Bug#895114: libspring-java: CVE-2018-1270 CVE-2018-1272

2018-04-10 Thread Salvatore Bonaccorso
On Sat, Apr 07, 2018 at 09:46:13AM +0200, Salvatore Bonaccorso wrote: > Source: libspring-java > Version: 4.3.5-1 > Severity: grave > Tags: security upstream fixed-upstream > > Hi, > > The following vulnerabilities were published for libspring-java, > filing o

Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability

2018-04-09 Thread Salvatore Bonaccorso
Hi Felix, Sorry for the delay in getting back to you. On Fri, Apr 06, 2018 at 09:40:40PM +0200, Felix Natter wrote: > hello Security Team, > > here are the CVE-2018-169 security updates for jessie and stretch: > > [jessie] >

Bug#895114: libspring-java: CVE-2018-1270 CVE-2018-1272

2018-04-07 Thread Salvatore Bonaccorso
Source: libspring-java Version: 4.3.5-1 Severity: grave Tags: security upstream fixed-upstream Hi, The following vulnerabilities were published for libspring-java, filing only one bug this time since the common set of affected versions for the two is all 4.3 versions and older unsupported

Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability

2018-04-06 Thread Salvatore Bonaccorso
Hi Felix, On Fri, Apr 06, 2018 at 09:40:40PM +0200, Felix Natter wrote: > hello Security Team, > > here are the CVE-2018-169 security updates for jessie and stretch: > > [jessie] > https://anonscm.debian.org/cgit/pkg-java/freeplane.git/log/?h=jessie-CVE-2018-169 >

Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability

2018-04-03 Thread Salvatore Bonaccorso
Hi Felix, On Sun, Apr 01, 2018 at 06:04:27PM +0200, Markus Koschany wrote: > > > On 01.04.2018 at 17:57, Felix Natter wrote: > [...] > > Thanks, done. > > BTW: Is it ok to close the bug with the stretch-security upload even if > > the jessie-security upload is still pending? > > Yes, that's

Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability

2018-03-21 Thread Salvatore Bonaccorso
Looking at the release-1.5.20 tag: Security fix related to scripts and formulas Security fix related to loading of mind map files Change short cuts for MacOS to avoid collisions The fix might be: https://github.com/freeplane/freeplane/commit/a5dce7f9f4d29675fb256053aee3858bf8d76001 Regards,

Bug#893684: libslf4j-java: CVE-2018-8088: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution

2018-03-21 Thread Salvatore Bonaccorso
Source: libslf4j-java Version: 1.7.25-1 Severity: grave Tags: security upstream Justification: user security hole Forwarded: https://jira.qos.ch/browse/SLF4J-430 Control: found -1 1.7.7-1 Hi, the following vulnerability was published for libslf4j-java. CVE-2018-8088[0]: |

Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability

2018-03-21 Thread Salvatore Bonaccorso
For reference: the issue is linked from the security advisory page at https://www.freeplane.org/wiki/index.php/Fixed_security_vulnerabilities . Although there is unfortunately no reference to the fixing commit (which would have been good for downstreams to help), we know the versions fixed are

Bug#893174: libcommons-compress-java: CVE-2018-1324: Infinite loop via extra field parser in ZipFile and ZipArchiveInputStream classes

2018-03-17 Thread Salvatore Bonaccorso
Source: libcommons-compress-java Version: 1.13-1 Severity: important Tags: patch security upstream Forwarded: https://issues.apache.org/jira/browse/COMPRESS-432 Hi, the following vulnerability was published for libcommons-compress-java. CVE-2018-1324[0]: | A specially crafted ZIP archive can be

Bug#891929: CVE-2018-1047: information disclosure of arbitrary local files

2018-03-02 Thread Salvatore Bonaccorso
Hi! On Fri, Mar 02, 2018 at 08:46:51PM +0100, Markus Koschany wrote: > Control: severity -1 important > > I am no longer sure undertow is affected. The issue is marked resolved > upstream and one of the fixing commits > > https://github.com/wildfly/wildfly/pull/10748/files > > indicates the

Bug#891614: jackson-databind: CVE-2018-7489: incomplete fix for CVE-2017-7525 permits unsafe serialization via c3p0 libraries

2018-02-26 Thread Salvatore Bonaccorso
Source: jackson-databind Version: 2.9.4-1 Severity: grave Tags: patch security upstream Justification: user security hole Forwarded: https://github.com/FasterXML/jackson-databind/issues/1931 Hi, the following vulnerability was published for jackson-databind. CVE-2018-7489[0]: | FasterXML

Bug#890352: activemq: CVE-2017-15709: information leak

2018-02-13 Thread Salvatore Bonaccorso
Source: activemq Version: 5.14.3-3 Severity: important Tags: security upstream Hi, the following vulnerability was published for activemq, filing the bug based on the information available from [0] and [1]. CVE-2017-15709[0]: | When using the OpenWire protocol in ActiveMQ versions 5.14.0 to

Bug#888651: libapache-poi-java: CVE-2017-12626: Denial of Service Vulnerabilities

2018-01-28 Thread Salvatore Bonaccorso
Source: libapache-poi-java Version: 3.10.1-1 Severity: important Tags: security upstream Hi, the following vulnerability was published for libapache-poi-java, I was not able to verify each of the upstream bugs, but according to [1] any version prior to 3.17 is affected.

