Bug#1068110: netty: CVE-2024-29025

2024-03-30 Thread Salvatore Bonaccorso
Source: netty Version: 1:4.1.48-9 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for netty. CVE-2024-29025[0]: | Netty is an asynchronous event-driven network application framework | for rapid

Bug#1067514: commons-configuration2: CVE-2024-29133

2024-03-22 Thread Salvatore Bonaccorso
Source: commons-configuration2 Version: 2.8.0-2 Severity: important Tags: security upstream Forwarded: https://issues.apache.org/jira/browse/CONFIGURATION-841 X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for commons-configuration2.

Bug#1067513: commons-configuration2: CVE-2024-29131

2024-03-22 Thread Salvatore Bonaccorso
Source: commons-configuration2 Version: 2.8.0-2 Severity: important Tags: security upstream Forwarded: https://issues.apache.org/jira/browse/CONFIGURATION-840 X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for commons-configuration2.

Bug#1066947: zookeeper: CVE-2024-23944

2024-03-15 Thread Salvatore Bonaccorso
Source: zookeeper Version: 3.9.1-1 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for zookeeper. CVE-2024-23944[0]: | Information disclosure in persistent watchers handling in Apache | ZooKeeper

Bug#1066877: tomcat10: CVE-2024-23672

2024-03-14 Thread Salvatore Bonaccorso
Source: tomcat10 Version: 10.1.16-1 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for tomcat10. CVE-2024-23672[0]: | Denial of Service via incomplete cleanup vulnerability in Apache | Tomcat. It

Bug#1066878: tomcat10: CVE-2024-24549

2024-03-14 Thread Salvatore Bonaccorso
Source: tomcat10 Version: 10.1.16-1 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for tomcat10. CVE-2024-24549[0]: | Denial of Service due to improper input validation vulnerability for | HTTP/2

Bug#1065847: jboss-xnio: CVE-2023-5685

2024-03-10 Thread Salvatore Bonaccorso
Source: jboss-xnio Version: 3.8.10-1 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for jboss-xnio. CVE-2023-5685[0]: | StackOverflowException when the chain of notifier states becomes |

Bug#1064923: jetty9: CVE-2024-22201

2024-02-27 Thread Salvatore Bonaccorso
Source: jetty9 Version: 9.4.53-1 Severity: important Tags: security upstream Forwarded: https://github.com/jetty/jetty.project/issues/11256 X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for jetty9. CVE-2024-22201[0]: | Jetty is a Java based

Bug#1064414: libcommons-compress-java: CVE-2024-26308

2024-02-21 Thread Salvatore Bonaccorso
Source: libcommons-compress-java Version: 1.25.0-1 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Control: found -1 1.22-1 Hi, The following vulnerability was published for libcommons-compress-java. CVE-2024-26308[0]: | Allocation of Resources

Bug#1064413: libcommons-compress-java: CVE-2024-25710

2024-02-21 Thread Salvatore Bonaccorso
Source: libcommons-compress-java Version: 1.25.0-1 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Control: found -1 1.22-1 Control: found -1 1.20-1 Hi, The following vulnerability was published for libcommons-compress-java. CVE-2024-25710[0]:

Bug#1064192: openrefine: CVE-2024-23833

2024-02-18 Thread Salvatore Bonaccorso
Source: openrefine Version: 3.7.7-1 Severity: grave Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for openrefine. Markus, please adjust severity if you think grave/RC severity is not appropriate. openrefine updates

Bug#1062846: libowasp-antisamy-java: CVE-2024-23635

2024-02-03 Thread Salvatore Bonaccorso
Source: libowasp-antisamy-java Version: 1.7.4-1 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for libowasp-antisamy-java. CVE-2024-23635[0]: | AntiSamy is a library for performing fast,

Bug#1060754: shiro: CVE-2023-46749

2024-01-13 Thread Salvatore Bonaccorso
Source: shiro Version: 1.3.2-5 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for shiro. CVE-2023-46749[0]: | path traversal attack If you fix the vulnerability please also make sure to include

Bug#1060169: axis: CVE-2023-51441

2024-01-06 Thread Salvatore Bonaccorso
Source: axis Version: 1.4-29 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Control: found -1 1.4-28 Control: found -1 1.4-28+deb12u1 Hi, The following vulnerability was published for axis. CVE-2023-51441[0]: | ** UNSUPPORTED WHEN ASSIGNED **

Bug#1059726: jline3: CVE-2023-50572

2023-12-30 Thread Salvatore Bonaccorso
Source: jline3 Version: 3.3.1-3 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for jline3. CVE-2023-50572[0]: | An issue in the component GroovyEngine.execute of jline-groovy | v3.24.1 allows

