Bug#815137: Release 56.1 Is Available

2016-02-19 Thread 殷啟聰
Source: icu4j
Version: 4.2.1.1-3
Severity: wishlist

The Android Frameworks for developing Android applications depends on
icu4j-56; please update this source package to at least 56. Better to
avoid creating another libicu4j-56-java :(

Would be better if it is migrated to Git.

__
This is the maintainer address of Debian's Java team
. 
Please use
debian-j...@lists.debian.org for discussions and questions.


Processing of maven-debian-helper_2.0.5_amd64.changes

2016-02-19 Thread Debian FTP Masters
maven-debian-helper_2.0.5_amd64.changes uploaded successfully to localhost
along with the files:
  maven-debian-helper_2.0.5.dsc
  maven-debian-helper_2.0.5.tar.xz
  maven-debian-helper_2.0.5_all.deb

Greetings,

Your Debian queue daemon (running on host franck.debian.org)



maven-debian-helper_2.0.5_amd64.changes ACCEPTED into unstable

2016-02-19 Thread Debian FTP Masters


Accepted:

Format: 1.8
Date: Fri, 19 Feb 2016 12:07:43 +0100
Source: maven-debian-helper
Binary: maven-debian-helper
Architecture: source all
Version: 2.0.5
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers 

Changed-By: Emmanuel Bourg 
Description:
 maven-debian-helper - Helper tools for building Debian packages with Maven
Changes:
 maven-debian-helper (2.0.5) unstable; urgency=medium
 .
   * Team upload.
   * Standards-Version updated to 3.9.7 (no changes)
   * The generated control file now specifies Standards-Version: 3.9.7
   * Use a secure Vcs-Git URL in the generated control file
   * Updated debian/copyright


Thank you for your contribution to Debian.



Bug#700610: Fwd: bsh (BeanShell) security vulnerability (CVE-2016-2510)

2016-02-19 Thread Stian Soiland-Reyes
-- Forwarded message --
From: Stian Soiland-Reyes 
Date: 19 February 2016 at 12:10
Subject: bsh (BeanShell) security vulnerability (CVE-2016-2510)
To: t...@security.debian.org, debian-j...@lists.debian.org


Hi,

BeanShell aka bsh has released a security fix 2.0b6:

https://github.com/beanshell/beanshell/releases/tag/2.0b6

It has been reported to MITRE as CVE-2016-2510.


This might be a good time to address
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700610

and update sid to use the new upstream home of
https://github.com/beanshell/beanshell
(transitioned from apache-extras)


Note that since 2.0b5 the license has changed to Apache License.

2.0b5 should be functionally equivalent to 2.0b4 except the license change.


If you want to backport only the security fix for 2.0b4 jessie, see
https://github.com/beanshell/beanshell/commits/2.0b6

specifically these two commits:

https://github.com/beanshell/beanshell/commit/7c68fde2d6fc65e362f20863d868c112a90a9b49

https://github.com/beanshell/beanshell/commit/1ccc66bb693d4e46a34a904db8eeff07808d2ced


--
Stian Soiland-Reyes
Apache Taverna (incubating), Apache Commons RDF (incubating)
http://orcid.org/-0001-9842-9718




Bug#700610: bsh (BeanShell) security vulnerability (CVE-2016-2510)

2016-02-19 Thread Emmanuel Bourg
Hi Stian,

Thank you for the notice. Technically this isn't a vulnerability in bsh
though, the issue is any application deserializing untrusted data
without sanitizing it and having bsh on the classpath. I'm not aware of
such applications in Debian, but if there is one it should be fixed in
priority instead of playing whac-a-mole with the serialization code in
the 800+ Java libraries in Debian.

Regarding your fork on GitHub, did you get the authorization from the
original author (Patrick Niemeyer) to change the license from LGPL-2 to
Apache-2.0? Also why was the Maven groupId changed from org.beanshell to
org.apache-extras.beanshell?

Emmanuel Bourg



Processing of plexus-bsh-factory_1.0~alpha7-3.1_amd64.changes

2016-02-19 Thread Debian FTP Masters
plexus-bsh-factory_1.0~alpha7-3.1_amd64.changes uploaded successfully to 
localhost
along with the files:
  plexus-bsh-factory_1.0~alpha7-3.1.dsc
  plexus-bsh-factory_1.0~alpha7-3.1.debian.tar.xz
  libplexus-bsh-factory-java_1.0~alpha7-3.1_all.deb

Greetings,

Your Debian queue daemon (running on host franck.debian.org)



Bug#700610: bsh (BeanShell) security vulnerability (CVE-2016-2510)

2016-02-19 Thread Stian Soiland-Reyes
Hi, thanks. I agree that this is a general Java issue in any
application using serialization - the vulnerability attack vector
would just move to less common libraries (we point this out in the
release notes).
Also I must admit for me it was a bit confusing at first to learn
about how a scripting language could be used to run arbitrary code -
well that's the point! :-)  However the issue could arise just by
having bsh.jar on the classpath and doing any other kind of
deserialization from files or the network.