Bug#888530: openjfx: CVE-2018-2581

2018-01-27 Thread Salvatore Bonaccorso
Source: openjfx Version: 8u151-b12-1 Severity: important Tags: security upstream Hi, the following vulnerability was published for openjfx, apart from the CVE description not much is available: CVE-2018-2581[0]: | Vulnerability in the Java SE component of Oracle Java SE | (subcomponent: JavaFX).

Bug#888316: jackson-databind: CVE-2018-5968

2018-01-25 Thread Salvatore Bonaccorso
Hi Markus, On Thu, Jan 25, 2018 at 02:40:10PM +0100, Markus Koschany wrote: > Hi, > > On Wed, 24 Jan 2018 23:02:44 +0100 Salvatore Bonaccorso > <car...@debian.org> wrote: > > Source: jackson-databind > > Version: 2.9.1-1 > > Severity: grave > > Tags: pa

Bug#888318: jackson-databind: CVE-2017-17485

2018-01-24 Thread Salvatore Bonaccorso
On Wed, Jan 24, 2018 at 11:11:13PM +0100, Salvatore Bonaccorso wrote: > Source: jackson-databind > Version: 2.9.1-1 > Severity: grave > Tags: security upstream > Forwarded: https://github.com/FasterXML/jackson-databind/issues/1855 > > Hi, > > the following vulnerabilit

Bug#888318: jackson-databind: CVE-2017-17485

2018-01-24 Thread Salvatore Bonaccorso
Source: jackson-databind Version: 2.9.1-1 Severity: grave Tags: security upstream Forwarded: https://github.com/FasterXML/jackson-databind/issues/1855 Hi, the following vulnerability was published for jackson-databind. CVE-2017-17485[0]: | FasterXML jackson-databind through 2.8.10 and 2.9.x

Bug#888316: jackson-databind: CVE-2018-5968

2018-01-24 Thread Salvatore Bonaccorso
Source: jackson-databind Version: 2.9.1-1 Severity: grave Tags: patch security upstream Forwarded: https://github.com/FasterXML/jackson-databind/issues/1899 Control: found -1 2.8.6-1+deb9u2 Control: found -1 2.4.2-2+deb8u2 Hi, the following vulnerability was published for jackson-databind.

Bug#825501: CVE-2016-4434

2018-01-18 Thread Salvatore Bonaccorso
Hi Faidon, On Fri, Jan 12, 2018 at 07:54:58PM +0100, Moritz Muehlenhoff wrote: > On Thu, Jan 11, 2018 at 02:03:23PM +0200, Faidon Liambotis wrote: > > On Fri, May 27, 2016 at 11:58:33AM +0200, Moritz Muehlenhoff wrote: > > > please see http://seclists.org/oss-sec/2016/q2/413 for details. > > >

Bug#885577: libhibernate-validator-java: CVE-2017-7536: Privilege escalation when running under the security manager

2018-01-08 Thread Salvatore Bonaccorso
Hey! On Mon, Jan 08, 2018 at 06:03:48PM +0100, Markus Koschany wrote: > Hi, > > On 08.01.2018 at 17:44, Salvatore Bonaccorso wrote: > [...] > > So the patched files exist, and similar code flow is present. > > > > I explicitly have not looked (yet)

Bug#885577: libhibernate-validator-java: CVE-2017-7536: Privilege escalation when running under the security manager

2018-01-08 Thread Salvatore Bonaccorso
Hi Abhijith, hi Markus On Mon, Jan 08, 2018 at 04:01:17PM +0100, Markus Koschany wrote: > On 08.01.2018 at 13:32, Abhijith PA wrote: > > Hello. :) > > > > https://bugzilla.redhat.com/show_bug.cgi?id=1465573#c24 says it affects > > all 5.x versions. But Debian hasn't shipped this version yet. And

Bug#885577: libhibernate-validator-java: CVE-2017-7536: Privilege escalation when running under the security manager

2018-01-02 Thread Salvatore Bonaccorso
Control: found -1 4.3.3-1 Control: tags -1 + upstream fixed-upstream On Thu, Dec 28, 2017 at 10:30:55AM +0100, Salvatore Bonaccorso wrote: > Source: libhibernate-validator-java > Severity: important > Tags: security > > Hi, > > the following vulnerability was publish

Bug#885577: libhibernate-validator-java: CVE-2017-7536: Privilege escalation when running under the security manager

2017-12-28 Thread Salvatore Bonaccorso
Source: libhibernate-validator-java Severity: important Tags: security Hi, the following vulnerability was published for libhibernate-validator-java. There is unfortunately not much information available, cf. [1]. CVE-2017-7536[0]: Privilege escalation when running under the security manager

Bug#885576: undertow: CVE-2017-7559: HTTP Request smuggling vulnerability (incomplete fix of CVE-2017-2666)

2017-12-28 Thread Salvatore Bonaccorso
Source: undertow Severity: important Tags: security Hi, the following vulnerability was published for undertow. There is not much information available if that incomplete fix affects us as well. Or which this was fixed upstream. I asked for clarification in [1], but might you contact directly

Bug#884241: bouncycastle: CVE-2017-13098

2017-12-12 Thread Salvatore Bonaccorso
Source: bouncycastle Version: 1.57-1 Severity: grave Tags: patch security upstream Hi, the following vulnerability was published for bouncycastle. CVE-2017-13098[0]: | Information leak by distinguish valid and invalid RSA PKCS #1 v1.5 | paddings based on different server responses. If you fix

