Bug#837170: CVE-2016-6345 / CVE-2016-6346 / CVE-2016-6347 / CVE-2016-6348

2016-09-09 Thread Moritz Muehlenhoff
Source: resteasy Severity: important Tags: security Red Hat reported a few vulnerabilities in RestEasy, they don't seem to be fixed in 3.0.19: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-6345 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-6346 https://bugzilla.redhat.com/show_bug.c

Bug#793770: Cookie parsing bug may lead to 'HttpOnly' cookie bypass (CVE-2015-2156)

2017-01-09 Thread Moritz Muehlenhoff
severity 793770 grave thanks On Mon, Jul 27, 2015 at 11:51:53AM +0200, Luca Bruno wrote: > Source: netty-3.9 > Version: 3.9.0.Final-1 > Severity: important > Tags: security upstream patch > > LinkedIn Security Team discovered a "Cookie" header parsing bug in Netty > that could lead to universal b

Bug#851408: CVE-2016-6814

2017-01-14 Thread Moritz Muehlenhoff
Source: groovy Severity: grave Tags: security Hi, please see http://seclists.org/oss-sec/2017/q1/92 Cheers, Moritz __ This is the maintainer address of Debian's Java team . Please use debian-j...@lists.debian.

Bug#851430: CVE-2016-9571

2017-01-14 Thread Moritz Muehlenhoff
Source: resteasy Severity: important Tags: security There's not a great deal of information on this one other than this Red Hat bugtracker entry: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9571 Cheers, Moritz

Bug#853998: CVE-2017-3250 / CVE-2017-3249 / CVE-2017-3247 / CVE-2016-5528 / CVE-2016-5519

2017-02-02 Thread Moritz Muehlenhoff
Source: glassfish Severity: grave Tags: security So Oracle has these lovely, unspecified vulnerabilities reported against Glassfish, but it's my understanding that the Debian package only provides a minor subset of what usually constitutes Java, so could you have a look, which of http://www.oracle

Bug#819259: Don't include in stretch

2016-03-25 Thread Moritz Muehlenhoff
Source: tomcat7 Severity: serious stretch should only provide one version of Tomcat. Cheers, Moritz

Bug#823622: CVE-2015-4901 CVE-2015-4906 CVE-2015-4908 CVE-2015-4916

2016-05-06 Thread Moritz Muehlenhoff
Source: openjfx Severity: grave Tags: security The four security issues from October's Java CPU are still unfixed, right? http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html Cheers, Moritz

Bug#823703: CVE-2016-3720

2016-05-07 Thread Moritz Muehlenhoff
Source: jackson-dataformat-xml Severity: grave Tags: security jackson-dataformat-xml is susceptible to XXE attacks, this was assigned CVE-2016-3720. Fix is here: https://github.com/FasterXML/jackson-dataformat-xml/commit/f0f19a4c924d9db9a1e2830434061c8640092cc0 Cheers, Moritz

Bug#825501: CVE-2016-4434

2016-05-27 Thread Moritz Muehlenhoff
Source: tika Severity: grave Tags: security Hi, please see http://seclists.org/oss-sec/2016/q2/413 for details. Cheers, Moritz

Bug#826653: CVE-2016-4437

2016-06-07 Thread Moritz Muehlenhoff
Source: shiro Severity: grave Tags: security The following was reported on oss-security. shiro doesn't seem to have any rdeps in Debian. Cheers, Moritz Severity: Important Vendor: The Apache Software Foundation Versions Affected: 1.0.0-incubating - 1.2.4 Description: A default cipher

Bug#860566: fixed in batik 1.9-1

2017-10-01 Thread Moritz Muehlenhoff
On Mon, Sep 04, 2017 at 06:19:28AM +, Christopher Hoskin wrote: > Changes: > batik (1.9-1) unstable; urgency=medium [..] >* New upstream (1.9) >+ Fix "CVE-2017-5662: information disclosure vulnerability" Upstream > claim > BATIK-1139 is fixed in 1.9 (Closes: #860566) H

Bug#870860: openjfx: CVE-2017-10086 CVE-2017-10114

2017-10-02 Thread Moritz Muehlenhoff
On Sat, Aug 05, 2017 at 09:58:53PM +0200, Salvatore Bonaccorso wrote: > Source: openjfx > Version: 8u131-b11-1 > Severity: grave > Tags: upstream security > > Hi, > > the following vulnerabilities were published for openjfx. > > CVE-2017-10086[0] and CVE-2017-10114[1]. > > Unfortunately it's no