Patrick Niemeyer (CC) did the license change as part of the code
donation to ASF:
https://github.com/beanshell/beanshell/commit/8bac4930744cc62134125263b3e61ef04e296c80

Pat is also part of the https://github.com/beanshell team.

I've added a brief History section to
https://github.com/beanshell/beanshell#history - perhaps Pat wants to
review that :)



We changed the groupId for 2.0b5 as it was unclear at the time what
was the relationship with beanshell.org, and beanshell.org also
had an existing 2.0b5 release under LGPL.

Since Google Code shut down, http://apache-extras.org/ as a domain name
has become a bit meaningless, so now org.apache-extras.beanshell is
not a good groupId.

We could probably change the groupId back to org.beanshell and as a
GitHub project take over management of the http://beanshell.org/
website - but there's a bit of legacy to maintain there (e.g. older
releases and Beanshell 1) - so that's up to Pat to decide - perhaps
just a banner pointing to the GitHub page would be enough?

I've added https://github.com/beanshell/beanshell/issues/17 to discuss this.

There is also the fork https://github.com/pejobo/beanshell2 - but
pejobo has also joined https://github.com/beanshell so hopefully his
patches there would move across. (They have to be recontributed by the
original authors as beanshell2 was LGPL)

On 19 February 2016 at 13:32, Emmanuel Bourg  wrote:
> Hi Stian,
>
> Thank you for the notice. Technically this isn't a vulnerability in bsh
> though, the issue is any application deserializing untrusted data
> without sanitizing it and having bsh on the classpath. I'm not aware of
> such applications in Debian, but if there is one it should be fixed in
> priority instead of playing whac-a-mole with the serialization code in
> the 800+ Java libraries in Debian.
>
> Regarding your fork on GitHub, did you get the authorization from the
> original author (Patrick Niemeyer) to change the license from LGPL-2 to
> Apache-2.0? Also why was the Maven groupId changed from org.beanshell to
> org.apache-extras.beanshell?
>
> Emmanuel Bourg
>
> --
> To unsubscribe, send mail to 700610-unsubscr...@bugs.debian.org.



-- 
Stian Soiland-Reyes
Apache Taverna (incubating), Apache Commons RDF (incubating)
http://orcid.org/-0001-9842-9718



plexus-bsh-factory_1.0~alpha7-3.1_amd64.changes ACCEPTED into unstable

2016-02-19 Thread Debian FTP Masters


Accepted:

Format: 1.8
Date: Fri, 19 Feb 2016 16:57:41 +0100
Source: plexus-bsh-factory
Binary: libplexus-bsh-factory-java
Architecture: source all
Version: 1.0~alpha7-3.1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers 

Changed-By: Emmanuel Bourg 
Description:
 libplexus-bsh-factory-java - Plexus Beanshell Factory
Changes:
 plexus-bsh-factory (1.0~alpha7-3.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Build with maven-debian-helper
   * Depend on libbsh-java instead of bsh
   * Moved the package to Git
   * Standards-Version updated to 3.9.7 (no changes)
   * Switch to debhelper level 9
   * Converted debian/copyright to the Copyright Format 1.0


Thank you for your contribution to Debian.



libglazedlists-java 1.9.0+dfsg-2 MIGRATED to testing

2016-02-19 Thread Debian testing watch
FYI: The status of the libglazedlists-java source package
in Debian's testing distribution has changed.

  Previous version: 1.9.0+dfsg-1
  Current version:  1.9.0+dfsg-2

-- 
This email is automatically generated once a day.  As the installation of
new packages into testing happens multiple times a day you will receive
later changes on the next day.
See https://release.debian.org/testing-watch/ for more information.



reproducible.debian.net status changes for robocode

2016-02-19 Thread Reproducible builds folks
2016-02-19 21:07 https://tests.reproducible-builds.org/unstable/amd64/robocode 
changed from reproducible -> FTBFS



Processing of xmlbeans_2.6.0-4_amd64.changes

2016-02-19 Thread Debian FTP Masters
xmlbeans_2.6.0-4_amd64.changes uploaded successfully to localhost
along with the files:
  xmlbeans_2.6.0-4.dsc
  xmlbeans_2.6.0-4.debian.tar.xz
  libxmlbeans-java_2.6.0-4_all.deb
  xmlbeans_2.6.0-4_all.deb

Greetings,

Your Debian queue daemon (running on host franck.debian.org)



xmlbeans_2.6.0-4_amd64.changes ACCEPTED into unstable

2016-02-19 Thread Debian FTP Masters


Accepted:

Format: 1.8
Date: Sat, 20 Feb 2016 08:49:20 +0200
Source: xmlbeans
Binary: libxmlbeans-java xmlbeans
Architecture: source all
Version: 2.6.0-4
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers 

Changed-By: Eugene Zhukov 
Description:
 libxmlbeans-java - Java library for accessing XML by binding it to Java types
 xmlbeans   - Java library for accessing XML by binding it to Java types - tool
Changes:
 xmlbeans (2.6.0-4) unstable; urgency=medium
 .
   * Team upload
   * Add patch to build with Saxon-HE instead of Saxon-B
   * d/control: use https for Vcs-Browser uri


Thank you for your contribution to Debian.