Bug#879001: Bug#879002: Patch for CVE-2017-12197

2017-11-03 Thread Salvatore Bonaccorso
Control: forwarded -1 https://github.com/kohsuke/libpam4j/issues/18 Control: tags -1 + patch upstream Hi Raphael, Emmanuel and Markus, On Fri, Nov 03, 2017 at 09:19:56PM +0100, Markus Koschany wrote: > On Wed, 18 Oct 2017 13:29:19 +0200 Emmanuel Bourg wrote: > > Upstream has

Bug#873392: resteasy: CVE-2017-7561: Vary header not added by CORS filter leading to cache poisoning

2017-08-27 Thread Salvatore Bonaccorso
Source: resteasy Version: 3.1.0-2 Severity: important Tags: security upstream Forwarded: https://issues.jboss.org/projects/RESTEASY/issues/RESTEASY-1704 Hi, the following vulnerability was published for resteasy. CVE-2017-7561[0]: Vary header not added by CORS filter leading to cache poisoning

Bug#870860: openjfx: CVE-2017-10086 CVE-2017-10114

2017-08-05 Thread Salvatore Bonaccorso
Source: openjfx Version: 8u131-b11-1 Severity: grave Tags: upstream security Hi, the following vulnerabilities were published for openjfx. CVE-2017-10086[0] and CVE-2017-10114[1]. Unfortunately there are no more details possibly known, as shared via [2], which states that the supported versions

Bug#870848: jackson-databind: CVE-2017-7525: Deserialization vulnerability via readValue method of ObjectMapper

2017-08-05 Thread Salvatore Bonaccorso
Source: jackson-databind Version: 2.8.6-1 Severity: grave Tags: security upstream Forwarded: https://github.com/FasterXML/jackson-databind/issues/1599 Hi, the following vulnerability was published for jackson-databind. CVE-2017-7525[0]: Deserialization vulnerability via readValue method of

Bug#867712: lucene-solr: CVE-2017-3163

2017-07-08 Thread Salvatore Bonaccorso
Source: lucene-solr Version: 3.6.2+dfsg-5 Severity: important Tags: security upstream Forwarded: https://issues.apache.org/jira/browse/SOLR-10031 Hi, the following vulnerability was published for lucene-solr. CVE-2017-3163[0]: No description was found (try on a search engine) If you fix the

Bug#864898: jetty9: timing channel in Password.java

2017-06-16 Thread Salvatore Bonaccorso
Source: jetty9 Version: 9.2.21-1 Severity: important Tags: patch upstream security Forwarded: https://github.com/eclipse/jetty.project/issues/1556 Hi Due to #864631 I realize you are already aware. Filing this bug for tracking purposes since there is no CVE id yet assigned. jetty has a timing

Bug#864859: jython: CVE-2016-4000: Unsafe deserialization leads to code execution

2017-06-16 Thread Salvatore Bonaccorso
Source: jython Version: 2.5.3-1 Severity: grave Tags: security upstream patch Justification: user security hole Forwarded: http://bugs.jython.org/issue2454 Hi, the following vulnerability was published for jython. CVE-2016-4000[0]: Unsafe deserialization leads to code execution If you fix the

Bug#864447: tomcat8: CVE-2017-5664: Security constrained bypass in error page mechanism

2017-06-08 Thread Salvatore Bonaccorso
Source: tomcat8 Version: 8.5.14-1 Severity: important Tags: security patch upstream Control: found -1 8.0.14-1 Hi, the following vulnerability was published for tomcat8. CVE-2017-5664[0]: | The error page mechanism of the Java Servlet Specification requires | that, when an error occurs and an

Bug#861786: activemq: adjust CVE identifier retrospectively in debian/changelog for 5.14.3-3 upload

2017-05-03 Thread Salvatore Bonaccorso
Source: activemq Version: 5.14.3-3 Severity: minor Hi activemq maintainers, The CVE id was typoed in the 5.14.3-3 upload. To avoid confusion can you consider adjusting the reference on any next upload of activemq? The correct CVE id was CVE-2015-7559. If you have in your team policy to not

Bug#861521: libxstream-java: CVE-2017-7957

2017-04-30 Thread Salvatore Bonaccorso
Source: libxstream-java Version: 1.4.7-2 Severity: important Tags: security upstream Hi, the following vulnerability was published for libxstream-java. CVE-2017-7957[0]: | XStream through 1.4.9, when a certain denyTypes workaround is not used, | mishandles attempts to create an instance of the

Bug#860866: activemq: CVE-2015-7559: DoS in client via shutdown command

2017-04-21 Thread Salvatore Bonaccorso
Source: activemq Version: 5.6.0+dfsg1-4 Severity: important Tags: upstream patch security Forwarded: https://issues.apache.org/jira/browse/AMQ-6470 Hi, the following vulnerability was published for activemq. CVE-2015-7559[0]: DoS in client via shutdown command If you fix the vulnerability

Bug#860567: fop: CVE-2017-5661: information disclosure vulnerability

2017-04-18 Thread Salvatore Bonaccorso
Source: fop Version: 1:1.0.dfsg-1 Severity: important Tags: upstream security Hi, the following vulnerability was published for fop. CVE-2017-5661[0]: | In Apache FOP before 2.2, files lying on the filesystem of the server | which uses FOP can be revealed to arbitrary users who send maliciously

Bug#860566: batik: CVE-2017-5662: information disclosure vulnerability

2017-04-18 Thread Salvatore Bonaccorso
Source: batik Version: 1.5beta2-1 Severity: important Tags: security upstream Hi, the following vulnerability was published for batik. CVE-2017-5662[0]: | In Apache Batik before 1.9, files lying on the filesystem of the | server which uses batik can be revealed to arbitrary users who send |

