFE1G/0VNPxOLA04W8BrmHVOniUTcxYsFWsz1Kbzse0DHl/JgCgJlXzjA
FXMCGJHoI/L0ReIqwzyve421+RyADA7TC1vzZB3pfGh8o9RbOrByB52JGadzSb0x
bq6h8xFFba19liE6lget056lahXnsiAMB7g2crSvvqs1K4ZJBh7MWcnHajfCjJoG
cWnj4m/0UYo66RTQ8S81yi6aiPH9z6hpnu6w/d93bIWwZdK6ieuosS6VPGXhwQjr
EUTrcRRDefNWaAIPD36YZ14kRQFfUyQS4p5voookVbFApX4foEdMD+gLoRUg0C6d
5a0qZ0Yv
=C6YR
-----END PGP SIGNATURE-----

--- End Message ---
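The .changes message above carries the SHA-256 digests and sizes of the four uploaded files, and those are what a downstream consumer should check a fetched source package against before building from it. The following is an added example, not code from the bug report or from the libjettison-java package: it parses the Checksums-Sha256 stanza (the values are copied from the message above) and compares file contents against it. The self-check at the bottom uses constructed file contents and a stanza generated from them, since the real package files are not on the page.

```python
"""Verify Debian source-package files against the Checksums-Sha256 stanza
of a .changes file.

Added example, not part of the original bug report or of the
libjettison-java package. CHANGES_TEXT is copied from the 1.5.3-1 .changes
message; SAMPLE_FILES below are constructed here for the self-check.
"""
import hashlib
import re

# Checksums-Sha256 stanza as it appears in the libjettison-java 1.5.3-1
# .changes message (real values from the page, followed by the next field).
CHANGES_TEXT = """\
Checksums-Sha256:
 097fdf719f5cc611f0adc99ab0ece63e45e2e0f7c63659af412d0fc54639030e 2243 libjettison-java_1.5.3-1.dsc
 c68ff9851b25789467e8168b3e54ada18e21964fae2b1986027e6bf133947920 72810 libjettison-java_1.5.3.orig.tar.gz
 95792897208475b673aafa2a954acef4187d02fd64a69fea796a756b6d7806ae 2964 libjettison-java_1.5.3-1.debian.tar.xz
 a019f2d7b53dfffa20302e5b8503b9c6445e085fece3965124b279ce9a5d796c 15114 libjettison-java_1.5.3-1_amd64.buildinfo
Files:
 190771176c309ca79414b14f4cf10dc4 2243 java optional libjettison-java_1.5.3-1.dsc
"""

# One continuation line of the stanza: " <64 hex> <size> <filename>"
_ENTRY = re.compile(r"^ ([0-9a-f]{64}) (\d+) (\S+)$")


def parse_sha256_stanza(changes_text):
    """Return {filename: (size, sha256_hex)} from the Checksums-Sha256 field.

    Only the indented continuation lines under Checksums-Sha256 are taken;
    the next unindented field (here 'Files:') ends the stanza.
    """
    entries = {}
    in_stanza = False
    for line in changes_text.splitlines():
        if line.startswith("Checksums-Sha256:"):
            in_stanza = True
            continue
        if in_stanza:
            if not line.startswith(" "):
                break
            m = _ENTRY.match(line)
            if m is None:
                raise ValueError("malformed checksum line: %r" % line)
            digest, size, name = m.groups()
            entries[name] = (int(size), digest)
    return entries


def verify_files(entries, contents):
    """Check each listed file's size and SHA-256 against the stanza.

    contents maps filename -> bytes. Returns a sorted list of
    (filename, problem) tuples where problem is 'missing', 'size' or
    'sha256'; an empty list means every listed file checks out.
    """
    problems = []
    for name, (size, digest) in entries.items():
        data = contents.get(name)
        if data is None:
            problems.append((name, "missing"))
            continue
        if len(data) != size:
            problems.append((name, "size"))
        if hashlib.sha256(data).hexdigest() != digest:
            problems.append((name, "sha256"))
    return sorted(problems)


# Constructed sample files (NOT the real package files) and a stanza
# generated from them, so the positive path can be exercised offline.
SAMPLE_FILES = {
    "example_1.0-1.dsc": b"Format: 3.0 (quilt)\nSource: example\n",
    "example_1.0.orig.tar.gz": bytes(range(256)),
}
SAMPLE_CHANGES = "Checksums-Sha256:\n" + "".join(
    " %s %d %s\n" % (hashlib.sha256(d).hexdigest(), len(d), n)
    for n, d in SAMPLE_FILES.items()) + "Files:\n"


def check_sample():
    """Verify the constructed sample; returns [] when all files match."""
    return verify_files(parse_sha256_stanza(SAMPLE_CHANGES), SAMPLE_FILES)


if __name__ == "__main__":
    for name, (size, digest) in parse_sha256_stanza(CHANGES_TEXT).items():
        print("%s %d %s" % (digest, size, name))
    print("sample:", check_sample() or "ok")
```

In practice you would read the fetched .dsc, .orig.tar.gz and .debian.tar.xz from disk into the contents map and run verify_files against the stanza taken from the .changes file only after its PGP signature has been checked; a digest match without a verified signature only proves the files match whatever text you were handed.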