Bug#1059564: jayway-jsonpath: Update Homepage field

2023-12-28 Thread Salvatore Bonaccorso
Source: jayway-jsonpath Version: 2.0.0-5 Severity: minor X-Debbugs-Cc: car...@debian.org Hi The homepage referenced in the Homepage control fields redirects to https://github.com/json-path/JsonPath which seems to be the new home. Might be worth updating in any next upload. Regards, Salvatore

Bug#1057423: logback: CVE-2023-6378

2023-12-04 Thread Salvatore Bonaccorso
On Mon, Dec 04, 2023 at 08:57:52PM +0100, Salvatore Bonaccorso wrote: > Source: logback > Version: 1:1.2.11-4 > Severity: important > Tags: security upstream > X-Debbugs-Cc: car...@debian.org, Debian Security Team > > Control: found -1 1:1.2.11-3 > > Hi, >

Bug#1057423: logback: CVE-2023-6378

2023-12-04 Thread Salvatore Bonaccorso
Source: logback Version: 1:1.2.11-4 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Control: found -1 1:1.2.11-3 Hi, The following vulnerability was published for logback. CVE-2023-6378[0]: | A serialization vulnerability in logback receiver

Bug#1057315: tiles: CVE-2023-49735

2023-12-03 Thread Salvatore Bonaccorso
Control: clone -1 -2 -3 Control: retitle -2 tiles: Add README.Debian.security to document support status Control: reassign -3 src:debian-security-support Control: retitle -3 Mark tiles as only supported for building applications shipped in Debian Hi, On Sun, Dec 03, 2023 at 03:35:31PM +0100,

Bug#1057315: tiles: CVE-2023-49735

2023-12-03 Thread Salvatore Bonaccorso
Source: tiles Version: 3.0.7-5 Severity: important Tags: security upstream X-Debbugs-Cc: a...@debian.org, ebo...@apache.org, car...@debian.org, Debian Security Team Hi, The following vulnerability was published for tiles. CVE-2023-49735[0]: | ** UNSUPPORTED WHEN ASSIGNED ** The value set as

Bug#1057082: tomcat10: CVE-2023-46589

2023-11-29 Thread Salvatore Bonaccorso
Source: tomcat10 Version: 10.1.15-1 Severity: important Tags: security upstream fixed-upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for tomcat10. CVE-2023-46589[0]: | Improper Input Validation vulnerability in Apache Tomcat. Tomcat

Bug#1056755: derby: CVE-2022-46337

2023-11-25 Thread Salvatore Bonaccorso
Source: derby Version: 10.14.2.0-2 Severity: important Tags: security upstream Forwarded: https://issues.apache.org/jira/browse/DERBY-7147 X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for derby. CVE-2022-46337[0]: | A cleverly devised

Bug#1056754: bouncycastle: CVE-2023-33202

2023-11-25 Thread Salvatore Bonaccorso
Source: bouncycastle Version: 1.72-2 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for bouncycastle. CVE-2023-33202[0]: | Bouncy Castle for Java before 1.73 contains a potential Denial of |

Bug#1054893: undertow: CVE-2023-3223

2023-10-28 Thread Salvatore Bonaccorso
Source: undertow Version: 2.3.8-2 Severity: important Tags: security upstream Forwarded: https://issues.redhat.com/browse/UNDERTOW-2271 X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for undertow. CVE-2023-3223[0]: | A flaw was found in

Bug#1054234: netty: CVE-2023-44487

2023-10-19 Thread Salvatore Bonaccorso
Source: netty Version: 1:4.1.48-7 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Control: found -1 1:4.1.48-4 Hi, The following vulnerability was published for netty. CVE-2023-44487[0]: | The HTTP/2 protocol allows a denial of service (server

Bug#1054224: zookeeper: CVE-2023-44981

2023-10-19 Thread Salvatore Bonaccorso
Source: zookeeper Version: 3.8.0-11 Severity: grave Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Control: found -1 3.4.13-6 Hi, The following vulnerability was published for zookeeper. CVE-2023-44981[0]: | Authorization Bypass Through User-Controlled Key

Bug#1054164: libowasp-antisamy-java: CVE-2023-43643

2023-10-18 Thread Salvatore Bonaccorso
Source: libowasp-antisamy-java Version: 1.5.3+dfsg-1.1 Severity: grave Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for libowasp-antisamy-java. Note: The severity is set to RC, though 'important' would better fit.