Bug#860489: apache-log4j2: CVE-2017-5645: socket receiver deserialization vulnerability

2017-04-17 Thread Salvatore Bonaccorso
Source: apache-log4j2 Version: 2.0~beta9-1 Severity: grave Tags: security upstream Forwarded: https://issues.apache.org/jira/browse/LOG4J2-1863 Hi, the following vulnerability was published for apache-log4j2. CVE-2017-5645[0]: Apache Log4j socket receiver deserialization vulnerability If you

Bug#860068: Processed: Re: Bug#860068: tomcat8: CVE-2017-5647

2017-04-11 Thread Salvatore Bonaccorso
Hi, On Tue, Apr 11, 2017 at 05:24:25PM +0200, Markus Koschany wrote: > On 11.04.2017 at 17:18, Salvatore Bonaccorso wrote: > > Hi Markus, > > > > On Tue, Apr 11, 2017 at 02:18:14PM +, Debian Bug Tracking System wrote: > >> Processing control commands: > &g

Re: Processed: Re: Bug#860068: tomcat8: CVE-2017-5647

2017-04-11 Thread Salvatore Bonaccorso
Hi Markus, On Tue, Apr 11, 2017 at 02:18:14PM +, Debian Bug Tracking System wrote: > Processing control commands: > > > merge 860068 860069 860070 860071 > Bug #860068 [src:tomcat8] tomcat8: CVE-2017-5647 > Bug #860069 [src:tomcat8] tomcat8: CVE-2017-5648 > Marked as found in versions

Bug#860071: tomcat8: CVE-2017-5651

2017-04-10 Thread Salvatore Bonaccorso
Source: tomcat8 Version: 8.5.11-1 Severity: important Tags: security upstream Hi, the following vulnerability was published for tomcat8. CVE-2017-5651[0]: |The refactoring of the HTTP connectors for 8.5.x onwards, introduced a |regression in the send file processing. If the send file processing

Bug#860070: tomcat8: CVE-2017-5650

2017-04-10 Thread Salvatore Bonaccorso
Source: tomcat8 Version: 8.5.11-1 Severity: important Tags: security upstream Hi, the following vulnerability was published for tomcat8. CVE-2017-5650[0]: |The handling of an HTTP/2 GOAWAY frame for a connection did not close |streams associated with that connection that were currently waiting

Bug#860069: tomcat8: CVE-2017-5648

2017-04-10 Thread Salvatore Bonaccorso
Source: tomcat8 Version: 8.0.14-1 Severity: important Tags: upstream security Hi, the following vulnerability was published for tomcat8. CVE-2017-5648[0]: |While investigating bug 60718, it was noticed that some calls to |application listeners did not use the appropriate facade object. When

Bug#860068: tomcat8: CVE-2017-5647

2017-04-10 Thread Salvatore Bonaccorso
Source: tomcat8 Version: 8.0.14-1 Severity: important Tags: security upstream Hi, the following vulnerability was published for tomcat8. CVE-2017-5647[0] |A bug in the handling of the pipelined requests when send file was |used resulted in the pipelined request being lost when send file

Bug#857343: #857343: logback deserialization vulnerability

2017-03-28 Thread Salvatore Bonaccorso
Hi Markus, On Tue, Mar 28, 2017 at 05:51:38PM +0200, Markus Koschany wrote: > On 28.03.2017 at 10:54, Salvatore Bonaccorso wrote: > [...] > > There apparently was a mistake on triaging CVE-2017-5929. > > > > This should be: > > https://security-tracker.de

Bug#851430: CVE-2016-9571

2017-03-28 Thread Salvatore Bonaccorso
Control: retitle -1 resteasy: CVE-2016-9606 Just a heads up: apparently the CVE was double-assigned, the correct CVE turns out to be CVE-2016-9606. Cf. https://bugzilla.redhat.com/show_bug.cgi?id=1400644#c17 Regards, Salvatore __ This is the maintainer address of Debian's Java team

Bug#857343: #857343: logback deserialization vulnerability

2017-03-28 Thread Salvatore Bonaccorso
Control: retitle -1 logback: CVE-2017-5929: serialization vulnerability affecting the SocketServer and ServerSocketReceiver components Hi Markus, On Tue, Mar 28, 2017 at 09:41:30AM +0200, Markus Koschany wrote: > Hello security team, > > apparently logback < 1.2.0 is vulnerable to a

Bug#858301: libapache-poi-java: CVE-2017-5644

2017-03-20 Thread Salvatore Bonaccorso
Source: libapache-poi-java Version: 3.10.1-2 Severity: important Tags: security upstream Hi, the following vulnerability was published for libapache-poi-java. CVE-2017-5644[0]: denial-of-service If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities &

Bug#854551: Status of regression fix?

2017-02-22 Thread Salvatore Bonaccorso
Hi On Wed, Feb 22, 2017 at 12:24:05PM +0100, Nicolas Delvaux wrote: > Hi, > > Do you know when the regression fixes will be available in the security > repository? > > I understand the debdiffs were uploaded to security-master 2 days ago, > but I did not find where we can track the progress.

