Bug#632882: CVE-2011-2204

2011-07-06 Thread Moritz Muehlenhoff
Package: tomcat6 Severity: grave Tags: security (Also applies to Tomcat 5.5 and Tomcat 6) Please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2204 This doesn't warrant a DSA, but could be fixed through a point update. Cheers, Moritz -- System Information: Debian Release:

Bug#632882: CVE-2011-2204

2011-07-18 Thread Moritz Muehlenhoff
On Wed, Jul 06, 2011 at 09:49:17PM -0700, tony mancill wrote: Hello Moritz, Thank you for filing the bug. I've uploaded an updated tomcat6 package for unstable and will get the patch applied for the next tomcat7 upload soon. I'll also look into an upload of 6.0.28 for stable proposed

Bug#634992: CVE-2011-2526: Restriction bypass

2011-07-21 Thread Moritz Muehlenhoff
Package: tomcat7 Severity: grave Tags: security Please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2526 http://tomcat.apache.org/security-7.html The same applies to Tomcat 6 and Tomcat 5.5 Cheers, Moritz __ This is the maintainer address of Debian's Java team

Bug#611130: CVE-2010-2087

2011-08-24 Thread Moritz Muehlenhoff
On Tue, Aug 23, 2011 at 08:12:51PM -0430, Miguel Landaeta wrote: On Mon, Jul 25, 2011 at 02:05:01PM +0200, Moritz Mühlenhoff wrote: What's the result? Upstream is totally unresponsive about this issue. I have reviewed changelog of subsequent releases and this doesn't seem to be fixed.

Bug#645881: critical update 29 available

2011-10-21 Thread Moritz Muehlenhoff
On Wed, Oct 19, 2011 at 06:20:12PM +0200, Torsten Werner wrote: Hi Philipp, On 19.10.2011 16:33, Philipp Kern wrote: Or it's the removal of the package. we should remove sun-java5 from oldstable, too, if we are going to remove sun-java6 from (old)stable. But I do not have a strong

Bug#582146: /usr/lib/jvm/java-6-sun-1.6.0.20/jre/lib/i386/libnpjp2.so: browser plugin reporting of system fonts is a privacy leak

2010-05-26 Thread Moritz Muehlenhoff
severity 582146 important thanks On Tue, May 18, 2010 at 07:06:31PM +0200, Thiemo Nagel wrote: Package: sun-java6-bin Version: 6.20-dlj-1 Severity: grave File: /usr/lib/jvm/java-6-sun-1.6.0.20/jre/lib/i386/libnpjp2.so Tags: security Justification: user security hole Reporting of system

Bug#587447: CVE-2010-1157

2010-06-28 Thread Moritz Muehlenhoff
Package: tomcat6 Severity: important Tags: security Dear Tomcat maintainers, AFAICS CVE-2010-1157 is still unfixed in sid: http://tomcat.apache.org/security-6.html We don't need to update Lenny, since the security impact is marginal. If you want to have it fixed in stable, you can still fix it

Bug#588813: CVE-2010-2227: DoS and information disclosure

2010-07-12 Thread Moritz Muehlenhoff
Package: tomcat6 Severity: grave Tags: security Justification: user security hole Please see http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.28 Important: Remote Denial Of Service and Information Disclosure Vulnerability CVE-2010-2227 Several flaws in the handling of the

Bug#572982: azureus: Multiple license issues.

2010-10-08 Thread Moritz Muehlenhoff
On Thu, Jun 03, 2010 at 01:36:37PM -0400, Pablo Duboue wrote: At debian-java we're pretty happy with the exception and we didn't feel the need to run it through -legal. I haven't had time to make an upload with the exception documented in the debian/ folder so the bug it is still open (but the

Bug#600259: sun-java6: Multiple security issues

2010-10-15 Thread Moritz Muehlenhoff
Package: sun-java6 Severity: grave Tags: security Justification: user security hole Oracle has fixed several Java security issues, which also need to be fixed in sid: http://www.oracle.com/technetwork/topics/security/javacpuoct2010-176258.html Cheers, Moritz -- System Information:

Bug#606388: CVE-2010-4172: XSS issues

2010-12-08 Thread Moritz Muehlenhoff
Package: tomcat6 Severity: grave Tags: security Please see http://tomcat.apache.org/security-6.html. Please upload an isolated fix with urgency=medium and ask RMs for an unblock. Cheers, Moritz -- System Information: Debian Release: squeeze/sid APT prefers unstable APT policy:

Bug#608286: CVE-2010-4312: does not use HTTPOnly for session cookies by default

2011-01-10 Thread Moritz Muehlenhoff
On Fri, Dec 31, 2010 at 07:57:13AM -0800, tony mancill wrote: FYI, we applied patches for that Apache upstream SVN revision as part of CVE-2010-4172. I reviewed the patch posted here [0], and we already have all of it except for this bit. CVE-2010-4172 is fully fixed. MITRE later on assigned

Bug#611130: CVE-2010-2087

2011-01-25 Thread Moritz Muehlenhoff
Package: mojarra Severity: grave Tags: security http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2087 Please get in touch with upstream, whether this has been addressed. Cheers, Moritz -- System Information: Debian Release: 6.0 APT prefers testing APT policy: (500,

Bug#611138: CVE-2010-4438

2011-01-25 Thread Moritz Muehlenhoff
Package: glassfish Severity: grave Tags: security See http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4438 Please get in touch with Oracle to check, what unspecified vulnerability they fixed... Cheers, Moritz -- System Information: Debian Release: 6.0 APT prefers testing

Bug#611849: CVE-2010-4647/CVE-2008-7271: XSS in help browser application

2011-02-02 Thread Moritz Muehlenhoff
Package: eclipse Severity: important Tags: security http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4647 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7271 Red Hat has a good description and links to patches: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-4647 This doesn't

Bug#612257: Three Tomcat vulnerabilities

2011-02-07 Thread Moritz Muehlenhoff
Package: tomcat6 Version: Three Tomcat vulnerabilities Severity: grave Tags: security CVE-2011-0534, CVE-2011-0013 and CVE-2010-3718 need to be fixed in squeeze-security and unstable: http://tomcat.apache.org/security-6.html Cheers, Moritz -- System Information: Debian Release: 5.0.1

Bug#581226: Multiple security issues

2010-05-11 Thread Moritz Muehlenhoff
Package: jbossas4 Severity: grave Tags: security The following security issues have been reported against jbossas4: CVE-2010-0738: The JMX-Console web application in JBossAs in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08

Bug#653964: glassfish predictable hash collisions

2012-01-02 Thread Moritz Muehlenhoff
On Mon, Jan 02, 2012 at 09:56:20AM +0100, Torsten Werner wrote: Hi, On Sun, Jan 1, 2012 at 11:53 PM, Thijs Kinkhorst th...@debian.org wrote: It was reported that Glassfish is affected by the predictable hash collisions attack that made its rounds around the net this week. This is

Tomcat for Squeeze

2012-01-05 Thread Moritz Muehlenhoff
Dear Java maintainers, currently there's Tomcat 6 and Tomcat 7 in Wheezy. Will 6 be dropped before the Wheezy release? It would be good to only have one version in Wheezy. Cheers, Moritz

Bug#655495: CVE-2011-4605: DoS

2012-01-11 Thread Moritz Muehlenhoff
Source: activemq Severity: grave Tags: security This is CVE-2011-4605 Please see here for details and patches: http://openwall.com/lists/oss-security/2011/12/25/2 Cheers, Moritz

Bug#656876: Please enable hardened build flags

2012-01-22 Thread Moritz Muehlenhoff
Source: libapache-mod-jk Severity: important Please enable hardened build flags through dpkg-buildflags. Cheers, Moritz

Bug#657870: Multiple issues in Struts

2012-01-30 Thread Moritz Muehlenhoff
Package: libstruts1.2-java Severity: grave Tags: security Hi, several vulnerabilities have been reported against Struts: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0391 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0392

Bug#660653: FTBFS

2012-02-20 Thread Moritz Muehlenhoff
Package: akuma Version: 1.7-1 Severity: serious akuma fails to build from source: dh_installpam -plibakuma-java dh_installlogrotate -plibakuma-java dh_installlogcheck -plibakuma-java dh_installchangelogs -plibakuma-java dh_installudev -plibakuma-java dh_lintian -plibakuma-java dh_bugfiles

Bug#661450: FTBFS

2012-02-27 Thread Moritz Muehlenhoff
Package: ehcache Version: 2.1.0-1 Severity: serious debian/rules build test -x debian/rules mkdir -p . cd . /usr/lib/jvm/default-java//bin/java -classpath

Bug#661691: FTBFS

2012-02-29 Thread Moritz Muehlenhoff
Package: jenkins-crypto-util Version: 1.1-1 Severity: serious Your package fails to build from source: [INFO] Compiling 2 source files to /home/jmm/jenkins-crypto-util-1.1/target/classes [INFO] [resources:testResources {execution: default-testResources}] [WARNING] Using platform encoding

Bug#661694: FTBFS

2012-02-29 Thread Moritz Muehlenhoff
Package: jbossas4 Version: 4.2.3.GA-6 Severity: serious Your package fails to build from source: [mkdir] Created dir: /home/jmm/jbossas4-4.2.3.GA/ejb3/classes [javac] /home/jmm/jbossas4-4.2.3.GA/debian/build.xml:340: warning: 'includeantruntime' was not set, defaulting to