Bug#1053474: snappy-java: CVE-2023-43642

2023-10-04 Thread Salvatore Bonaccorso
Source: snappy-java Version: 1.1.8.3-1 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for snappy-java. CVE-2023-43642[0]: | snappy-java is a Java port of the snappy, a fast C++ |

Bug#1052065: libcommons-compress-java: CVE-2023-42503

2023-09-16 Thread Salvatore Bonaccorso
Source: libcommons-compress-java Version: 1.22-1 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for libcommons-compress-java. CVE-2023-42503[0]: | Improper Input Validation, Uncontrolled Resource

Bug#1051956: libapache-mod-jk: CVE-2023-41081

2023-09-14 Thread Salvatore Bonaccorso
Source: libapache-mod-jk Version: 1:1.2.48-2 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for libapache-mod-jk. CVE-2023-41081[0]: | The mod_jk component of Apache Tomcat Connectors in some |

Bug#1051288: axis: CVE-2023-40743

2023-09-05 Thread Salvatore Bonaccorso
Source: axis Version: 1.4-28 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for axis. CVE-2023-40743[0]: | ** UNSUPPORTED WHEN ASSIGNED ** When integrating Apache Axis 1.x in | an application, it

Bug#1051228: shiro: CVE-2023-34478

2023-09-04 Thread Salvatore Bonaccorso
Source: shiro Version: 1.3.2-5 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for shiro. CVE-2023-34478[0]: | Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be susceptible to | a path traversal

Bug#1040050: bouncycastle: CVE-2023-33201: potential blind LDAP injection attack using a self-signed certificate

2023-07-01 Thread Salvatore Bonaccorso
Source: bouncycastle Version: 1.72-2 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for bouncycastle. CVE-2023-33201[0]: | potential blind LDAP injection attack using a self-signed | certificate

Bug#1038979: guava-libraries: CVE-2020-8908 CVE-2023-2976

2023-06-23 Thread Salvatore Bonaccorso
Source: guava-libraries Version: 31.1-1 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerabilities were published for guava-libraries. CVE-2020-8908[0]: | A temp directory creation vulnerability exists in all versions of

Bug#1034824: tomcat9 should not be released with Bookworm

2023-05-26 Thread Salvatore Bonaccorso
hey all, I was involved with a discussion on site here in Hamburg with Paul about it. On Fri, May 26, 2023 at 10:58:48AM +0200, Moritz Muehlenhoff wrote: > On Fri, May 26, 2023 at 12:10:18AM +0200, Markus Koschany wrote: > > First of all trapperkeeper-webserver-jetty9-clojure should add a build-

Bug#1036706: xerial-sqlite-jdbc: CVE-2023-32697

2023-05-24 Thread Salvatore Bonaccorso
Source: xerial-sqlite-jdbc Version: 3.40.1.0+dfsg-1 Severity: grave Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for xerial-sqlite-jdbc. CVE-2023-32697[0]: | SQLite JDBC is a library for accessing and creating

Bug#1034824: tomcat9 should not be released with Bookworm

2023-05-13 Thread Salvatore Bonaccorso
Hi Markus, On Sat, May 13, 2023 at 06:27:49PM +0200, Markus Koschany wrote: > I have just pushed the necessary changes to our Git repository. > > https://salsa.debian.org/java-team/tomcat9/-/commit/adbd0b0711de66b67278b10e258c47c805e9b993 Do we need to have done more here? When Paul asked on

Bug#1033846: libjettison-java: CVE-2023-1436

2023-04-02 Thread Salvatore Bonaccorso
Source: libjettison-java Version: 1.5.3-1 Severity: important Tags: security upstream Forwarded: https://github.com/jettison-json/jettison/issues/60 X-Debbugs-Cc: car...@debian.org, Debian Security Team Control: found -1 1.5.3-1~deb11u1 Hi, The following vulnerability was published for

Bug#1033475: tomcat9: CVE-2023-28708

2023-03-25 Thread Salvatore Bonaccorso
Source: tomcat9 Version: 9.0.70-1 Severity: important Tags: security upstream Forwarded: https://bz.apache.org/bugzilla/show_bug.cgi?id=66471 X-Debbugs-Cc: car...@debian.org, Debian Security Team Control: found -1 9.0.43-2~deb11u4 Control: found -1 9.0.43-2 Hi, The following vulnerability was

Bug#1033474: json-smart: CVE-2023-1370

2023-03-25 Thread Salvatore Bonaccorso
Source: json-smart Version: 2.2-2 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for json-smart. CVE-2023-1370[0]: | [Json-smart](https://netplex.github.io/json-smart/) is a performance | focused,

Bug#1027754: libxstream-java: CVE-2022-41966

2023-01-02 Thread Salvatore Bonaccorso
Source: libxstream-java Version: 1.4.19-1 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for libxstream-java. CVE-2022-41966[0]: | XStream serializes Java objects to XML and back again. Versions

