Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: Bastien Roucariès
Control: affects -1 + src:json-smart
Control: block 1039985 with -1
Control: block 1033474 with -1
[ Reason ]
Two CVEs were fixed in buster-lts, but not yet in bullseye or later,
causing version skew on upgrades:
json-smart | 2.2-1 | stretch | source
json-smart | 2.2-2 | buster | source
json-smart | 2.2-2 | bullseye| source
json-smart | 2.2-2 | bookworm| source
json-smart | 2.2-2 | trixie | source
json-smart | 2.2-2 | sid | source
json-smart | 2.2-2+deb10u1 | buster-security | source
[ Impact ]
Unfixed CVEs.
Versions going backward and confusing QA tools.
[ Tests ]
Build-time testsuite contains a new test.
[ Risks ]
Fixed version in buster-lts for one year already.
[ Checklist ]
[*] *all* changes are documented in the d/changelog
[*] I reviewed all changes and I approve them
[*] attach debdiff against the package in (old)stable
[ ] the issue is verified as fixed in unstable
NMU in DELAYED
[ Changes ]
debian/changelog | 26
debian/control | 4 +-
.../patches/0004-CVE-2021-31684-Fix-indexOf.patch | 27
...70-stack-overflow-due-to-excessive-recurs.patch | 156 +
debian/patches/01-bundle-dependencies.patch| 15 +-
debian/patches/02-ignore-failing-tests.patch | 16 ++-
debian/patches/series | 2 +
7 files changed, 237 insertions(+), 9 deletions(-)
json-smart (2.2-2+deb11u1) bullseye; urgency=medium
* Non-maintainer upload.
* Update Vcs-* URLs to point to salsa.debian.org.
* Rebuild for bullseye. (Closes: #1039985)
-- Andreas Beckmann Tue, 09 Apr 2024 09:36:58 +0200
json-smart (2.2-2+deb10u1) buster-security; urgency=high
* Non-maintainer upload by the LTS team.
* CVE-2023-1370: stack overflow due to excessive recursion
When reaching a ‘[‘ or ‘{‘ character in the JSON input, the code
parses an array or an object respectively. It was discovered that the
code does not have any limit to the nesting of such arrays or
objects. Since the parsing of nested arrays and objects is done
recursively, nesting too many of them can cause a stack exhaustion
(stack overflow) and crash the software. (Closes: #1033474)
* CVE-2021-31684: Fix indexOf
A vulnerability was discovered in the indexOf function of
JSONParserByteArray in JSON Smart versions 1.3 and 2.4
which causes a denial of service (DOS)
via a crafted web request.
-- Bastien Roucariès Wed, 29 Mar 2023 22:21:33 +
[ Other info ]
n/a
Andreas
diff --git a/debian/changelog b/debian/changelog
index 70116d2..f9cd61d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,29 @@
+json-smart (2.2-2+deb11u1) bullseye; urgency=medium
+
+ * Non-maintainer upload.
+ * Update Vcs-* URLs to point to salsa.debian.org.
+ * Rebuild for bullseye. (Closes: #1039985)
+
+ -- Andreas Beckmann Tue, 09 Apr 2024 09:36:58 +0200
+
+json-smart (2.2-2+deb10u1) buster-security; urgency=high
+
+ * Non-maintainer upload by the LTS team.
+ * CVE-2023-1370: stack overflow due to excessive recursion
+When reaching a ‘[‘ or ‘{‘ character in the JSON input, the code
+parses an array or an object respectively. It was discovered that the
+code does not have any limit to the nesting of such arrays or
+objects. Since the parsing of nested arrays and objects is done
+recursively, nesting too many of them can cause a stack exhaustion
+(stack overflow) and crash the software. (Closes: #1033474)
+ * CVE-2021-31684: Fix indexOf
+A vulnerability was discovered in the indexOf function of
+JSONParserByteArray in JSON Smart versions 1.3 and 2.4
+which causes a denial of service (DOS)
+via a crafted web request.
+
+ -- Bastien Roucariès Wed, 29 Mar 2023 22:21:33 +
+
json-smart (2.2-2) unstable; urgency=medium
* Team upload.
diff --git a/debian/control b/debian/control
index 6488a01..deb7c40 100644
--- a/debian/control
+++ b/debian/control
@@ -6,8 +6,8 @@ Uploaders: Emmanuel Bourg
Build-Depends: debhelper (>= 10), default-jdk, maven-debian-helper (>= 1.5)
Build-Depends-Indep: libmaven-bundle-plugin-java, junit
Standards-Version: 4.1.1
-Vcs-Git: https://anonscm.debian.org/git/pkg-java/json-smart.git
-Vcs-Browser: https://anonscm.debian.org/cgit/pkg-java/json-smart.git
+Vcs-Browser: https://salsa.debian.org/java-team/json-smart
+Vcs-Git: https://salsa.debian.org/java-team/json-smart.git
Homepage: http://netplex.github.io/json-smart/
Package: libjson-smart-java
diff --git a/debian/patches/0004-CVE-2021-31684-Fix-indexOf.patch
b/debian/patches/0004-CVE-2021-31684-Fix-indexOf.patch
new file mode 100644
index 000..d085f43
--- /dev/null
+++