Bug#661715: FTBFS

2012-02-29 Thread Moritz Muehlenhoff
Package: jcaptcha Version: 2.0~alpha1-2 Severity: serious Your package fails to build from source: dh_installlogrotate -plibjcaptcha-java dh_installlogcheck -plibjcaptcha-java dh_installchangelogs -plibjcaptcha-java dh_installudev -plibjcaptcha-java dh_lintian -plibjcaptcha-java

Bug#662807: junit4: FTBFS

2012-03-06 Thread Moritz Muehlenhoff
Package: junit4 Version: 4.8.2-2 Severity: serious Your package fails to build from source: compile: [mkdir] Created dir: /home/jmm/junit4-4.8.2/build/generated-sources [javac] /usr/share/maven-ant-helper/maven-build.xml:337: warning: 'includeantruntime' was not set, defaulting to

Bug#662811: jmock2: FTBFS

2012-03-06 Thread Moritz Muehlenhoff
Package: jmock2 Version: 2.5.1+dfsg-1 Severity: serious Your package fails to build from source: compile: [mkdir] Created dir: /home/jmm/jmock2-2.5.1+dfsg/build/classes [javac] /home/jmm/jmock2-2.5.1+dfsg/build.xml:61: warning: 'includeantruntime' was not set, defaulting to

Bug#663106: libcommons-discovery-java: FTBFS: No jar in libcommons-discovery-java matching usr/share/java/commons-discovery.jar.

2012-03-08 Thread Moritz Muehlenhoff
Package: libcommons-discovery-java Version: 0.5-2 Severity: serious Your package fails to build from source: [INFO] BUILD SUCCESSFUL [INFO] [INFO] Total time: 2 seconds [INFO] Finished at: Wed Mar 07 12:08:03 CET 2012

Bug#663548: stapler: FTBFS: IO error: opening debian/libstapler-java/debian/libstapler-java//usr/share/java/stapler.jar for read : No such file or directory

2012-03-12 Thread Moritz Muehlenhoff
Package: stapler Version: 1.174-1 Severity: serious Your package fails to build from source: dh_bugfiles -plibstapler-java dh_install -plibstapler-java dh_link -plibstapler-java dh_buildinfo -plibstapler-java dh_installmime -plibstapler-java dh_installgsettings -plibstapler-java

Bug#663569: libspring-webflow-2.0-java: FTBFS: libspring-webflow-2.0-java-2.0.9.RELEASE/debian/build.xml:46: Compile failed; see the compiler error output for details.

2012-03-12 Thread Moritz Muehlenhoff
Package: libspring-webflow-2.0-java Version: 2.0.9.RELEASE-3 Severity: serious Your package fails to build from source: jar-spring-js: [jar] Building jar: /home/jmm/libspring-webflow-2.0-java-2.0.9.RELEASE/dist/spring-js-2.0.9.RELEASE.jar compile-spring-webflow: [javac] Compiling 311

Bug#667000: Rebuilding objenesis from source makes mockito FTBFS

2012-04-03 Thread Moritz Muehlenhoff
Package: objenesis Version: 1.2+full-1 Severity: serious I'm filing this against objenesis, since this appears to be where the error is coming from. mockito builds fine if I use the pre-built deb from the archive. However, when recompiling objenesis in sid and installing the resulting binaries,

Bug#667016: Rebuilding jtidy in sid makes lucene FTBFS

2012-04-03 Thread Moritz Muehlenhoff
Package: jtidy Version: 7+svn20110807-3 Severity: serious This is a similar bug to 667000 and 667011: Rebuilding jtidy in sid makes lucene2 fail to build from source: [..] common.compile-core: [mkdir] Created dir:

Bug#667601: Recompiling commons-beanutils in sid makes libcommons-digester-java FTBFS

2012-04-05 Thread Moritz Muehlenhoff
Package: commons-beanutils Version: 1.8.3-2 Severity: serious Tags: patch Similar story to 667000, 667011 and 667016 (caused by new Maven helper): Recompiling commons-beanutils in sid makes libcommons-digester-java FTBFS. Patch attached. Cheers, Moritz UCS Bug #26186 diff -aur

Bug#657870: Multiple issues in Struts

2012-04-05 Thread Moritz Muehlenhoff
There was another report for a Struts security issue: CVE-2012-1592: http://seclists.org/bugtraq/2012/Mar/110 Can you please contact upstream, whether this needs to be fixed in our Struts 1.2? Cheers, Moritz