Bug#1025910: libcommons-net-java: CVE-2021-37533

2022-12-11 Thread Salvatore Bonaccorso
Source: libcommons-net-java Version: 3.6-1 Severity: important Tags: security upstream Forwarded: https://issues.apache.org/jira/browse/NET-711 X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for libcommons-net-java. CVE-2021-37533[0]: |

Bug#1024738: apache-jena: CVE-2022-45136

2022-11-23 Thread Salvatore Bonaccorso
Source: apache-jena Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi Java maintainers, the following vulnerability was published for apache-jena, but there is only little information available. My understanding is that it still

Bug#1023573: hsqldb: CVE-2022-41853

2022-11-06 Thread Salvatore Bonaccorso
Source: hsqldb Version: 2.7.0-1 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for hsqldb. CVE-2022-41853[0]: | Those using java.sql.Statement or java.sql.PreparedStatement in hsqldb | (HyperSQL

Bug#1022554: libjettison-java: CVE-2022-40149

2022-10-23 Thread Salvatore Bonaccorso
Source: libjettison-java Version: 1.4.1-1 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for libjettison-java. It is fixed upstream in 1.5.1. CVE-2022-40149[0]: | Those using Jettison to parse

Bug#1022553: libjettison-java: CVE-2022-40150

2022-10-23 Thread Salvatore Bonaccorso
Source: libjettison-java Version: 1.4.1-1 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for libjettison-java. CVE-2022-40150[0]: | Those using Jettison to parse untrusted XML or JSON data may be |

Bug#1019218: snakeyaml: CVE-2022-25857

2022-09-28 Thread Salvatore Bonaccorso
Hi Tony Thanks for the update. On Wed, Sep 28, 2022 at 08:30:07AM -0700, tony mancill wrote: > On Tue, Sep 27, 2022 at 05:41:21PM +0200, Salvatore Bonaccorso wrote: > > > snakeyaml 1.31 has been uploaded to unstable. I will start work on > > > 1.33, which addresses

Bug#1019218: snakeyaml: CVE-2022-25857

2022-09-27 Thread Salvatore Bonaccorso
Hi Tony, On Tue, Sep 27, 2022 at 08:06:58AM -0700, tony mancill wrote: > On Mon, Sep 05, 2022 at 09:48:33PM +0200, Salvatore Bonaccorso wrote: > > Source: snakeyaml > > Version: 1.29-1 > > Severity: important > > Tags: security upstream > > Forwarded: https://

Bug#1020589: batik: CVE-2022-38398 CVE-2022-38648 CVE-2022-40146

2022-09-23 Thread Salvatore Bonaccorso
Source: batik Version: 1.14-2 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerabilities were published for batik. CVE-2022-38398[0]: | Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache | XML Graphics

Bug#1019218: snakeyaml: CVE-2022-25857

2022-09-05 Thread Salvatore Bonaccorso
Source: snakeyaml Version: 1.29-1 Severity: important Tags: security upstream Forwarded: https://bitbucket.org/snakeyaml/snakeyaml/issues/525 X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for snakeyaml. CVE-2022-25857[0]: | The package

Bug#1018931: jsoup: CVE-2022-36033: The jsoup cleaner may incorrectly sanitize crafted XSS attempts if SafeList.preserveRelativeLinks is enabled

2022-09-02 Thread Salvatore Bonaccorso
Source: jsoup Version: 1.15.2-1 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for jsoup. CVE-2022-36033[0]: | jsoup is a Java HTML parser, built for HTML editing, cleaning, | scraping, and

Bug#1016662: libpgjava: CVE-2022-31197: SQL Injection in ResultSet.refreshRow() with malicious column names

2022-08-04 Thread Salvatore Bonaccorso
Source: libpgjava Version: 42.4.0-1 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for libpgjava. CVE-2022-31197[0]: | PostgreSQL JDBC Driver (PgJDBC for short) allows Java programs to | connect to

Bug#1012314: maven-shared-utils: CVE-2022-29599

2022-06-03 Thread Salvatore Bonaccorso
Source: maven-shared-utils Version: 3.3.0-1 Severity: important Tags: security upstream Forwarded: https://issues.apache.org/jira/browse/MSHARED-297 X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for maven-shared-utils. CVE-2022-29599[0]: |

Bug#1010693: netty: CVE-2022-24823

2022-05-07 Thread Salvatore Bonaccorso
Source: netty Version: 1:4.1.48-4 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for netty. CVE-2022-24823[0]: | Netty is an open-source, asynchronous event-driven network application | framework.

