ganymed-ssh2 250-3 MIGRATED to testing

2018-01-08 Thread Debian testing watch
FYI: The status of the ganymed-ssh2 source package
in Debian's testing distribution has changed.

  Previous version: 250-2
  Current version:  250-3

-- 
This email is automatically generated once a day.  As the installation of
new packages into testing happens multiple times a day you will receive
later changes on the next day.
See https://release.debian.org/testing-watch/ for more information.

--
This is the maintainer address of Debian's Java team.
Please use debian-j...@lists.debian.org for discussions and questions.


Bug#885577: libhibernate-validator-java: CVE-2017-7536: Privilege escalation when running under the security manager

2018-01-08 Thread Markus Koschany
Hi,

On 08.01.2018 at 17:44, Salvatore Bonaccorso wrote:
[...]
> So the patched files exist, and similar code flow is present.
> 
> I explicitly have not looked (yet) at 4.0.2.GA which is in jessie (and
> wheezy), just the 4.3.3 based versions in stable and unstable yet.
> 
> What do you miss?

Oh, I was somehow under the impression all versions were the same. The
getAccessible method is not present in Wheezy/Jessie hence my
conclusion. The version in stable/unstable looks to me like we could
apply the patch.

Regards,

Markus




Bug#885577: libhibernate-validator-java: CVE-2017-7536: Privilege escalation when running under the security manager

2018-01-08 Thread Markus Koschany
On 08.01.2018 at 13:32, Abhijith PA wrote:
> Hello. :)
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=1465573#c24 says it affects
> all 5.x versions. But Debian hasn't shipped this version yet. And the
> upstream patched files don't exist in 4.3.3 (version in Debian sid).
> So could you please elaborate on how your research finds 4.3.3 affected?

Hello,

I also had a look at this bug yesterday and I came to the same
conclusion. The upstream patch doesn't work for the 4.x branch. I am not
sure if we are affected at all.

Regards,

Markus




Bug#885577: libhibernate-validator-java: CVE-2017-7536: Privilege escalation when running under the security manager

2018-01-08 Thread Salvatore Bonaccorso
Hey!

On Mon, Jan 08, 2018 at 06:03:48PM +0100, Markus Koschany wrote:
> Hi,
> 
> On 08.01.2018 at 17:44, Salvatore Bonaccorso wrote:
> [...]
> > So the patched files exist, and similar code flow is present.
> > 
> > I explicitly have not looked (yet) at 4.0.2.GA which is in jessie (and
> > wheezy), just the 4.3.3 based versions in stable and unstable yet.
> > 
> > What do you miss?
> 
> Oh, I was somehow under the impression all versions were the same. The
> getAccessible method is not present in Wheezy/Jessie hence my
> conclusion. The version in stable/unstable looks to me like we could
> apply the patch.

Ok, thanks a lot for double checking. Again, I'm not sure how pressing
the issue is, I'm deferring a DSA/no-DSA decision to one of my
teammates. Privilege escalation rings some bells obviously.

For older versions than 4.3.3, am I right that then the issue is only
introduced in ab21ca98fd7814bd014e7d8e03de8640f2529352, "HV-912 Not
exposing accessible-made members", which is in 4.3.2.Final~3 or is it
more just uncovered there?

Regards,
Salvatore



tests.reproducible-builds.org/debian status changes for libxbean-java

2018-01-08 Thread Reproducible builds folks
2018-01-08 23:04 
https://tests.reproducible-builds.org/debian/unstable/amd64/libxbean-java 
changed from FTBFS -> unreproducible



libj2ssh-java 0.2.9-5 MIGRATED to testing

2018-01-08 Thread Debian testing watch
FYI: The status of the libj2ssh-java source package
in Debian's testing distribution has changed.

  Previous version: 0.2.9-4
  Current version:  0.2.9-5

-- 
This email is automatically generated once a day.  As the installation of
new packages into testing happens multiple times a day you will receive
later changes on the next day.
See https://release.debian.org/testing-watch/ for more information.



Bug#885577: libhibernate-validator-java: CVE-2017-7536: Privilege escalation when running under the security manager

2018-01-08 Thread Abhijith PA
Hello. :)

https://bugzilla.redhat.com/show_bug.cgi?id=1465573#c24 says it affects
all 5.x versions. But Debian hasn't shipped this version yet. And the
upstream patched files don't exist in 4.3.3 (version in Debian sid).
So could you please elaborate on how your research finds 4.3.3 affected?


--
Abhijith



Bug#885577: libhibernate-validator-java: CVE-2017-7536: Privilege escalation when running under the security manager

2018-01-08 Thread Salvatore Bonaccorso
Hi Abhijith, hi Markus
On Mon, Jan 08, 2018 at 04:01:17PM +0100, Markus Koschany wrote:
> On 08.01.2018 at 13:32, Abhijith PA wrote:
> > Hello. :)
> > 
> > https://bugzilla.redhat.com/show_bug.cgi?id=1465573#c24 says it affects
> > all 5.x versions. But Debian hasn't shipped this version yet. And the
> > upstream patched files don't exist in 4.3.3 (version in Debian sid).
> > So could you please elaborate on how your research finds 4.3.3 affected?
> 
> Hello,
> 
> I also had a look at this bug yesterday and I came to the same
> conclusion. The upstream patch doesn't work for the 4.x branch. I am not
> sure if we are affected at all.

First, take my initial post with the note I have written there. I'm
not too familiar with libhibernate-java, and did the following
inspection. The upstream patch is

https://github.com/hibernate/hibernate-validator/commit/0ed45f37c4680998167179e631113a2c9cb5d113

which, as you noted, is in the 5.x branch. Looking at 4.3.3-3 in
unstable, the above touches private Member getAccessible, which is
found in
engine/src/main/java/org/hibernate/validator/internal/engine/ValidatorImpl.java.

This code is found in unstable

engine/src/main/java/org/hibernate/validator/internal/engine/ValidatorImpl.java

1418     private Member getAccessible(Member original) {
1419         if ( ( (AccessibleObject) original ).isAccessible() ) {
1420             return original;
1421         }
1422
1423         Member member = accessibleMembers.get( original );
1424
1425         if ( member != null ) {
1426             return member;
1427         }
1428
1429         Class clazz = original.getDeclaringClass();

From my understanding, before continuing in 1429, upstream added in the
5.x branch a call to SecurityManager sm = System.getSecurityManager();,
doing the permission check (note that this has been newly added as a
file as well in the 5.x branch), and then continues.

In GetDeclaredField.java, in GetDeclaredField:

    @Override
    public Field run() {
        try {
            final Field field = clazz.getDeclaredField( fieldName );
            field.setAccessible( true );
            return field;
        }
        catch ( NoSuchFieldException e ) {
            return null;
        }
    }

So the patched files exist, and similar code flow is present.

I explicitly have not looked (yet) at 4.0.2.GA which is in jessie (and
wheezy), just the 4.3.3 based versions in stable and unstable yet.

What do you miss?

Regards,
Salvatore
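
The pattern Salvatore describes above, as an added illustration (not Hibernate Validator's code, not the upstream commit and not a Debian patch): a PrivilegedAction that calls setAccessible(true), shown once without and once with a SecurityManager check placed before the privileged block. Class names (AccessibleMemberDemo, Account) are hypothetical, the permission checked (the JDK's ReflectPermission "suppressAccessChecks") is an assumption standing in for whatever permission the upstream fix consults, and the code targets the Java 8 SecurityManager API of the era (deprecated since Java 17).

```java
import java.lang.reflect.Field;
import java.lang.reflect.ReflectPermission;
import java.security.AccessController;
import java.security.PrivilegedAction;

// Hypothetical class written for this illustration; not project code.
public class AccessibleMemberDemo {

    // Weak form. setAccessible(true) runs inside doPrivileged, so the
    // permission walk stops at this frame and only the library's own
    // ProtectionDomain is consulted. A caller that lacks
    // suppressAccessChecks still gets the private field opened for it,
    // which is the class of problem the thread is discussing.
    static Field getAccessibleUnchecked(final Class<?> clazz, final String fieldName) {
        return AccessController.doPrivileged(new PrivilegedAction<Field>() {
            @Override
            public Field run() {
                try {
                    Field field = clazz.getDeclaredField(fieldName);
                    field.setAccessible(true);
                    return field;
                } catch (NoSuchFieldException e) {
                    return null;
                }
            }
        });
    }

    // Hardened form. Ask the SecurityManager in the caller's context first.
    // checkPermission here walks the full stack, so if any caller frame
    // lacks the permission a SecurityException is thrown before any
    // privilege is asserted on the caller's behalf.
    static Field getAccessibleChecked(final Class<?> clazz, final String fieldName) {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            // Assumed permission: what setAccessible(true) itself demands.
            // The real project may define and check its own permission.
            sm.checkPermission(new ReflectPermission("suppressAccessChecks"));
        }
        return getAccessibleUnchecked(clazz, fieldName);
    }

    // Constructed sample bean with a private member.
    static class Account {
        private String secret = "not-for-callers";
    }

    public static void main(String[] args) throws Exception {
        // With no SecurityManager installed both paths succeed; the
        // difference only shows under a policy that withholds
        // suppressAccessChecks from the caller, where the checked form
        // throws SecurityException and the unchecked form does not.
        Field f = getAccessibleChecked(Account.class, "secret");
        System.out.println("field opened: " + f.getName() + " -> " + f.get(new Account()));
    }
}
```

The ordering is the whole point: a check inside the PrivilegedAction would be evaluated against the library's privileges rather than the caller's, so the guard has to run before doPrivileged is entered.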