Bug#670901: Spring: Multiple security issues

2012-04-30 Thread Moritz Muehlenhoff
Package: libspring-security-2.0-java Severity: grave Tags: security Please see http://www.securityfocus.com/archive/1/519593/30/0/threaded http://www.springsource.com/security/cve-2011-2731 http://www.springsource.com/security/cve-2011-2732 http://www.springsource.com/security/cve-2011-2894

Bug#267040: gcjwebplugin runs untrusted code without sandbox

2008-09-29 Thread Moritz Muehlenhoff
On Sun, Sep 07, 2008 at 05:39:28PM +0100, Ben Hutchings wrote: gcjwebplugin is a Java plugin for web browsers. It does not include the security manager which is a crucial part of the sandboxing of Java applets. The maintainers have fixed this bug (#267040) merely by adding a warning prompt

Bug#501059: jetty: Should likely not be shipped with Lenny

2008-10-03 Thread Moritz Muehlenhoff
Package: jetty Severity: serious When browsing through open security issues in Lenny I noticed that several Jetty security fixes have been unfixed for quite some time (#454529), although upstream has posted a patch in July. Since it's only in contrib, outdated (current upstream releases are 6

Bug#267040: gcjwebplugin runs untrusted code without sandbox

2008-10-20 Thread Moritz Muehlenhoff
Moritz Muehlenhoff wrote: On Sun, Sep 07, 2008 at 05:39:28PM +0100, Ben Hutchings wrote: gcjwebplugin is a Java plugin for web browsers. It does not include the security manager which is a crucial part of the sandboxing of Java applets. The maintainers have fixed this bug (#267040) merely

Bug#503788: libcobra-java: java bytecode / java runtime version mismatch

2008-10-29 Thread Moritz Muehlenhoff
On Tue, Oct 28, 2008 at 09:26:28AM +0100, Matthias Klose wrote: Package: libcobra-java Version: 0.98.2-1 Severity: serious User: [EMAIL PROTECTED] Usertags: jbc-mismatch Note: this report may be a false positive, if all bytecode files have version 49 or less. I've tested cobra-0.98.2.jar

Bug#503799: libhamcrest-java: java bytecode / java runtime version mismatch

2008-10-29 Thread Moritz Muehlenhoff
On Tue, Oct 28, 2008 at 09:26:31AM +0100, Matthias Klose wrote: Package: libhamcrest-java Version: 1.1-1 Severity: serious User: [EMAIL PROTECTED] Usertags: jbc-mismatch Note: this report may be a false positive, if all bytecode files have version 49 or less. I've checked the included

Bug#674448: CVE-2012-2098

2012-05-24 Thread Moritz Muehlenhoff
Package: libcommons-compress-java Version: 1.2-1 Severity: grave Tags: security Please see https://commons.apache.org/compress/security.html Fixed in 1.4.1. This doesn't warrant a DSA, but you could fix it through a point update for Squeeze 6.0.6. Cheers, Moritz

Bug#677194: CVE-2012-2672

2012-06-12 Thread Moritz Muehlenhoff
Package: mojarra Severity: grave Tags: security Please see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-2672 I'm not sure if Debian is affected, please verify. Cheers, Moritz

Bug#686867: jruby: CVE-2011-4838

2012-09-06 Thread Moritz Muehlenhoff
Package: jruby Severity: grave Tags: security Justification: user security hole Hi, jruby in Wheezy is still affected by http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4838

Bug#686867: jruby: CVE-2011-4838

2012-09-20 Thread Moritz Muehlenhoff
On Thu, Sep 20, 2012 at 12:10:30PM -0700, tony mancill wrote: On 09/20/2012 07:05 AM, Hideki Yamane wrote: It's my mistake that using static version for symlink... sorry for the mess. And a bit confusion for versioning, so prepared fix as below. If it seems to be okay, I'll upload to

Bug#688298: jenkins: Multiple security issues

2012-09-21 Thread Moritz Muehlenhoff
Package: jenkins Severity: grave Tags: security Justification: user security hole Please see http://www.cloudbees.com/jenkins-advisory/jenkins-security-advisory-2012-09-17.cb CVE IDs have been assigned: http://seclists.org/oss-sec/2012/q3/521 Remember Debian is frozen, so please upload only

Bug#692439: tomcat6: CVE-2012-2733 CVE-2012-3439

2012-11-06 Thread Moritz Muehlenhoff
Package: tomcat6 Severity: grave Tags: security Justification: user security hole Please see http://tomcat.apache.org/security-6.html Since Wheezy is frozen, please apply isolated security fixes and do not update to a new upstream release. BTW, is it really necessary to have both tomcat6 and