Bug#851304: Bug#854551: Bug#851304: tomcat8 use 100% cpu time

2017-02-20 Thread Salvatore Bonaccorso
Hi Markus, On Sat, Feb 18, 2017 at 07:53:33PM +0100, Markus Koschany wrote: > On 18.02.2017 13:21, Salvatore Bonaccorso wrote: > [...] > > No problem. Thanks for noticing, can you let us know as usual when you > > have a debdiff ready for the regression update? >

Bug#851304: tomcat8 use 100% cpu time

2017-02-18 Thread Salvatore Bonaccorso
Hi Markus, On Fri, Feb 17, 2017 at 10:19:18PM +0100, Markus Koschany wrote: > On 17.02.2017 22:09, Salvatore Bonaccorso wrote: > > Hi Markus, hi Emmanuel, > > > > On Mon, Feb 13, 2017 at 10:48:20AM +0100, Markus Koschany wrote: > >> On 13.02.2017 08:34, Moritz Mühle

Bug#854551: Bug#851304: tomcat8 use 100% cpu time

2017-02-17 Thread Salvatore Bonaccorso
Hi Markus, hi Emmanuel, On Mon, Feb 13, 2017 at 10:48:20AM +0100, Markus Koschany wrote: > On 13.02.2017 08:34, Moritz Mühlenhoff wrote: > > On Sun, Feb 12, 2017 at 09:38:31PM +0100, Markus Koschany wrote: > >> Hi, > >> > >> a bug was reported against tomcat8 and tomcat7 in Jessie and it seems >

Bug#852029: netbeans: CVE-2016-5537: Import directory traversal

2017-01-30 Thread Salvatore Bonaccorso
Hi Markus, On Tue, Jan 24, 2017 at 01:10:00AM +0100, Markus Koschany wrote: > On 23.01.2017 07:23, Salvatore Bonaccorso wrote: > > Hi Markus, > > > > Thanks for looking into the issue. > [...] > > I agree, upstream has not really provided any useful information, an

Bug#853134: svgsalamander: CVE-2017-5617

2017-01-29 Thread Salvatore Bonaccorso
Source: svgsalamander Version: 1.1.1+dfsg-1 Severity: important Tags: upstream security Forwarded: https://github.com/blackears/svgSalamander/issues/11 Hi, the following vulnerability was published for svgsalamander. CVE-2017-5617[0]: SSRF issue If you fix the vulnerability please also make

Bug#852029: netbeans: CVE-2016-5537: Import directory traversal

2017-01-22 Thread Salvatore Bonaccorso
Hi Markus, Thanks for looking into the issue. On Sun, Jan 22, 2017 at 09:28:31PM +0100, Markus Koschany wrote: > On Fri, 20 Jan 2017 21:34:16 +0100 Salvatore Bonaccorso > <car...@debian.org> wrote: > > Source: netbeans > > Version: 8.1+dfsg3-1 > > Severity: importa

Bug#852029: netbeans: CVE-2016-5537: Import directory traversal

2017-01-20 Thread Salvatore Bonaccorso
Source: netbeans Version: 8.1+dfsg3-1 Severity: important Tags: security upstream fixed-upstream Control: fixed -1 8.2+dfsg1-1 Hi, the following vulnerability was published for netbeans. CVE-2016-5537[0]: | Unspecified vulnerability in the NetBeans component in Oracle Fusion | Middleware 8.1

Bug#849167: libspring-java: CVE-2016-9878

2016-12-22 Thread Salvatore Bonaccorso
Source: libspring-java Version: 4.3.4-3 Severity: important Tags: security patch upstream Hi, the following vulnerability was published for libspring-java. CVE-2016-9878[0]: Directory Traversal in the Spring Framework ResourceServlet Interesting, is that the code in

sorry, messed up #840685 and #841655

2016-10-21 Thread Salvatore Bonaccorso
Hi Emmanuel, Sorry, messed up #840685 and #841655. Hope they should be okay again. Salvatore

reassign 840685 to src:tomcat8, closing 840685

2016-10-21 Thread Salvatore Bonaccorso
# sigh, messed the reassigned/cloned bug ... fixing reassign 840685 src:tomcat8 8.0.14-1 close 840685 8.0.38-1 thanks

Bug#840685: TOCTOU race condition in initscript on chown'ing JVM_TMP temporary directory (was: Re: Bug#840685: tomcat8: DSA-3670 incomplete)

2016-10-14 Thread Salvatore Bonaccorso
Control: severity -1 normal Control: found -1 8.0.14-1 Hi Paul, On Sat, Oct 15, 2016 at 07:25:59AM +1100, paul.sz...@sydney.edu.au wrote: > Dear Salvatore, > > > You are operating here outside of /tmp (sticky world-writable > > directory) which the above issue for the init scripts relies on, >

Bug#840685: TOCTOU race condition in initscript on chown'ing JVM_TMP temporary directory (was: Re: Bug#840685: tomcat8: DSA-3670 incomplete)

2016-10-14 Thread Salvatore Bonaccorso
Hi Paul, Markus followed already up, I just want to give some additional comments on the below: On Fri, Oct 14, 2016 at 07:07:52PM +1100, paul.sz...@sydney.edu.au wrote: > Dear Salvatore, > > > ... if the attacker created a symlink between the rm and the mkdir > > then mkdir will still fail

Bug#840685: tomcat8: DSA-3670 incomplete

2016-10-14 Thread Salvatore Bonaccorso
Hi Paul, hi Markus, On Fri, Oct 14, 2016 at 08:42:11AM +1100, paul.sz...@sydney.edu.au wrote: > Dear Markus, > > >> [ I contacted t...@security.debian.org about this, but no response ... ] > > ... Please send them to the security team > > first and not to a public mailing list. > > I did. They

