Am 08.01.2018 um 20:31 schrieb Salvatore Bonaccorso:
[...]
> Ok, thanks a lot for double checking. Again, I'm not sure how pressing
> the issue is, I'm defering a DSA/no-DSA decision to one of my
> teammates. Privilege escalation rings some bells obviously.
> 
> For older versions than 4.3.3, am I right that then the issue is only
> introduced in ab21ca98fd7814bd014e7d8e03de8640f2529352, "HV-912 Not
> exposing accessible-made members", which is in 4.3.2.Final~3 or is it
> more just uncovered there?

I have just uploaded a fix for CVE-2017-7536 to unstable. I think we
don't need a DSA for that because libhibernate-validator-java is only
needed as a build-dependency for libspring-java in Stretch. I intend to
request a stretch-pu instead.

I agree with your assessment and I also believe Wheezy and Jessie are
not affected because the vulnerable code was introduced in the 4.3
branch. The fix improves commit ab21ca98fd7814bd014e7d8e03de8640f2529352
by taking the security manager into account.

Regards,

Markus

Attachment: signature.asc
Description: OpenPGP digital signature

__
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. 
Please use
debian-j...@lists.debian.org for discussions and questions.

Reply via email to