Bug#692440: tomcat7: CVE-2012-2733 CVE-2012-3439

2012-11-06 Thread Moritz Muehlenhoff
Package: tomcat7 Severity: grave Tags: security Justification: user security hole Please see http://tomcat.apache.org/security-7.html Since Wheezy is frozen, please apply isolated security fixes instead of updating to a new upstream release. Cheers, Moritz

Bug#692442: CVE-2012-5783: Insecure certificate validation

2012-11-06 Thread Moritz Muehlenhoff
Package: commons-httpclient Severity: important Tags: security Please see Section 7.5 of this paper: http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf This has been assigned CVE-2012-5783. I'm not sure if we can backport more correct certificate validation to 3.x, but independent of that it might

Bug#692650: axis: CVE-2012-5784

2012-11-07 Thread Moritz Muehlenhoff
Package: axis Severity: grave Tags: security Justification: user security hole CVE-2012-5784 has been assigned to Axis being affected by the issues described in this paper: http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf (See Section 8.1) Cheers, Moritz

Bug#694694: jruby: CVE-2012-5370

2012-11-29 Thread Moritz Muehlenhoff
Package: jruby Severity: grave Tags: security Justification: user security hole Hi, please see the Red Hat bug for details: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-5370 Cheers, Moritz

Bug#695250: tomcat6: CVE-2012-4534 CVE-2012-4431 CVE-2012-3546

2012-12-05 Thread Moritz Muehlenhoff
Package: tomcat6 Severity: grave Tags: security Justification: user security hole More Tomcat security issues have been disclosed: http://tomcat.apache.org/security-6.html The page contains links to the upstream fixes. BTW, is there a specific reason why both tomcat6 and tomcat7 are present in

Bug#695251: tomcat7: CVE-2012-4431 CVE-2012-4534 CVE-2012-3546

2012-12-05 Thread Moritz Muehlenhoff
Package: tomcat7 Severity: grave Tags: security Justification: user security hole New security issues in Tomcat have been disclosed: http://tomcat.apache.org/security-7.html The page contains links to upstream fixes. Cheers, Moritz

Bug#695250: tomcat6: CVE-2012-4534 CVE-2012-4431 CVE-2012-3546

2012-12-07 Thread Moritz Muehlenhoff
On Thu, Dec 06, 2012 at 10:23:17PM -0800, tony mancill wrote: On 12/05/2012 11:43 PM, Moritz Muehlenhoff wrote: Package: tomcat6 Severity: grave Tags: security Justification: user security hole More Tomcat security issues have been disclosed: http://tomcat.apache.org/security-6

Bug#707704: tomcat7: CVE-2013-2071

2013-05-10 Thread Moritz Muehlenhoff
Package: tomcat7 Severity: important Tags: security Three security issues were reported in tomcat today: http://tomcat.apache.org/security-7.html CVE-2013-2067 and CVE-2012-3544 were made public today, but already fixed in past releases. Hence, in comparison to stable/oldstable sid is already

Bug#336453: eclipse-platform: feature.xml cannot be found

2005-10-30 Thread Moritz Muehlenhoff
Package: eclipse-platform Version: 3.1.1-3 Severity: normal I can't install new extensions (features), I always get the error message Error creating feature file://usr/lib/eclipse/features/org.eclipse.platform \ .source_3.1.1

Bug#336453: eclipse-platform: feature.xml cannot be found

2005-10-31 Thread Moritz Muehlenhoff
Stephan Michels wrote: On 10/30/05, Moritz Muehlenhoff [EMAIL PROTECTED] wrote: Package: eclipse-platform Version: 3.1.1-3 Severity: normal I can't install new extensions (features), I always get the error message Error creating feature file://usr/lib/eclipse/features

Bug#340583: CVE-2005-3745: Cross-Site-Scripting vulnerability

2005-11-24 Thread Moritz Muehlenhoff
Package: libstruts1.2-java Severity: grave Tags: security Justification: user security hole A Cross-Site-Scripting vulnerability has been found in the request handler for generating error messages. Please see http://www.securityfocus.com/archive/1/archive/1/417296/30/0/threaded for more details.