Bug#1010154: libowasp-antisamy-java: CVE-2022-28366 + CVE-2022-28367

2022-04-25 Thread Salvatore Bonaccorso
Hi! On Mon, Apr 25, 2022 at 01:48:43PM +0100, Neil Williams wrote: > On Mon, 25 Apr 2022 13:39:49 +0100 Neil Williams wrote: > > Please note, the current homepage for libowasp-antisamy-java appears to > > have no commits beyond version 1.5.3 but the change for CVE-2022-29577 > > does match the

Bug#1003894: h2database: CVE-2021-42392

2022-01-17 Thread Salvatore Bonaccorso
Source: h2database Version: 1.4.197-4 Severity: grave Tags: security upstream Justification: user security hole X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for h2database. CVE-2021-42392[0]: | The org.h2.util.JdbcUtils.getConnection

Bug#1002813: apache-log4j2: CVE-2021-44832: remote code execution via JDBC Appender

2021-12-29 Thread Salvatore Bonaccorso
Source: apache-log4j2 Version: 2.17.0-1 Severity: grave Tags: security upstream Justification: user security hole Forwarded: https://issues.apache.org/jira/browse/LOG4J2-3293 X-Debbugs-Cc: car...@debian.org, Debian Security Team Control: found -1 2.17.0-1~deb11u1 Control: found -1

Bug#1001891: apache-log4j2: CVE-2021-45105: Certain strings can cause infinite recursion

2021-12-18 Thread Salvatore Bonaccorso
Hi! On Sat, Dec 18, 2021 at 03:30:16PM +0100, Markus Koschany wrote: > Control: owner -1 ! > > Am Samstag, dem 18.12.2021 um 14:37 +0100 schrieb Salvatore Bonaccorso: > > Source: apache-log4j2 > > Version: 2.16.0-1 > > Severity: grave > > Tags: secur

Bug#1001891: apache-log4j2: CVE-2021-45105: Certain strings can cause infinite recursion

2021-12-18 Thread Salvatore Bonaccorso
Source: apache-log4j2 Version: 2.16.0-1 Severity: grave Tags: security upstream Forwarded: https://issues.apache.org/jira/browse/LOG4J2-3230 X-Debbugs-Cc: car...@debian.org, Debian Security Team Control: found -1 2.16.0-1~deb11u1 Control: found -1 2.16.0-1~deb10u1 Hi, The following

Bug#1001729: apache-log4j2: CVE-2021-45046: Incomplete fix for CVE-2021-44228 in certain non-default configurations

2021-12-14 Thread Salvatore Bonaccorso
Hi Markus, On Tue, Dec 14, 2021 at 11:45:20PM +0100, Markus Koschany wrote: > Control: owner -1 ! > > Am Dienstag, dem 14.12.2021 um 21:37 +0100 schrieb Salvatore Bonaccorso: > > Source: apache-log4j2 > > Version: 2.15.0-1 > > Severity: grave > > Tags: security

Bug#1001729: apache-log4j2: CVE-2021-45046: Incomplete fix for CVE-2021-44228 in certain non-default configurations

2021-12-14 Thread Salvatore Bonaccorso
Source: apache-log4j2 Version: 2.15.0-1 Severity: grave Tags: security upstream Justification: user security hole Forwarded: https://issues.apache.org/jira/browse/LOG4J2-3221 X-Debbugs-Cc: car...@debian.org, Debian Security Team Control: found -1 2.15.0-1~deb11u1 Control: found -1

Bug#1001478: apache-log4j2: CVE-2021-44228: Remote code injection via crafted log messages

2021-12-10 Thread Salvatore Bonaccorso
Source: apache-log4j2 Version: 2.13.3-1 Severity: grave Tags: security upstream Justification: user security hole Forwarded: https://issues.apache.org/jira/browse/LOG4J2-3198 https://github.com/apache/logging-log4j2/pull/608 X-Debbugs-Cc: car...@debian.org, Debian Security Team Control: found -1

Bug#1001437: netty: CVE-2021-43797: HTTP fails to validate against control chars in header names which may lead to HTTP request smuggling

2021-12-09 Thread Salvatore Bonaccorso
Source: netty Version: 1:4.1.48-4 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for netty. CVE-2021-43797[0]: | Netty is an asynchronous event-driven network application framework | for rapid

Bug#1001037: kotlin: CVE-2020-29582

2021-12-02 Thread Salvatore Bonaccorso
Source: kotlin Version: 1.3.31+~1.0.1+~0.11.12-1 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi Andrej, Looking at https://blog.jetbrains.com/blog/2021/02/03/jetbrains-security-bulletin-q4-2020/ there is an entry for Kotlin. It is said to be

