Bug#1068694: bullseye-pu: package json-smart/2.2-2+deb11u1

2024-05-20 Thread Adam D. Barratt
On Mon, 2024-04-22 at 17:57 +0100, Jonathan Wiltshire wrote:
> Control: tag -1 confirmed
> 
> On Tue, Apr 09, 2024 at 10:01:11AM +0200, Andreas Beckmann wrote:
> > +++ b/debian/patches/0004-CVE-2021-31684-Fix-indexOf.patch
> > @@ -0,0 +1,27 @@
> > +From: HAPPY 
> 
> Well if that doesn't tickle my antennae nothing will :)
> 
> Please go ahead.

It looks like the bookworm update didn't make it to stable-new (and
thus p-u) yet, so the bullseye update is stuck in oldstable-new so as
not to cause version skew.

Regards,

Adam



Bug#1068694: bullseye-pu: package json-smart/2.2-2+deb11u1

2024-04-22 Thread Jonathan Wiltshire
Control: tag -1 confirmed

On Tue, Apr 09, 2024 at 10:01:11AM +0200, Andreas Beckmann wrote:
> +++ b/debian/patches/0004-CVE-2021-31684-Fix-indexOf.patch
> @@ -0,0 +1,27 @@
> +From: HAPPY 

Well if that doesn't tickle my antennae nothing will :)

Please go ahead.

Thanks,

-- 
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1



Bug#1068694: bullseye-pu: package json-smart/2.2-2+deb11u1

2024-04-13 Thread Bastien Roucariès
Le samedi 13 avril 2024, 14:01:24 UTC Bastien Roucariès a écrit :
> Le samedi 13 avril 2024, 14:00:00 UTC Moritz Mühlenhoff a écrit :
> Hi,
> 
> > Am Tue, Apr 09, 2024 at 10:01:11AM +0200 schrieb Andreas Beckmann:
> > > Package: release.debian.org
> > > Severity: normal
> > > Tags: bullseye
> > > User: release.debian@packages.debian.org
> > > Usertags: pu
> > > X-Debbugs-Cc: Bastien Roucariès 
> > > Control: affects -1 + src:json-smart
> > > Control: block 1039985 with -1
> > > Control: block 1033474 with -1
> > > 
> > > [ Reason ]
> > > Two CVEs were fixed in buster-lts, but not yet in bullseye or later,
> > > causing version skew on upgrades:
> > 
> > CVE-2023-1370 / #1033474 is unfixed in sid, and being fixed in unstable
> > is a precondition for a point update.
> > 
> > Bastien, since you fixed it in buster-lts, can you please also take care
> > of addressing unstable?

Done
> 
> 
> Ok will do
> > 
> > Cheers,
> > Moritz
> > 
> 
> 





Bug#1068694: bullseye-pu: package json-smart/2.2-2+deb11u1

2024-04-13 Thread Bastien Roucariès
Le samedi 13 avril 2024, 14:00:00 UTC Moritz Mühlenhoff a écrit :
Hi,

> Am Tue, Apr 09, 2024 at 10:01:11AM +0200 schrieb Andreas Beckmann:
> > Package: release.debian.org
> > Severity: normal
> > Tags: bullseye
> > User: release.debian@packages.debian.org
> > Usertags: pu
> > X-Debbugs-Cc: Bastien Roucariès 
> > Control: affects -1 + src:json-smart
> > Control: block 1039985 with -1
> > Control: block 1033474 with -1
> > 
> > [ Reason ]
> > Two CVEs were fixed in buster-lts, but not yet in bullseye or later,
> > causing version skew on upgrades:
> 
> CVE-2023-1370 / #1033474 is unfixed in sid, and being fixed in unstable
> is a precondition for a point update.
> 
> Bastien, since you fixed it in buster-lts, can you please also take care
> of addressing unstable?


Ok will do
> 
> Cheers,
> Moritz
> 





Bug#1068694: bullseye-pu: package json-smart/2.2-2+deb11u1

2024-04-13 Thread Moritz Mühlenhoff
Am Tue, Apr 09, 2024 at 10:01:11AM +0200 schrieb Andreas Beckmann:
> Package: release.debian.org
> Severity: normal
> Tags: bullseye
> User: release.debian@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: Bastien Roucariès 
> Control: affects -1 + src:json-smart
> Control: block 1039985 with -1
> Control: block 1033474 with -1
> 
> [ Reason ]
> Two CVEs were fixed in buster-lts, but not yet in bullseye or later,
> causing version skew on upgrades:

CVE-2023-1370 / #1033474 is unfixed in sid, and being fixed in unstable
is a precondition for a point update.

Bastien, since you fixed it in buster-lts, can you please also take care
of addressing unstable?

Cheers,
Moritz



Bug#1068694: bullseye-pu: package json-smart/2.2-2+deb11u1

2024-04-09 Thread Andreas Beckmann
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: Bastien Roucariès 
Control: affects -1 + src:json-smart
Control: block 1039985 with -1
Control: block 1033474 with -1

[ Reason ]
Two CVEs were fixed in buster-lts, but not yet in bullseye or later,
causing version skew on upgrades:

 json-smart | 2.2-1 | stretch | source
 json-smart | 2.2-2 | buster  | source
 json-smart | 2.2-2 | bullseye| source
 json-smart | 2.2-2 | bookworm| source
 json-smart | 2.2-2 | trixie  | source
 json-smart | 2.2-2 | sid | source
 json-smart | 2.2-2+deb10u1 | buster-security | source

[ Impact ]
Unfixed CVEs.
Versions going backward and confusing QA tools.

[ Tests ]
Build-time testsuite contains a new test.

[ Risks ]
Fixed version in buster-lts for one year already.

[ Checklist ]
  [*] *all* changes are documented in the d/changelog
  [*] I reviewed all changes and I approve them
  [*] attach debdiff against the package in (old)stable
  [ ] the issue is verified as fixed in unstable
  NMU in DELAYED

[ Changes ]
 debian/changelog   |  26 
 debian/control |   4 +-
 .../patches/0004-CVE-2021-31684-Fix-indexOf.patch  |  27 
 ...70-stack-overflow-due-to-excessive-recurs.patch | 156 +
 debian/patches/01-bundle-dependencies.patch|  15 +-
 debian/patches/02-ignore-failing-tests.patch   |  16 ++-
 debian/patches/series  |   2 +
 7 files changed, 237 insertions(+), 9 deletions(-)

json-smart (2.2-2+deb11u1) bullseye; urgency=medium

  * Non-maintainer upload.
  * Update Vcs-* URLs to point to salsa.debian.org.
  * Rebuild for bullseye.  (Closes: #1039985)

 -- Andreas Beckmann   Tue, 09 Apr 2024 09:36:58 +0200

json-smart (2.2-2+deb10u1) buster-security; urgency=high

  * Non-maintainer upload by the LTS team.
  * CVE-2023-1370: stack overflow due to excessive recursion
When reaching a ‘[‘ or ‘{‘ character in the JSON input, the code
parses an array or an object respectively. It was discovered that the
code does not have any limit to the nesting of such arrays or
objects. Since the parsing of nested arrays and objects is done
recursively, nesting too many of them can cause a stack exhaustion
(stack overflow) and crash the software. (Closes: #1033474)
  * CVE-2021-31684: Fix indexOf
A vulnerability was discovered in the indexOf function of
JSONParserByteArray in JSON Smart versions 1.3 and 2.4
which causes a denial of service (DOS)
via a crafted web request.

 -- Bastien Roucariès   Wed, 29 Mar 2023 22:21:33 +

[ Other info ]
n/a

Andreas
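As an added illustration of the CVE-2023-1370 mechanism described in the changelog above (example code written for this page, not json-smart's parser or its fix): a minimal recursive-descent JSON parser in Python whose array/object handling carries an explicit nesting limit. The value MAX_DEPTH = 64, the function names and the status strings returned by safe_parse are assumptions; the limit json-smart actually adopted is not stated on the page. With max_depth=None the parser has exactly the unbounded recursion the advisory describes, and a deeply nested input exhausts the interpreter stack (RecursionError, the Python analogue of the JVM StackOverflowError); with the limit in place the same input is rejected at a fixed, predictable depth before any stack pressure builds. The example goes slightly beyond the changelog text in that it handles objects as well as arrays, since the advisory names both.

```python
# Added example, not json-smart code: a recursive-descent JSON parser whose
# '[' / '{' handling carries an explicit nesting limit. MAX_DEPTH, the
# function names and the status strings are assumptions for this example.
import json

MAX_DEPTH = 64  # assumed limit; json-smart's real value is not given on the page
_WS = " \t\r\n"

class ParseError(ValueError):
    """Malformed input; parsing stops without recursing further."""

class NestingTooDeep(ParseError):
    """Arrays/objects nested deeper than the configured limit."""

def _skip_ws(text, pos):
    while pos < len(text) and text[pos] in _WS:
        pos += 1
    return pos

def _parse_scalar(text, pos):
    # Strings: scan to the closing quote honouring backslash escapes; other
    # scalars: the run up to the next delimiter. json.loads decodes the token.
    start = pos
    if text[pos] == '"':
        pos += 1
        while pos < len(text) and text[pos] != '"':
            pos += 2 if text[pos] == "\\" else 1
        if pos >= len(text):
            raise ParseError(f"unterminated string at {start}")
        pos += 1
    else:
        while pos < len(text) and text[pos] not in ",]}" + _WS:
            pos += 1
    token = text[start:pos]
    try:
        return pos, json.loads(token)
    except ValueError as exc:
        raise ParseError(f"bad scalar {token!r} at {start}") from exc

def _parse_value(text, pos, depth, max_depth):
    pos = _skip_ws(text, pos)
    if pos >= len(text):
        raise ParseError("unexpected end of input")
    if text[pos] == "[":
        return _parse_container(text, pos + 1, depth + 1, max_depth, "]")
    if text[pos] == "{":
        return _parse_container(text, pos + 1, depth + 1, max_depth, "}")
    return _parse_scalar(text, pos)

def _parse_container(text, pos, depth, max_depth, closer):
    # This is the recursion the advisory describes: every '[' or '{' costs a
    # stack frame. The depth check is the mitigation; with max_depth=None the
    # parser is as unbounded as the unfixed code.
    if max_depth is not None and depth > max_depth:
        raise NestingTooDeep(f"nesting exceeds {max_depth} at offset {pos - 1}")
    result = [] if closer == "]" else {}
    pos = _skip_ws(text, pos)
    if pos < len(text) and text[pos] == closer:
        return pos + 1, result          # empty [] or {}
    while True:
        if closer == "}":
            pos = _skip_ws(text, pos)
            if pos >= len(text) or text[pos] != '"':
                raise ParseError(f"expected string key at {pos}")
            pos, key = _parse_scalar(text, pos)
            pos = _skip_ws(text, pos)
            if pos >= len(text) or text[pos] != ":":
                raise ParseError(f"expected ':' at {pos}")
            pos, result[key] = _parse_value(text, pos + 1, depth, max_depth)
        else:
            pos, item = _parse_value(text, pos, depth, max_depth)
            result.append(item)
        pos = _skip_ws(text, pos)
        if pos >= len(text):
            raise ParseError(f"unterminated container, expected {closer!r}")
        if text[pos] == ",":
            pos += 1
        elif text[pos] == closer:
            return pos + 1, result
        else:
            raise ParseError(f"expected ',' or {closer!r} at {pos}")

def parse(text, max_depth=MAX_DEPTH):
    """Parse one JSON document; raise NestingTooDeep beyond max_depth."""
    pos, value = _parse_value(text, 0, 0, max_depth)
    pos = _skip_ws(text, pos)
    if pos != len(text):
        raise ParseError(f"trailing data at {pos}")
    return value

def safe_parse(text, max_depth=MAX_DEPTH):
    """Return ('ok', value), ('too-deep', msg), ('error', msg) or, when the
    unguarded recursion exhausts the interpreter stack, ('crash', msg)."""
    try:
        return "ok", parse(text, max_depth)
    except NestingTooDeep as exc:
        return "too-deep", str(exc)
    except ParseError as exc:
        return "error", str(exc)
    except RecursionError as exc:
        return "crash", f"stack exhausted: {exc}"
```

Calling safe_parse("[" * 10000 + "]" * 10000, max_depth=None) on a constructed input returns the 'crash' status (the interpreter's own recursion guard fires), while the same input under the default limit returns 'too-deep' after 65 levels of work. The limit is checked on entry to each container, so the rejection cost is proportional to the limit rather than to the attacker-chosen input depth, which is the property a fix for this class of bug needs.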
diff --git a/debian/changelog b/debian/changelog
index 70116d2..f9cd61d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,29 @@
+json-smart (2.2-2+deb11u1) bullseye; urgency=medium
+
+  * Non-maintainer upload.
+  * Update Vcs-* URLs to point to salsa.debian.org.
+  * Rebuild for bullseye.  (Closes: #1039985)
+
+ -- Andreas Beckmann   Tue, 09 Apr 2024 09:36:58 +0200
+
+json-smart (2.2-2+deb10u1) buster-security; urgency=high
+
+  * Non-maintainer upload by the LTS team.
+  * CVE-2023-1370: stack overflow due to excessive recursion
+When reaching a ‘[‘ or ‘{‘ character in the JSON input, the code
+parses an array or an object respectively. It was discovered that the
+code does not have any limit to the nesting of such arrays or
+objects. Since the parsing of nested arrays and objects is done
+recursively, nesting too many of them can cause a stack exhaustion
+(stack overflow) and crash the software. (Closes: #1033474)
+  * CVE-2021-31684: Fix indexOf
+A vulnerability was discovered in the indexOf function of
+JSONParserByteArray in JSON Smart versions 1.3 and 2.4
+which causes a denial of service (DOS)
+via a crafted web request.
+
+ -- Bastien Roucariès   Wed, 29 Mar 2023 22:21:33 +
+
 json-smart (2.2-2) unstable; urgency=medium
 
   * Team upload.
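Review bot: the 2.2-2+deb11u1 entry lists only the Vcs-* update and "Rebuild for bullseye. (Closes: #1039985)", so a reader of that entry alone cannot tell that this upload also introduces the CVE-2023-1370 and CVE-2021-31684 patches; the fixes are described only in the inherited 2.2-2+deb10u1 entry below it. Consider saying in the deb11u1 entry that it carries the buster-security changes forward, e.g. "Rebuild the 2.2-2+deb10u1 security update for bullseye", so the CVE identifiers are attached to the version that actually lands in bullseye. Separately, the CVE-2021-31684 text says "JSON Smart versions 1.3 and 2.4" while this package is 2.2; a clarifying word that 2.2 is affected too would stop the entry reading as if the patch were inapplicable.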
diff --git a/debian/control b/debian/control
index 6488a01..deb7c40 100644
--- a/debian/control
+++ b/debian/control
@@ -6,8 +6,8 @@ Uploaders: Emmanuel Bourg 
 Build-Depends: debhelper (>= 10), default-jdk, maven-debian-helper (>= 1.5)
 Build-Depends-Indep: libmaven-bundle-plugin-java, junit
 Standards-Version: 4.1.1
-Vcs-Git: https://anonscm.debian.org/git/pkg-java/json-smart.git
-Vcs-Browser: https://anonscm.debian.org/cgit/pkg-java/json-smart.git
+Vcs-Browser: https://salsa.debian.org/java-team/json-smart
+Vcs-Git: https://salsa.debian.org/java-team/json-smart.git
 Homepage: http://netplex.github.io/json-smart/
 
 Package: libjson-smart-java
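Review bot: the replacement lines put Vcs-Browser before Vcs-Git, the reverse of the removed pair, so the hunk shows four changed lines for what is a pure URL substitution; keeping the original Vcs-Git then Vcs-Browser order would make the diff minimal and easier to verify. The new URLs are internally consistent (Vcs-Git with the .git suffix, Vcs-Browser without), and since this is a metadata-only change it has no effect on the built package.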
diff --git a/debian/patches/0004-CVE-2021-31684-Fix-indexOf.patch 
b/debian/patches/0004-CVE-2021-31684-Fix-indexOf.patch
new file mode 100644
index 000..d085f43
--- /dev/null
+++