Bug#340582: CVE-2005-3747: Incorrect input validation of HTTP requests

2005-11-24 Thread Moritz Muehlenhoff
Package: jetty Version: 5.1.5rc1-6 Severity: grave Tags: security Justification: user security hole An input validation error when processing HTTP requests containing specially crafted characters can be exploited to display the source code of Java Server pages instead of an expected HTML

Bug#716937: openjpa: CVE-2013-1768

2013-07-14 Thread Moritz Muehlenhoff
Package: openjpa Severity: grave Tags: security Justification: user security hole Please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1768 Cheers, Moritz

Bug#717031: libjgroups-java: CVE-2013-4112

2013-07-16 Thread Moritz Muehlenhoff
Package: libjgroups-java Severity: grave Tags: security Justification: user security hole Please see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4112

Bug#720902: libspring-java: CVE-2013-4152

2013-08-26 Thread Moritz Muehlenhoff
Package: libspring-java Severity: grave Tags: security Justification: user security hole Please see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4152 for details. Cheers, Moritz

Bug#722290: Please migrate from ffmpeg to libav-tools

2013-09-09 Thread Moritz Muehlenhoff
Package: jsymphonic Severity: normal User: pkg-multimedia-maintain...@lists.alioth.debian.org Usertags: ffmpeg-removal The ffmpeg binary package is no longer provided from libav. Please port your package to the avconv tools from libav-tools. Cheers, Moritz -- System Information: Debian

Bug#726601: libcommons-fileupload-java: CVE-2013-218

2013-10-16 Thread Moritz Muehlenhoff
Package: libcommons-fileupload-java Severity: grave Tags: security Justification: user security hole Red Hat fixed a security issue in Commons FileUpload: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2186 Cheers, Moritz

Bug#730457: jenkins: CVE-2013-6372 CVE-2013-6373 CVE-2013-6374

2013-11-25 Thread Moritz Muehlenhoff
Package: jenkins Severity: grave Tags: security Justification: user security hole Please see https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-11-20 for references and patches. Cheers, Moritz

Bug#731113: lucene-solr: CVE-2013-6397 CVE-2013-6407 CVE-2013-6408

2013-12-02 Thread Moritz Muehlenhoff
Package: lucene-solr Severity: grave Tags: security Justification: user security hole CVE-2013-6397: https://issues.apache.org/jira/browse/SOLR-4882 CVE-2013-6407: https://issues.apache.org/jira/browse/SOLR-3895 CVE-2013-6408: https://issues.apache.org/jira/browse/SOLR-4881 Cheers,

Bug#731113: lucene-solr: CVE-2013-6397 CVE-2013-6407 CVE-2013-6408

2013-12-11 Thread Moritz Muehlenhoff
On Mon, Dec 02, 2013 at 09:56:04AM +0100, Moritz Muehlenhoff wrote: CVE-2013-6407: https://issues.apache.org/jira/browse/SOLR-3895 An additional CVE ID has been assigned to this issue: CVE-2012-6612 Cheers, Moritz

Bug#732708: jenkins: CVE-2013-5573

2013-12-20 Thread Moritz Muehlenhoff
Package: jenkins Severity: important Tags: security Please see http://seclists.org/fulldisclosure/2013/Dec/159

Bug#733938: libxml-security-java: CVE-2013-4517

2014-01-02 Thread Moritz Muehlenhoff
Package: libxml-security-java Severity: grave Tags: security Justification: user security hole Please see http://santuario.apache.org/secadv.data/cve-2013-4517.txt.asc Please prepare updated oldstable-security/stable-security packages for this issue and CVE-2013-2172 (as fixed in 1.5.5-2) and

Bug#735420: libspring-java: CVE-2013-6429 CVE-2013-6430

2014-01-15 Thread Moritz Muehlenhoff
Package: libspring-java Severity: grave Tags: security Justification: user security hole Please see http://www.gopivotal.com/security/cve-2013-6429 http://www.gopivotal.com/security/cve-2013-6430 Cheers, Moritz

Bug#736426: freehep-graphicsio-svg: Recompilation of the package breaks other packages

2014-01-23 Thread Moritz Muehlenhoff
Package: freehep-graphicsio-svg Version: 2.1.1-3 Severity: serious I ran into the following bug with stable, but the version is the same as in unstable: If I compile geogebra with the binary deb package as shipped in stable it compiles fine. However, if I rebuild freehep-graphicsio-svg in

Re: freehep-graphicsio-svg: Recompilation of the package breaks other packages

2014-01-24 Thread Moritz Muehlenhoff
On Thu, Jan 23, 2014 at 04:13:19PM +0100, Moritz Muehlenhoff wrote: Package: freehep-graphicsio-svg Version: 2.1.1-3 Severity: serious I ran into the following bug with stable, but the version is the same as in unstable: If I compile geogebra with the binary deb package as shipped

Re: freehep-graphicsio-svg: Recompilation of the package breaks other packages

2014-01-27 Thread Moritz Muehlenhoff
On Fri, Jan 24, 2014 at 10:49:06AM +0100, Moritz Muehlenhoff wrote: I did some digging in the reverse deps and found the following bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=688043 In fact, adding that patch to the version of maven-debian-helper in Wheezy and rebuilding

Bug#736426: freehep-graphicsio-svg: Recompilation of the package breaks other packages