Bug#994569: libxml-security-java: CVE-2021-40690

2021-09-17 Thread Salvatore Bonaccorso
Source: libxml-security-java Version: 2.0.10-2 Severity: grave Tags: security upstream Justification: user security hole X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for libxml-security-java. CVE-2021-40690[0]: | Bypass of the

Bug#992590: jsoup: CVE-2021-37714

2021-08-20 Thread Salvatore Bonaccorso
Source: jsoup Version: 1.10.2-2 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for jsoup. CVE-2021-37714[0]: | jsoup is a Java library for working with HTML. Those using jsoup | versions prior to

Bug#991614: apache-directory-server: CVE-2021-33900

2021-08-01 Thread Salvatore Bonaccorso
Hi Markus, On Sun, Aug 01, 2021 at 05:53:55PM +0200, Salvatore Bonaccorso wrote: > Hi Markus, > > On Sun, Aug 01, 2021 at 05:28:23PM +0200, Markus Koschany wrote: > > On Wed, 28 Jul 2021 17:44:49 +0200 Salvatore Bonaccorso > > wrote: > > > > > Hi, >

Bug#991614: apache-directory-server: CVE-2021-33900

2021-08-01 Thread Salvatore Bonaccorso
Hi Markus, On Sun, Aug 01, 2021 at 05:28:23PM +0200, Markus Koschany wrote: > On Wed, 28 Jul 2021 17:44:49 +0200 Salvatore Bonaccorso > wrote: > > > Hi, > > > > The following vulnerability was published for apache-directory-server. > > > >

Bug#991614: apache-directory-server: CVE-2021-33900

2021-07-28 Thread Salvatore Bonaccorso
Source: apache-directory-server Version: 2.0.0~M24-4 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Control: found -1 2.0.0~M24-3 Hi, The following vulnerability was published for apache-directory-server. CVE-2021-33900[0]: | While

Bug#991526: libpdfbox2-java: CVE-2021-31811 CVE-2021-31812

2021-07-26 Thread Salvatore Bonaccorso
Source: libpdfbox2-java Version: 2.0.23-1 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Control: clone -1 -2 Control: reassign -2 src:libpdfbox-java 1:1.8.16-2 Control: retitle -2 libpdfbox-java: CVE-2021-31811 CVE-2021-31812 Hi, The following

Bug#991188: jetty9: CVE-2021-34429

2021-07-17 Thread Salvatore Bonaccorso
Hi On Fri, Jul 16, 2021 at 10:44:20PM +0200, Markus Koschany wrote: > Control: owner -1 ! > > Hi, > > Am Freitag, dem 16.07.2021 um 21:16 +0200 schrieb Salvatore Bonaccorso: > > Source: jetty9 > > Version: 9.4.39-2 > > Severity: grave > > Tags:

Bug#991188: jetty9: CVE-2021-34429

2021-07-16 Thread Salvatore Bonaccorso
Source: jetty9 Version: 9.4.39-2 Severity: grave Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for jetty9. CVE-2021-34429[0]: | For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 | 11.0.1-11.0.5, URIs can be

Bug#990671: libjdom2-java: CVE-2021-33813

2021-07-04 Thread Salvatore Bonaccorso
Source: libjdom2-java Version: 2.0.6-2 Severity: important Tags: security upstream Forwarded: https://github.com/hunterhacker/jdom/pull/188 X-Debbugs-Cc: car...@debian.org, Debian Security Team Control: clone -1 -2 Control: reassign -2 src:libjdom1-java 1.1.3-2 Control: found -1 2.0.6-1 Control:

Bug#990578: jetty9: CVE-2021-34428

2021-07-02 Thread Salvatore Bonaccorso
Source: jetty9 Version: 9.4.39-1 Severity: important Tags: security upstream Forwarded: https://github.com/eclipse/jetty.project/issues/6277 X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for jetty9. CVE-2021-34428[0]: | For Eclipse Jetty

Bug#990345: zookeeper: various security issues

2021-06-27 Thread Salvatore Bonaccorso
[Disclaimer, not the package maintainer, but quickly checked your report for tracking within the security team] On Sat, Jun 26, 2021 at 01:50:44PM +0200, Christoph Anton Mitterer wrote: > Source: zookeeper > Version: 3.4.13-6 > Severity: grave > Tags: security > Justification: user security hole

Bug#989999: jetty9: CVE-2021-28169

2021-06-17 Thread Salvatore Bonaccorso
Source: jetty9 Version: 9.4.39-1 Severity: important Tags: security upstream Forwarded: https://github.com/eclipse/jetty.project/issues/6263 X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for jetty9. CVE-2021-28169[0]: | For Eclipse Jetty