Bug#870860: openjfx: CVE-2017-10086 CVE-2017-10114

2017-10-06 Thread Moritz Muehlenhoff
On Fri, Oct 06, 2017 at 04:27:02PM +0200, Emmanuel Bourg wrote: > Hi, > > Quick update on openjfx: the package is back on track, as of version > 8u141-b14-3 I eventually managed to get it to build on both amd64 and > i386 in unstable for the first time since January. If the tests go well > I'll pr

Bug#870860: openjfx: CVE-2017-10086 CVE-2017-10114

2017-10-17 Thread Moritz Muehlenhoff
On Tue, Oct 17, 2017 at 04:30:16PM +0200, Emmanuel Bourg wrote: > I ran the Oracle JavaFX demos with the new version and it worked fine > (except the media player but this isn't a regression, something is > probably misconfigured on my machine). > > Should I proceed with the upload, or do you want

Bug#863811: CVE-2017-5637

2017-05-31 Thread Moritz Muehlenhoff
Source: zookeeper Severity: grave Tags: security Please see https://issues.apache.org/jira/browse/ZOOKEEPER-2693 Fix is referenced here: https://github.com/apache/zookeeper/pull/183 I'm also attaching the debdiff I'll be using for jessie for reference. Cheers, Moritz diff -Nru zook

Bug#864405: CVE-2016-2666

2017-06-07 Thread Moritz Muehlenhoff
Source: undertow Severity: grave Tags: security There's no other reference than what Red Hat published here: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2666 Upstream needs to be contacted or the patch pulled from their update. Cheers, Moritz

Bug#867493: CVE-2016-2141

2017-07-06 Thread Moritz Muehlenhoff
Package: libjgroups-java Severity: important Tags: security This was assigned CVE-2016-2141: https://issues.jboss.org/browse/JGRP-2021?_sscc=t Cheers, Moritz

Accepted plexus-utils2 3.0.15-1+deb8u1 (source all) into oldstable->embargoed, oldstable

2018-03-22 Thread Moritz Muehlenhoff
Maintainers Changed-By: Moritz Muehlenhoff Description: libplexus-utils2-java - utilities for the Plexus framework libplexus-utils2-java-doc - utilities for the Plexus framework - documentation Changes: plexus-utils2 (3.0.15-1+deb8u1) jessie-security; urgency=medium . * CVE-2017-1000487

Accepted plexus-utils 1:1.5.15-4+deb9u1 (source all) into proposed-updates->stable-new, proposed-updates

2018-03-30 Thread Moritz Muehlenhoff
Maintainers Changed-By: Moritz Muehlenhoff Description: libplexus-utils-java - utilities for the Plexus framework libplexus-utils-java-doc - API Documentation for plexus-utils Changes: plexus-utils (1:1.5.15-4+deb9u1) stretch-security; urgency=medium . * CVE-2017-1000487 Checksums-Sha1

Accepted plexus-utils 1:1.5.15-4+deb8u1 (source all) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates

2018-03-30 Thread Moritz Muehlenhoff
Maintainers Changed-By: Moritz Muehlenhoff Description: libplexus-utils-java - utilities for the Plexus framework libplexus-utils-java-doc - API Documentation for plexus-utils Changes: plexus-utils (1:1.5.15-4+deb8u1) jessie-security; urgency=medium . * CVE-2017-1000487 Checksums-Sha1

Accepted plexus-utils2 3.0.15-1+deb8u1 (source all) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates

2018-03-30 Thread Moritz Muehlenhoff
Maintainers Changed-By: Moritz Muehlenhoff Description: libplexus-utils2-java - utilities for the Plexus framework libplexus-utils2-java-doc - utilities for the Plexus framework - documentation Changes: plexus-utils2 (3.0.15-1+deb8u1) jessie-security; urgency=medium . * CVE-2017-1000487

Bug#888547: CVE-2017-1000190

2018-01-27 Thread Moritz Muehlenhoff
Source: simple-xml Severity: important Tags: security CVE-2017-1000190 has been assigned to this bug in simple-xml: https://github.com/ngallagher/simplexml/issues/18 Cheers, Moritz

Bug#891796: CVE-2017-18197

2018-02-28 Thread Moritz Muehlenhoff
Source: libjgraphx-java Severity: normal Tags: security This was assigned CVE-2017-18197: https://github.com/jgraph/mxgraph/issues/124 Cheers, Moritz