Bug#840000: libapache-mod-jk: CVE-2016-6808

2016-10-07 Thread Salvatore Bonaccorso
Hi Markus, On Fri, Oct 07, 2016 at 03:21:54PM +0200, Markus Koschany wrote: > On 07.10.2016 14:15, Salvatore Bonaccorso wrote: > [...] > > > > Now whilst the affected code is back present in 1.2.0, I need some > > help understanding the actual impact for us. Accord

Bug#840000: libapache-mod-jk: CVE-2016-6808

2016-10-07 Thread Salvatore Bonaccorso
On Fri, Oct 07, 2016 at 02:15:32PM +0200, Salvatore Bonaccorso wrote: > Can you clarify if this is correct? If so we would mark the CVE as > (unimportant) and thus as well not release a DSA, and a 1:1.2.42 > upload to unstable can then mark the CVE as fixed. ... or actually (Windows

Bug#840000: libapache-mod-jk: CVE-2016-6808

2016-10-07 Thread Salvatore Bonaccorso
Control: found -1 1:1.2.37-4 Hi On Fri, Oct 07, 2016 at 01:26:00PM +0200, Salvatore Bonaccorso wrote: > Source: libapache-mod-jk > Version: 1:1.2.41-1 > Severity: important > Tags: security upstream patch > > Hi, > > the following vulnerability was published for libapac

Bug#840000: libapache-mod-jk: CVE-2016-6808

2016-10-07 Thread Salvatore Bonaccorso
Source: libapache-mod-jk Version: 1:1.2.41-1 Severity: important Tags: security upstream patch Hi, the following vulnerability was published for libapache-mod-jk. CVE-2016-6808[0]: buffer overflow If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities &

Bug#838600: undertow: CVE-2016-7046: Long URL proxy request lead to java.nio.BufferOverflowException and DoS

2016-09-22 Thread Salvatore Bonaccorso
Source: undertow Version: 1.4.1-1 Severity: important Tags: security upstream Hi, the following vulnerability was published for undertow. CVE-2016-7046[0]: Long URL proxy request lead to java.nio.BufferOverflowException and DoS If you fix the vulnerability please also make sure to include the

Bug#838204: jackrabbit: CVE-2016-6801: CSRF in Jackrabbit-Webdav using empty content-type

2016-09-18 Thread Salvatore Bonaccorso
Source: jackrabbit Version: 2.3.6-1 Severity: important Tags: security upstream fixed-upstream Hi, the following vulnerability was published for jackrabbit. CVE-2016-6801[0]: CSRF in Jackrabbit-Webdav using empty content-type For the 2.12.x this has been fixed upstream in 2.12.3, cf. [1], and

Bug#827620: netty: CVE-2016-4970: Infinite loop vulnerability when handling renegotiation using SslProvider.OpenSsl

2016-06-20 Thread Salvatore Bonaccorso
Hi Emmanuel, On Mon, Jun 20, 2016 at 10:07:04AM +0200, Emmanuel Bourg wrote: > On 19/06/2016 at 00:18, tony mancill wrote: > > > I haven't seen any information as to whether this vulnerability also > > affects the version in stable, 3.2.6. > > I don't think Jessie is affected, the vulnerable

Bug#827620: netty: CVE-2016-4970: Infinite loop vulnerability when handling renegotiation using SslProvider.OpenSsl

2016-06-18 Thread Salvatore Bonaccorso
Source: netty Version: 1:4.0.36-2 Severity: important Tags: security upstream Hi, the following vulnerability was published for netty. Can you please double-check this issue? According to upstream all versions 4.0.0.Final - 4.0.36.Final and 4.1.0.Final would be affected, and fixed in

Bug#819455: libxstream-java: CVE-2016-3674: XXE vulnerability

2016-03-28 Thread Salvatore Bonaccorso
Source: libxstream-java Version: 1.4.2-1 Severity: important Tags: security upstream fixed-upstream Forwarded: https://github.com/x-stream/xstream/issues/25 Hi, the following vulnerability was published for libxstream-java. CVE-2016-3674[0]: XXE vulnerability If you fix the vulnerability

Bug#809733: activemq: CVE-2015-5254: unsafe deserialization

2016-01-03 Thread Salvatore Bonaccorso
Source: activemq Version: 5.6.0+dfsg-1 Severity: grave Tags: security upstream fixed-upstream Hi, the following vulnerability was published for activemq. I'm not very familiar with activemq itself, so I'm reporting this with initial severity grave, but let me know if you disagree.

Bug#797275: jsoup: CVE-2015-6748: XSS vulnerability in jsoup related to incomplete tags at EOF

2015-08-28 Thread Salvatore Bonaccorso
Source: jsoup Version: 1.6.2-1 Severity: important Tags: security upstream patch fixed-upstream Hi, the following vulnerability was published for jsoup. CVE-2015-6748[0]: XSS vulnerability in jsoup related to incomplete tags at EOF If you fix the vulnerability please also make sure to include

Bug#792857: CVE-2014-3576

2015-08-14 Thread Salvatore Bonaccorso
Hi Emmanuel, On Wed, Jul 22, 2015 at 03:24:45PM +0200, Emmanuel Bourg wrote: The fix has been confirmed by an upstream developer: http://mail-archives.apache.org/mod_mbox/activemq-dev/201507.mbox/%3CCAKChZ-TruL3Sm3GW9B3Nr1L3fsxDH_X95rGhm85rfXh9_zVJfg%40mail.gmail.com%3E Any news on an update