2014-02-19 Thread Moritz Muehlenhoff
On Tue, Jan 28, 2014 at 07:45:41AM +0100, Moritz Muehlenhoff wrote: On Fri, Jan 24, 2014 at 10:49:06AM +0100, Moritz Muehlenhoff wrote: I did some digging in the reverse deps and found the following bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=688043 In fact, adding

Bug#740586: mojarra: CVE-2013-5855

2014-03-03 Thread Moritz Muehlenhoff
Package: mojarra Severity: grave Tags: security Justification: user security hole Hi, this was assigned CVE-2013-5855: https://java.net/jira/browse/JAVASERVERFACES-3150 Fix: https://java.net/projects/mojarra/sources/svn/revision/12793 Cheers, Moritz

Bug#741604: libspring-java: Multiple security issues

2014-03-14 Thread Moritz Muehlenhoff
Package: libspring-java Severity: grave Tags: security Justification: user security hole http://www.gopivotal.com/security/cve-2014-0054 http://www.gopivotal.com/security/cve-2014-1904 I'm not sure whether these are worth a DSA? Cheers, Moritz

Bug#753470: libspring-java: CVE-2014-0225

2014-07-02 Thread Moritz Muehlenhoff
Package: libspring-java Severity: grave Tags: security Justification: user security hole Hi, please see http://www.gopivotal.com/security/cve-2014-0225 Cheers, Moritz

Bug#758516: Struts 1.2 should not be shipped with jessie

2014-08-18 Thread Moritz Muehlenhoff
Package: libstruts1.2-java Severity: serious Struts 1.x is EOLed upstream, it should not be included in jessie: http://mail-archives.apache.org/mod_mbox/struts-announcements/201404.mbox/%3C535F5F52.4040108%40apache.org%3E Cheers, Moritz

Bug#759470: libopensaml2-java: CVE-2014-3603

2014-08-27 Thread Moritz Muehlenhoff
Package: libopensaml2-java Severity: grave Tags: security Justification: user security hole Please see http://shibboleth.net/community/advisories/secadv_20140813.txt Cheers, Moritz

Bug#759526: not-yet-commons-ssl: CVE-2014-3604

2014-08-28 Thread Moritz Muehlenhoff
Package: not-yet-commons-ssl Severity: grave Tags: security Justification: user security hole This was assigned CVE-2014-3604: http://lists.juliusdavies.ca/pipermail/not-yet-commons-ssl-juliusdavies.ca/2014-August/000832.html Cheers, Moritz

Bug#758516: Struts 1.2 should not be shipped with jessie

2014-09-17 Thread Moritz Muehlenhoff
On Tue, Sep 16, 2014 at 12:12:03AM +0200, Emmanuel Bourg wrote: On 15/09/2014 23:56, Moritz Mühlenhoff wrote: Then it should be easy to remove? Actually it's easier to keep it, since a removal induces more work to update the reverse dependencies. Well, but if we keep old,

Bug#763608: CVE-2014-3607

2014-10-01 Thread Moritz Muehlenhoff
Source: libvt-ldap-java Severity: grave Tags: security This has been assigned CVE-2014-3607: https://code.google.com/p/vt-middleware/issues/detail?id=226 http://shibboleth.net/community/advisories/secadv_20140919.txt Cheers, Moritz

Bug#760733: libspring-java: CVE-2014-0225

2014-11-26 Thread Moritz Muehlenhoff
On Wed, Nov 26, 2014 at 12:40:37PM +0100, Emmanuel Bourg wrote: I've been investigating this issue as well. I contacted an upstream developer and it seems the actual fix for this issue is unknown. The version 3.2.0 was just reported as not vulnerable by the security researcher who discovered

Bug#773364: async-http-client: CVE-2013-7397 CVE-2013-7398

2014-12-17 Thread Moritz Muehlenhoff
Package: async-http-client Severity: important Tags: security Hi, please see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-7397 : https://github.com/AsyncHttpClient/async-http-client/issues/352 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-7398 :

Bug#773364: async-http-client: CVE-2013-7397 CVE-2013-7398

2014-12-17 Thread Moritz Muehlenhoff
On Wed, Dec 17, 2014 at 06:08:00PM +0100, Emmanuel Bourg wrote: Hi Moritz, Thank you for the report On 17/12/2014 15:43, Moritz Muehlenhoff wrote: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-7397 : https://github.com/AsyncHttpClient/async-http-client/issues/352 https

Bug#774050: CVE-2014-9390

2014-12-27 Thread Moritz Muehlenhoff
Source: jgit Severity: important Tags: security jgit is also affected by the recent git vulnerability: http://openwall.com/lists/oss-security/2014/12/18/21 Cheers, Moritz

