Your message dated Tue, 02 May 2017 15:37:33 +0000
with message-id <e1d5zrp-000esx...@fasolo.debian.org>
and subject line Bug#861521: fixed in libxstream-java 1.4.9-2
has caused the Debian Bug report #861521,
regarding libxstream-java: CVE-2017-7957
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
861521: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861521
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libxstream-java
Version: 1.4.7-2
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for libxstream-java.

CVE-2017-7957[0]:
| XStream through 1.4.9, when a certain denyTypes workaround is not used,
| mishandles attempts to create an instance of the primitive type 'void'
| during unmarshalling, leading to a remote application crash, as
| demonstrated by an xstream.fromXML("<void/>") call.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-7957
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7957
[1] https://x-stream.github.io/CVE-2017-7957.html

Regards,
Salvatore

--- End Message ---
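
The denyTypes workaround named in the CVE description above, shown as an added example that is not part of the original report or of the Debian package. The class name `DenyVoidExample` and the helpers `hardened` and `describe` are hypothetical, and the code assumes an XStream release on the classpath that provides `denyTypes`.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;

public class DenyVoidExample {

    // Build an XStream instance for untrusted XML on releases through 1.4.9.
    static XStream hardened() {
        XStream xstream = new XStream();
        // The denyTypes workaround: refuse the primitive 'void' and its
        // wrapper type before XStream attempts to instantiate them.
        xstream.denyTypes(new Class[] { void.class, Void.class });
        return xstream;
    }

    // Unmarshal one document and turn a denied or malformed input into a
    // handled error instead of letting it reach instantiation.
    static String describe(XStream xstream, String xml) {
        try {
            Object value = xstream.fromXML(xml);
            return "accepted: " + value;
        } catch (XStreamException e) {
            // Denied types surface as a subclass of XStreamException.
            return "rejected: " + e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) {
        XStream xstream = hardened();
        // Constructed sample inputs: a benign document and the document
        // quoted in the CVE description.
        System.out.println(describe(xstream, "<string>hello</string>"));
        System.out.println(describe(xstream, "<void/>"));
    }
}
```

The deny rule has to be applied to every XStream instance that reads untrusted XML, since each instance carries its own type permissions.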
--- Begin Message ---
Source: libxstream-java
Source-Version: 1.4.9-2

We believe that the bug you reported is fixed in the latest version of
libxstream-java, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 861...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg <ebo...@apache.org> (supplier of updated libxstream-java package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 02 May 2017 16:52:35 +0200
Source: libxstream-java
Binary: libxstream-java
Architecture: source
Version: 1.4.9-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebo...@apache.org>
Description:
 libxstream-java - Java library to serialize objects to XML and back again
Closes: 861521
Changes:
 libxstream-java (1.4.9-2) unstable; urgency=medium
 .
   * Fixed CVE-2017-7957: Attempts to create an instance of the primitive
     type 'void' during unmarshalling lead to a remote application crash.
     (Closes: #861521)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
__
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use debian-j...@lists.debian.org for discussions and questions.