Bug#989861: undertow: CVE-2021-3597

2021-06-15 Thread Salvatore Bonaccorso
Hi, On Mon, Jun 14, 2021 at 10:13:19PM +0200, Salvatore Bonaccorso wrote: > CVE-2021-3597[0]: > No description was found (try on a search engine) Sorry, forgot to fill in something sensible here. Salvatore

Bug#989861: undertow: CVE-2021-3597

2021-06-14 Thread Salvatore Bonaccorso
Source: undertow Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for undertow, though it is hard to tell if our version is affected, [1] lacks details. CVE-2021-3597[0]: No description was found

Bug#989616: netbeans: Package exists (as source only?) but not installable

2021-06-08 Thread Salvatore Bonaccorso
[Big disclaimer: I'm not the maintainer but spotted the RC bug filed] Hi, On Tue, Jun 08, 2021 at 03:32:18PM -0400, benjamin melançon wrote: > Source: netbeans > Version: 12.1-3 > Severity: serious > Tags: d-i ftbfs > Justification: fails to build from source > X-Debbugs-Cc:

Bug#989491: libxstream-java: CVE-2021-29505

2021-06-05 Thread Salvatore Bonaccorso
Source: libxstream-java Version: 1.4.15-2 Severity: grave Tags: security upstream Justification: user security hole X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for libxstream-java. CVE-2021-29505[0]: | ### Impact The vulnerability may

Bug#961298: Dropping jodd from bullseye

2021-05-18 Thread Salvatore Bonaccorso
Hi, On Tue, May 18, 2021 at 11:05:15PM +0200, Emmanuel Bourg wrote: > Le 2021-05-18 20:39, Moritz Mühlenhoff a écrit : > > > let's remove jodd from bullseye until it gets actually used, ok? I can > > file > > an RM bug with the release team. > > Yes go ahead. For same reason we might consider

Bug#988109: mqtt-client: CVE-2019-0222

2021-05-05 Thread Salvatore Bonaccorso
Hi Thanks for raising this problem. On Wed, May 05, 2021 at 10:12:34PM +0200, Andreas Beckmann wrote: > Source: mqtt-client > Version: 1.14-1 > Severity: serious > Tags: security > User: debian...@lists.debian.org > Usertags: piuparts > Control: fixed -1 1.14-1+deb9u1 > > Hi, > > CVE-2019-0222

Bug#986008: libpdfbox2-java: CVE-2021-27906

2021-04-05 Thread Salvatore Bonaccorso
Hi, On Sun, Apr 04, 2021 at 09:05:06PM -0700, tony mancill wrote: > On Sat, Mar 27, 2021 at 07:54:11PM +0100, Salvatore Bonaccorso wrote: > > Source: libpdfbox2-java > > Version: 2.0.22-1 > > Severity: important > > Tags: security upstream > > Forwarded: http

Bug#986217: netty: CVE-2021-21409

2021-03-31 Thread Salvatore Bonaccorso
Source: netty Version: 1:4.1.48-3 Severity: grave Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for netty. Strictly speaking this might be disputable as RC severity, but I think it should reach bullseye and so

Bug#986008: libpdfbox2-java: CVE-2021-27906

2021-03-27 Thread Salvatore Bonaccorso
Source: libpdfbox2-java Version: 2.0.22-1 Severity: important Tags: security upstream Forwarded: https://issues.apache.org/jira/browse/PDFBOX-5112 X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for libpdfbox2-java. CVE-2021-27906[0]: | A

Bug#986006: libpdfbox2-java: CVE-2021-27807

2021-03-27 Thread Salvatore Bonaccorso
Source: libpdfbox2-java Version: 2.0.22-1 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for libpdfbox2-java. CVE-2021-27807[0]: | A carefully crafted PDF file can trigger an infinite loop while |

Bug#985843: libxstream-java: CVE-2021-21341 CVE-2021-21342 CVE-2021-21343 CVE-2021-21344 CVE-2021-21345 CVE-2021-21346 CVE-2021-21347 CVE-2021-21348 CVE-2021-21349 CVE-2021-21350 CVE-2021-21351

2021-03-24 Thread Salvatore Bonaccorso
Source: libxstream-java Version: 1.4.15-1 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerabilities were published for libxstream-java. CVE-2021-21341[0]: | XStream is a Java library to serialize objects to XML and back

Bug#985221: velocity-tools: CVE-2020-13959

2021-03-14 Thread Salvatore Bonaccorso
Source: velocity-tools Version: 2.0-7 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for velocity-tools. CVE-2020-13959[0]: | The default error page for VelocityView in Apache Velocity Tools prior

