Your message dated Sat, 27 May 2017 12:33:35 +0000 with message-id <[email protected]> and subject line Bug#861521: fixed in libxstream-java 1.4.7-2+deb8u2 has caused the Debian Bug report #861521, regarding libxstream-java: CVE-2017-7957 to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

--
861521: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861521
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libxstream-java
Version: 1.4.7-2
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for libxstream-java.

CVE-2017-7957[0]:
| XStream through 1.4.9, when a certain denyTypes workaround is not used,
| mishandles attempts to create an instance of the primitive type 'void'
| during unmarshalling, leading to a remote application crash, as
| demonstrated by an xstream.fromXML("<void/>") call.

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-7957
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7957
[1] https://x-stream.github.io/CVE-2017-7957.html

Regards,
Salvatore
--- End Message ---
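The denyTypes workaround that the CVE text refers to can be applied as below. This is an added example, not part of the bug report or the Debian package; it assumes the workaround consists of deny-listing `void.class` and `Void.class` through XStream's security framework (`denyTypes`, available from 1.4.7), and the class and method names `VoidDenyCheck`, `hardened` and `classify` are hypothetical.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.ForbiddenClassException;

public class VoidDenyCheck {

    // Build an XStream instance that refuses to resolve the primitive
    // type 'void' and its wrapper before any instance creation is tried.
    static XStream hardened() {
        XStream xstream = new XStream();
        xstream.denyTypes(new Class[] { void.class, Void.class });
        return xstream;
    }

    // Unmarshal untrusted XML and report how the input was handled.
    // A denied type surfaces as ForbiddenClassException; any other
    // XStream failure is reported by its exception class name.
    static String classify(XStream xstream, String xml) {
        try {
            xstream.fromXML(xml);
            return "unmarshalled";
        } catch (ForbiddenClassException e) {
            return "rejected by type deny-list: " + e.getMessage();
        } catch (XStreamException e) {
            return "rejected: " + e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) {
        XStream xstream = hardened();
        // Constructed inputs: the document quoted in the CVE text and
        // a harmless string element for comparison.
        String[] samples = { "<void/>", "<string>hello</string>" };
        for (String xml : samples) {
            System.out.println(xml + " -> " + classify(xstream, xml));
        }
    }
}
```

The deny-list only helps on instances it was applied to, so every place that constructs an `XStream` for untrusted input needs the same call until the fixed package is installed.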
--- Begin Message ---
Source: libxstream-java
Source-Version: 1.4.7-2+deb8u2

We believe that the bug you reported is fixed in the latest version of libxstream-java, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg <[email protected]> (supplier of updated libxstream-java package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 02 May 2017 17:21:00 +0200
Source: libxstream-java
Binary: libxstream-java
Architecture: source all
Version: 1.4.7-2+deb8u2
Distribution: jessie-security
Urgency: high
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: Emmanuel Bourg <[email protected]>
Description:
 libxstream-java - Java library to serialize objects to XML and back again
Closes: 861521
Changes:
 libxstream-java (1.4.7-2+deb8u2) jessie-security; urgency=high
 .
   * Fixed CVE-2017-7957: Attempts to create an instance of the primitive
     type 'void' during unmarshalling lead to a remote application crash.
     (Closes: #861521)
--- End Message ---
__
This is the maintainer address of Debian's Java team <http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use [email protected] for discussions and questions.