Bug#792857: CVE-2014-3576

2015-08-14 Thread Salvatore Bonaccorso
Hi Emmanuel, On Fri, Aug 14, 2015 at 11:50:18AM +0200, Emmanuel Bourg wrote: On 14/08/2015 11:42, Salvatore Bonaccorso wrote: Any news on an update for sid-stretch as well? I can't do it before the end of the month. I'll combine the fix with an update to the version 2.7. I see. I

Bug#792617: elasticsearch: CVE-2015-5377 CVE-2015-5531

2015-07-16 Thread Salvatore Bonaccorso
Source: elasticsearch Version: 1.0.3+dfsg-5 Severity: grave Tags: security upstream fixed-upstream Justification: user security hole Hi, the following vulnerabilities were published for elasticsearch. Reporting them right now as severity grave since some details are missing so feel free to

Bug#791957: apache-directory-api: CVE-2015-3250

2015-07-09 Thread Salvatore Bonaccorso
Source: apache-directory-api Version: 1.0.0~M20-1 Severity: important Tags: security upstream fixed-upstream Hi Emmanuel, the following vulnerability was published for apache-directory-api, filing a bug in the BTS to have it documented. AFAICS not much information but it is fixed in new upstream

Bug#788471: elasticsearch: CVE-2015-4165: unspecified arbitrary files modification vulnerability

2015-06-20 Thread Salvatore Bonaccorso
Hi Hilko On Fri, Jun 12, 2015 at 01:45:15PM +0200, Salvatore Bonaccorso wrote: Hi Hilko, On Fri, Jun 12, 2015 at 01:30:28PM +0200, Hilko Bengen wrote: Control: tags -1 moreinfo * Salvatore Bonaccorso: Source: elasticsearch Version: 1.0.3+dfsg-5 Severity: grave Tags

Bug#788471: elasticsearch: CVE-2015-4165: unspecified arbitrary files modification vulnerability

2015-06-12 Thread Salvatore Bonaccorso
Hi Hilko, On Fri, Jun 12, 2015 at 01:30:28PM +0200, Hilko Bengen wrote: Control: tags -1 moreinfo * Salvatore Bonaccorso: Source: elasticsearch Version: 1.0.3+dfsg-5 Severity: grave Tags: security upstream fixed-upstream Where exactly has it been fixed upstream? A git commit id

Bug#788471: elasticsearch: CVE-2015-4165: unspecified arbitrary files modification vulnerability

2015-06-11 Thread Salvatore Bonaccorso
Source: elasticsearch Version: 1.0.3+dfsg-5 Severity: grave Tags: security upstream fixed-upstream Hi, the following vulnerability was published for elasticsearch. Unfortunately the available information is a bit sparse, thus filing with initial severity grave. CVE-2015-4165[0]: unspecified

Bug#780897: batik: CVE-2015-0250

2015-03-22 Thread Salvatore Bonaccorso
Hi Tony, On Sat, Mar 21, 2015 at 04:31:38PM -0700, tony mancill wrote: On 03/21/2015 12:07 AM, Salvatore Bonaccorso wrote: Source: batik Version: 1.7-1 Severity: important Tags: security upstream Hi, the following vulnerability was published for batik. CVE-2015-0250[0

Bug#780897: batik: CVE-2015-0250

2015-03-21 Thread Salvatore Bonaccorso
Source: batik Version: 1.7-1 Severity: important Tags: security upstream Hi, the following vulnerability was published for batik. CVE-2015-0250[0]: information disclosure If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities Exposures) id in your

Bug#780383: libopensaml2-java: CVE-2015-1796

2015-03-13 Thread Salvatore Bonaccorso
Source: libopensaml2-java Version: 2.6.2-1 Severity: grave Tags: security upstream fixed-upstream Hi, the following vulnerability was published for libopensaml2-java. Note that I don't know libopensaml2-java well enough, so could you assess if this affects Debian as well, and if the severity is

Bug#780383: libopensaml2-java: CVE-2015-1796

2015-03-13 Thread Salvatore Bonaccorso
Hi Emmanuel, Thanks for the quick feedback. On Fri, Mar 13, 2015 at 10:42:41AM +0100, Emmanuel Bourg wrote: Hi Salvatore, Thank you for the report. Looking at the commit r1680 mentioned on the security tracker I fail to see how it addresses the vulnerability described. I suspect this is

Bug#777079: jython: CVE-2013-2027

2015-02-04 Thread Salvatore Bonaccorso
Source: jython Version: 2.5.2-1 Severity: important Tags: security upstream Hi Several issues were mentioned in Red Hat Bugzilla at [0] referencing the issue which creates executables class files with wrong permissions with CVE-2013-2027. At least it seems present in the Debian package that the

Bug#770544: resteasy: CVE-2014-7839: External entities expanded by DocumentProvider

2014-11-22 Thread Salvatore Bonaccorso
Source: resteasy Version: 3.0.6-1 Severity: grave Tags: security upstream Hi, the following vulnerability was published for resteasy. I have chosen severity grave due to what is described in Red Hat's bugzilla about the issue, but I don't know jboss/resteasy/... well enough, so feel free to

