Your message dated Tue, 29 Mar 2016 11:19:23 +0000
with message-id <[email protected]>
and subject line Bug#819455: fixed in libxstream-java 1.4.9-1
has caused the Debian Bug report #819455,
regarding libxstream-java: CVE-2016-3674: XXE vulnerability
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
819455: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=819455
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libxstream-java
Version: 1.4.2-1
Severity: important
Tags: security upstream fixed-upstream
Forwarded: https://github.com/x-stream/xstream/issues/25
Hi,
the following vulnerability was published for libxstream-java.
CVE-2016-3674[0]:
XXE vulnerability
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2016-3674
[1] https://github.com/x-stream/xstream/issues/25
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: libxstream-java
Source-Version: 1.4.9-1
We believe that the bug you reported is fixed in the latest version of
libxstream-java, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Emmanuel Bourg <[email protected]> (supplier of updated libxstream-java package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 29 Mar 2016 12:05:49 +0200
Source: libxstream-java
Binary: libxstream-java
Architecture: source all
Version: 1.4.9-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers
<[email protected]>
Changed-By: Emmanuel Bourg <[email protected]>
Description:
libxstream-java - Java library to serialize objects to XML and back again
Closes: 819455
Changes:
libxstream-java (1.4.9-1) unstable; urgency=medium
.
* New upstream release
- Fixes CVE-2016-3674: XML External Entity vulnerability (Closes: #819455)
- Ignore the new xstream-jmh module
- Updated the Maven rules
* No longer build the xstream-benchmark module (never used in Debian)
* Build with maven-debian-helper
* Depend on libcglib-nodep-java instead of libcglib3-java
* Standards-Version updated to 3.9.7 (no changes)
* Use secure Vcs-* fields
* Updated the old references to codehaus.org
Checksums-Sha1:
4cf4ec64900223bfa333836874027744232d8547 2392 libxstream-java_1.4.9-1.dsc
0495145c1d88722ee4331265a30ce93d5dab6bda 419660
libxstream-java_1.4.9.orig.tar.xz
1dbdca9aeee30d1d5f6e143103a9381cfc5c562d 6232
libxstream-java_1.4.9-1.debian.tar.xz
9afd8dacf870f8b4db79264868900bb91f95c5da 499872 libxstream-java_1.4.9-1_all.deb
Checksums-Sha256:
3967f17b4675a4fce56e09a1620e27961652a023634875322bb3ebe9c1929702 2392
libxstream-java_1.4.9-1.dsc
f97c2c723e03892859c69242397815a00b10ae1da0ca78d6c9b1f51397752c66 419660
libxstream-java_1.4.9.orig.tar.xz
7db86593bc736a00d87ee936af11e925c1ccbd37fb0dd63457dbf0407972b376 6232
libxstream-java_1.4.9-1.debian.tar.xz
94f28584d0e3fef8cf6fa81d29bce93107007787ff183713eb03a6025c068c27 499872
libxstream-java_1.4.9-1_all.deb
Files:
b2652b2d00e8de2f643097f1cc2be922 2392 java optional libxstream-java_1.4.9-1.dsc
259d2a02e54c3b6deb41fe2861f74d87 419660 java optional
libxstream-java_1.4.9.orig.tar.xz
8e8386e823bf938d034334275c18144a 6232 java optional
libxstream-java_1.4.9-1.debian.tar.xz
442e2b05d0c401f70c0f2032676da156 499872 java optional
libxstream-java_1.4.9-1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAEBCAAGBQJW+l73AAoJEPUTxBnkudCsCVUP/03hGK1opaaLdbhgrMK41rFx
O+HJk792poaRyXiOk8EQ1kM4YOeOacseLOq/YBEfCOAys2uSH6gi3GYydfINV7wM
BOkBXGDUjas2PREl1nEXbORV+NQqsK9CfBvBa3TRcDosTiZ7EGP7HRTigYSJ/a2s
2onFr+b2g+7YhEU97Sn7sj1zLh5XOD7FdNenHSbQUlS/++FSmqCfIezdbzyPinsS
RkP4oXtiglt6sTdj+vvvIiG3TfyoDhMn/QXu56WAfunOdG8JKSS5kk/YKh3jnG1c
8OxmwSZgrSJz4nqSiz81jA/lT43P1kx3CnKlAqmVjh9p4BCi3W81giOs21lH1D2s
7/SFniF+nSc/H/wqwhSKE6dEMiHMFxEAHe4juI3LVBmHRkdW49FboHDCWvYw0Vxu
aqMVl2ehT6hamv4rTdCToLhgKtummrberPCqrmmfRLq0jT7ZLUHEcay9stqA7ckY
gFQSoVCyRLnEDi/Mpdayj8Nxri4MpLeBDy7slCEjLfdWZBVSplpjRlXZbRiz4ec9
exEndrZCI4vwLkQcM1BIEDmqp4VabtIYc8sX7n1tg6NwVh592ftDtwjypLXSm+KV
iTmrfcgmBJ1NQ4A9hVS2Wo3E8+3JvhWfHotwGcPOhQ4L1Fz5W+TrItx2Q8QoHDGn
lNuuu13EmnnlwZWUBAW/
=QWIL
-----END PGP SIGNATURE-----
--- End Message ---
__
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use
[email protected] for discussions and questions.