Bug#777196: activemq: CVE-2014-8110 CVE-2014-3612 CVE-2014-3600

2015-02-05 Thread Moritz Muehlenhoff
Package: activemq Severity: important Tags: security Hi, please see http://activemq.apache.org/security-advisories.data/CVE-2014-8110-announcement.txt (but the admin console isn't enabled, so this should be moot? (702670))

Bug#777196: activemq: CVE-2014-8110 CVE-2014-3612 CVE-2014-3600

2015-02-17 Thread Moritz Muehlenhoff
On Fri, Feb 06, 2015 at 01:56:35PM +0100, Emmanuel Bourg wrote: For CVE-2014-3600: https://github.com/apache/activemq/commit/b9696ac8 https://issues.apache.org/jira/browse/AMQ-5333 Could you please upload a fixed package for CVE-2014-3612 and CVE-2014-3600? Cheers, Moritz

Bug#775171: libapache-poi-java: CVE-2014-9527

2015-01-11 Thread Moritz Muehlenhoff
Package: libapache-poi-java Severity: important Tags: security Justification: user security hole This was assigned CVE-2014-9527: https://issues.apache.org/bugzilla/show_bug.cgi?id=57272 Could you please make a targeted fix for jessie? Cheers, Moritz

Bug#777741: wss4j: CVE-2015-0226 CVE-2015-0227

2015-02-11 Thread Moritz Muehlenhoff
Package: wss4j Severity: grave Tags: security Justification: user security hole Hi, please see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-0226 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-0227 Cheers, Moritz

Bug#780102: libjbcrypt-java: CVE-2015-0886

2015-03-09 Thread Moritz Muehlenhoff
Package: libjbcrypt-java Severity: grave Tags: security Justification: user security hole Hi, please see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0886 http://www.mindrot.org/projects/jBCrypt/news/rel04.html https://bugzilla.mindrot.org/show_bug.cgi?id=2097 Cheers, Moritz

Bug#781223: jenkins: Multiple security issues

2015-03-26 Thread Moritz Muehlenhoff
Package: jenkins Severity: grave Tags: security Justification: user security hole Hi, please see https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-03-23: SECURITY-171 is CVE-2015-1812 SECURITY-177 is CVE-2015-1813 SECURITY-180 is CVE-2015-1814 and

Bug#758086: CVE-2012-6153: Apache HttpComponents client: Hostname verification susceptible to MITM attack

2015-03-23 Thread Moritz Muehlenhoff
On Mon, Dec 29, 2014 at 10:25:24PM +0100, Moritz Mühlenhoff wrote: On Mon, Sep 22, 2014 at 03:56:00PM +0200, Raphael Hertzog wrote: Hi, On Mon, 18 Aug 2014, Salvatore Bonaccorso wrote: On Thu, Aug 14, 2014 at 11:43:32PM +0200, Emmanuel Bourg wrote: Is there an example available

Bug#779621: jakarta-taglibs-standard: CVE-2015-0254

2015-03-02 Thread Moritz Muehlenhoff
Package: jakarta-taglibs-standard Severity: important Tags: security Please see http://www.securityfocus.com/archive/1/534772 Cheers, Moritz

Bug#762690: libhibernate-validator-java: affected by CVE-2014-3558

2015-03-02 Thread Moritz Muehlenhoff
severity 762690 important thx On Sun, Nov 02, 2014 at 11:38:30PM +0100, Emmanuel Bourg wrote: libhibernate-validator-java is only used as a build dependency of libhibernate3-java. No package depends on it at runtime, so the risk of being affected by this vulnerability is rather low, if not

Bug#787316: CVE-2015-1833

2015-05-31 Thread Moritz Muehlenhoff
Source: jackrabbit Severity: grave Tags: security Hi, please see https://issues.apache.org/jira/browse/JCR-3883 Cheers, Moritz

Bug#796137: CVE-2015-3192

2015-08-19 Thread Moritz Muehlenhoff
Source: libspring-java Severity: important Tags: security Please see https://pivotal.io/security/cve-2015-3192 Cheers, Moritz

Bug#780383: libopensaml2-java: CVE-2015-1796

2015-06-29 Thread Moritz Muehlenhoff
On Sat, May 09, 2015 at 08:35:13AM -0700, tony mancill wrote: On 05/06/2015 10:54 PM, tony mancill wrote: An update on this... I'm in the midst of packaging 2.6.5, but it in turn requires an update to libxmltooling-java to version 1.4.4, which I am working on now. In an email exchange

Bug#793911: groovy should not release with stretch

2015-07-28 Thread Moritz Muehlenhoff
Package: groovy Severity: serious A separate source package groovy2 was uploaded, so reverse dependencies need to be migrated to that one and groovy removed. Cheers, Moritz