Bug#985220: velocity: CVE-2020-13936

2021-03-14 Thread Salvatore Bonaccorso
Source: velocity Version: 1.7-5.1 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Control: found -1 1.7-5 Hi, The following vulnerability was published for velocity. CVE-2020-13936[0]: | An attacker that is able to modify Velocity templates may

Bug#984949: xmlgraphics-commons: CVE-2020-11988: SSRF due to improper input validation by the XMPParser

2021-03-10 Thread Salvatore Bonaccorso
Source: xmlgraphics-commons Version: 2.4-1 Severity: important Tags: security upstream Forwarded: https://issues.apache.org/jira/browse/XGC-122 X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for xmlgraphics-commons. CVE-2020-11988[0]: |

Bug#984948: netty: CVE-2021-21295

2021-03-10 Thread Salvatore Bonaccorso
Source: netty Version: 1:4.1.48-2 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for netty. CVE-2021-21295[0]: | Netty is an open-source, asynchronous event-driven network application | framework

Bug#984829: batik: CVE-2020-11987

2021-03-08 Thread Salvatore Bonaccorso
Source: batik Version: 1.12-4 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team The following vulnerability was published for batik. CVE-2020-11987[0]: | Apache Batik 1.13 is vulnerable to server-side request forgery, caused | by improper input

Bug#961298: jodd: CVE-2018-21234: Potential vulnerability in JSON deserialization

2021-03-01 Thread Salvatore Bonaccorso
Hi Emmanuel, On Sat, May 30, 2020 at 02:50:32PM +0200, Emmanuel Bourg wrote: > Control: severity -1 important > > On 22/05/2020 at 22:51, Salvatore Bonaccorso wrote: > > > The following vulnerability was published for jodd. I'm filing it as > > RC severity since a

Bug#983664: jackson-dataformat-cbor: CVE-2020-28491

2021-02-28 Thread Salvatore Bonaccorso
Source: jackson-dataformat-cbor Version: 2.7.8-3 Severity: important Tags: security upstream Forwarded: https://github.com/FasterXML/jackson-dataformats-binary/issues/186 X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for

Bug#982580: netty: CVE-2021-21290

2021-02-12 Thread Salvatore Bonaccorso
Hey Markus, [Adding CC to t...@s.do so we can better distribute load on requests] On Fri, Feb 12, 2021 at 08:31:11PM +0100, Markus Koschany wrote: > Control: owner -1 ! > > Hi Salvatore, > > On Friday, 12.02.2021, 07:42 +0100, Salvatore Bonaccorso wrote: > > Source:

Bug#982590: activemq: CVE-2021-26117

2021-02-12 Thread Salvatore Bonaccorso
Source: activemq Version: 5.16.0-1 Severity: important Tags: security upstream Forwarded: https://issues.apache.org/jira/browse/AMQ-8035 X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for activemq. CVE-2021-26117[0]: | The optional ActiveMQ

Bug#982580: netty: CVE-2021-21290

2021-02-11 Thread Salvatore Bonaccorso
Source: netty Version: 1:4.1.48-1 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Control: found -1 1:4.1.33-1+deb10u1 Control: found -1 1:4.1.33-1 Hi, The following vulnerability was published for netty. CVE-2021-21290[0]: | Netty is an

Bug#977683: bouncycastle: diff for NMU version 1.65-1.1

2021-01-03 Thread Salvatore Bonaccorso
) (Closes: #977683) + + -- Salvatore Bonaccorso Sun, 03 Jan 2021 21:12:39 +0100 + bouncycastle (1.65-1) unstable; urgency=medium * Team upload. diff -Nru bouncycastle-1.65/debian/patches/corrected-constant-time-equals.patch bouncycastle-1.65/debian/patches/corrected-constant-time-equals.patch

Bug#977683: bouncycastle: CVE-2020-28052

2020-12-18 Thread Salvatore Bonaccorso
Source: bouncycastle Version: 1.65-1 Severity: grave Tags: security upstream Justification: user security hole X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for bouncycastle, it affects 1.65 and 1.66 and is fixed in 1.67. CVE-2020-28052[0]:

Bug#977624: libxstream-java: CVE-2020-26259: XStream is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling

2020-12-17 Thread Salvatore Bonaccorso
Source: libxstream-java Version: 1.4.14-1 Severity: grave Tags: security upstream Justification: user security hole X-Debbugs-Cc: car...@debian.org, Debian Security Team Control: found -1 1.4.11.1-1+deb10u1 Control: found -1 1.4.11.1-1 Hi, The following vulnerability was published for