Bug#767541: jenkins: CVE-2014-3665

2014-10-31 Thread Salvatore Bonaccorso
Source: jenkins Severity: important Tags: security upstream Hi, See [1] and [2] for details on CVE-2014-3665. [1] https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-10-30 [2] https://wiki.jenkins-ci.org/display/JENKINS/Slave+To+Master+Access+Control Regards,

Bug#753470: libspring-java: CVE-2014-0225

2014-09-06 Thread Salvatore Bonaccorso
Hi Tony, On Sat, Sep 06, 2014 at 08:50:24AM -0700, tony mancill wrote: On Wed, 02 Jul 2014 10:36:55 +0200 Moritz Muehlenhoff j...@inutil.org wrote: Package: libspring-java Severity: grave Tags: security Justification: user security hole Hi, please see

Bug#759736: elasticsearch: CVE-2014-3120

2014-08-29 Thread Salvatore Bonaccorso
Source: elasticsearch Severity: grave Tags: security upstream fixed-upstream Hi Hilko, I see elasticsearch entered unstable now. Some time ago the following vulnerability was published for elasticsearch. CVE-2014-3120[0]: | The default configuration in Elasticsearch before 1.2 enables dynamic |

Bug#758086: CVE-2012-6153: Apache HttpComponents client: Hostname verification susceptible to MITM attack

2014-08-18 Thread Salvatore Bonaccorso
Hi Emmanuel, On Thu, Aug 14, 2014 at 11:43:32PM +0200, Emmanuel Bourg wrote: Hi Henri, Thank you for the report. Is there an example available somewhere of a subject improperly parsed by commons-httpclient/3.1-10.2? This would help backporting the fix to this version. I think this is

Bug#742577: libxalan2-java: CVE-2014-0107: Xalan-Java insufficient secure processing

2014-03-24 Thread Salvatore Bonaccorso
Source: libxalan2-java Severity: grave Tags: security upstream fixed-upstream Hi, the following vulnerability was published for libxalan2-java, could you please verify. CVE-2014-0107[0]: Xalan-Java insufficient secure processing If you fix the vulnerability please also make sure to include the

Bug#739067: jenkins: multiple security vulnerabilities

2014-02-20 Thread Salvatore Bonaccorso
Hi, On Sun, Feb 16, 2014 at 01:45:49AM +0900, Nobuhiro Ban wrote: Package: jenkins Version: 1.509.2+dfsg-2 Severity: grave Tags: security Dear Maintainer, The upstream vendor announced a security advisory. In this advisory, some vulnerabilities are rated high severity.

Bug#734821: libxstream-java: CVE-2013-7285: remote code execution via deserialization in XStream

2014-01-09 Thread Salvatore Bonaccorso
Package: libxstream-java Severity: grave Tags: security upstream Hi, the following vulnerability was published for libxstream-java. CVE-2013-7285[0]: remote code execution via deserialization in XStream See also [1] for the original report. [3] contains an initial patch which was committed. If

Re: Problems when building binary package of libcommons-fileupload-java under wheezy

2013-12-22 Thread Salvatore Bonaccorso
Hi Emmanuel, hi Debian Java Maintainers, On Sat, Dec 21, 2013 at 09:30:49PM +0100, Emmanuel Bourg wrote: On 21/12/2013 19:24, Salvatore Bonaccorso wrote: Thanks, this indeed seems to make it better. I have uploaded the resulting preliminary packages to [1]. If you have time in the coming

Problems when building binary package of libcommons-fileupload-java under wheezy

2013-12-21 Thread Salvatore Bonaccorso
to Marc Deslauriers marc.deslauri...@ubuntu.com (Closes: #726601) + + -- Salvatore Bonaccorso car...@debian.org Sat, 21 Dec 2013 11:12:53 +0100 + libcommons-fileupload-java (1.2.2-1) unstable; urgency=low * New upstream release. diff -Nru libcommons-fileupload-java-1.2.2/debian/patches/CVE-2013

Re: Problems when building binary package of libcommons-fileupload-java under wheezy

2013-12-21 Thread Salvatore Bonaccorso
Hi Emmanuel, On Sat, Dec 21, 2013 at 05:58:33PM +0100, Emmanuel Bourg wrote: On 21/12/2013 16:02, Salvatore Bonaccorso wrote: Any idea what is happening? Hi Salvatore, I can't check in detail now, but the --java-lib flag is probably missing from the debian/libcommons-fileupload

Bug#720375: libxml-security-java: CVE-2013-2172

2013-08-21 Thread Salvatore Bonaccorso
Package: libxml-security-java Severity: grave Tags: security patch upstream fixed-upstream Hi, the following vulnerability was published for libxml-security-java. CVE-2013-2172[0]: Java XML Signature spoofing attack If you fix the vulnerability please also make sure to include the CVE (Common

Bug#697617: jenkins: remote code execution vulnerability

2013-03-01 Thread Salvatore Bonaccorso
Hi On Tue, Jan 08, 2013 at 02:06:39AM +0900, Nobuhiro Ban wrote: Package: jenkins Version: 1.447.2+dfsg-2 Severity: grave Tags: security Dear Maintainer, The upstream vendor announced a security advisory, that is rated critical severity. See:

Bug#700761: jenkins: multiple security vulnerabilities

2013-02-20 Thread Salvatore Bonaccorso
Hi, The following CVEs were assigned now to it[1]. Could you please include the CVE identifiers when fixing the package. [1]: http://marc.info/?l=oss-securitym=136142857313675w=2 CVE-2013-0327 CVE-2013-0328 CVE-2013-0329 CVE-2013-0330 CVE-2013-0331