On 08.01.2018 at 20:31, Salvatore Bonaccorso wrote:
[...]
> Ok, thanks a lot for double checking. Again, I'm not sure how pressing
> the issue is, I'm deferring a DSA/no-DSA decision to one of my
> teammates. Privilege escalation rings some bells obviously.
>
> For older versions than 4.3.3, am I right that then the issue is only
> introduced in ab21ca98fd7814bd014e7d8e03de8640f2529352, "HV-912 Not
> exposing accessible-made members", which is in 4.3.2.Final~3 or is it
> more just uncovered there?
I have just uploaded a fix for CVE-2017-7536 to unstable. I think we don't need a DSA for that because libhibernate-validator-java is only needed as a build-dependency for libspring-java in Stretch. I intend to request a stretch-pu instead.

I agree with your assessment and I also believe Wheezy and Jessie are not affected because the vulnerable code was introduced in the 4.3 branch. The fix improves commit ab21ca98fd7814bd014e7d8e03de8640f2529352 by taking the security manager into account.

Regards,

Markus
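As an added illustration of what "taking the security manager into account" means for reflective access to non-public members (example code, not Hibernate Validator's own and not the Debian patch): the assumed vulnerable shape widens accessibility inside a privileged block, so the library's own permissions stand in for those of an untrusted caller; the hardened shape first asks the installed SecurityManager whether the full call stack holds ReflectPermission("suppressAccessChecks"). Class, method and field names are assumptions.

```java
import java.lang.reflect.Field;
import java.lang.reflect.ReflectPermission;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;

// Illustrative pattern only; names are assumptions, not Hibernate Validator code.
public final class GuardedAccess {

    // Assumed vulnerable shape: setAccessible() runs inside doPrivileged, so the
    // permission check sees only this (trusted) frame and never consults an
    // untrusted caller further up the stack.
    static Object readPrivileged(Object target, String name) throws Exception {
        try {
            return AccessController.doPrivileged((PrivilegedExceptionAction<Object>) () -> {
                Field f = target.getClass().getDeclaredField(name);
                f.setAccessible(true);
                return f.get(target);
            });
        } catch (PrivilegedActionException e) {
            throw e.getException();
        }
    }

    // Hardened shape: check against the whole call stack before widening access,
    // so a caller lacking ReflectPermission("suppressAccessChecks") is refused.
    static Object readGuarded(Object target, String name) throws Exception {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPermission(new ReflectPermission("suppressAccessChecks")); // SecurityException if denied
        }
        return readPrivileged(target, name);
    }

    static final class Bean {              // constructed sample with a private member
        private final String secret = "constructed-sample";
    }

    // Assumes a JVM that still permits installing a SecurityManager
    // (Java 8-11, or Java 17 started with -Djava.security.manager=allow).
    public static void main(String[] args) throws Exception {
        Bean b = new Bean();
        System.out.println("no manager installed: " + readGuarded(b, "secret"));
        System.setSecurityManager(new SecurityManager()); // default policy grants no ReflectPermission
        try {
            readGuarded(b, "secret");
        } catch (SecurityException e) {
            System.out.println("denied by SecurityManager: " + e.getMessage());
        }
    }
}
```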
__ This is the maintainer address of Debian's Java team <http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. Please use debian-j...@lists.debian.org for discussions and questions.