Accepted plexus-utils 1:1.5.15-4+deb9u1 (source all) into stable->embargoed, stable

2018-03-20 Thread Moritz Muehlenhoff
Maintainers Changed-By: Moritz Muehlenhoff Description: libplexus-utils-java - utilities for the Plexus framework libplexus-utils-java-doc - API Documentation for plexus-utils Changes: plexus-utils (1:1.5.15-4+deb9u1) stretch-security; urgency=medium . * CVE-2017-1000487 Checksums-Sha1

Accepted plexus-utils 1:1.5.15-4+deb8u1 (source all) into oldstable->embargoed, oldstable

2018-03-20 Thread Moritz Muehlenhoff
Maintainers Changed-By: Moritz Muehlenhoff Description: libplexus-utils-java - utilities for the Plexus framework libplexus-utils-java-doc - API Documentation for plexus-utils Changes: plexus-utils (1:1.5.15-4+deb8u1) jessie-security; urgency=medium . * CVE-2017-1000487 Checksums-Sha1

Bug#780383: libopensaml2-java: CVE-2015-1796

2015-06-29 Thread Moritz Muehlenhoff
On Sat, May 09, 2015 at 08:35:13AM -0700, tony mancill wrote: > On 05/06/2015 10:54 PM, tony mancill wrote: > > An update on this... I'm in the midst of packaging 2.6.5, but it in > > turn requires an update to libxmltooling-java to version 1.4.4, which I > > am working on now. > > In an email ex

Bug#792857: CVE-2014-3576

2015-07-19 Thread Moritz Muehlenhoff
Source: activemq Severity: grave Tags: security https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3576 is scarce on details, but per the fixed upstream release probably affects oldstable and stable. Cheers, Moritz

Bug#793492: Should this package be removed?

2015-07-24 Thread Moritz Muehlenhoff
Package: azureus Severity: serious The version of azureus currently in the archive has been uploaded in 2009 and is many upstream releases behind. It has been dropped from testing back in 2013 and the last upload was in 2011. Since there's apparently no current maintenance interest in Vuze/Azureus

Bug#793911: groovy should not release with stretch

2015-07-28 Thread Moritz Muehlenhoff
Package: groovy Severity: serious A separate source package groovy2 was uploaded, so reverse dependencies need to be migrated to that one and groovy removed. Cheers, Moritz

Bug#796137: CVE-2015-3192

2015-08-19 Thread Moritz Muehlenhoff
Source: libspring-java Severity: important Tags: security Please see https://pivotal.io/security/cve-2015-3192 Cheers, Moritz

Re: Bug#793984: jessie-pu: package groovy/1.8.6-4

2015-08-31 Thread Moritz Muehlenhoff
On Thu, Aug 20, 2015 at 08:26:05AM -0300, Miguel Landaeta wrote: > On Wed, Aug 19, 2015 at 07:05:26PM +0100, Adam D. Barratt wrote: > > > > I just realised that I somehow overlooked the fact that #793397 isn't > > fixed in unstable yet - what's the plan for that? > > I intend to fix this soon but

Bug#799280: Depends on gstreamer 0.10

2015-09-17 Thread Moritz Muehlenhoff
Source: openjfx Severity: serious Hi, openjfx build-depends on gstreamer 0.10, which is scheduled for removal from the archive. Please see https://lists.debian.org/debian-devel/2015/05/msg00335.html for details. Cheers, Moritz

Bug#803713: Keep out of testing

2015-11-01 Thread Moritz Muehlenhoff
Source: elasticsearch Severity: serious See DSA 3389, upstream security policies are not compatible with being in stable. Cheers, Moritz

Bug#804522: jenkins: Unauthenticated remote code execution 0-day in Jenkins CLI

2015-11-09 Thread Moritz Muehlenhoff
Package: jenkins Severity: grave Tags: security Justification: user security hole Hi, please see https://jenkins-ci.org/content/mitigating-unauthenticated-remote-code-execution-0-day-jenkins-cli Cheers, Moritz

Bug#804522: jenkins: Unauthenticated remote code execution 0-day in Jenkins CLI

2015-11-09 Thread Moritz Muehlenhoff
On Mon, Nov 09, 2015 at 09:25:20AM +0100, Emmanuel Bourg wrote: > Hi Moritz, > > If I'm not mistaken this vulnerability is actually linked to a dangerous > deserialization in commons-collections if the input isn't properly > sanitized. Indeed, I intended to file a separate bug for those (but I wa

Bug#885338: CVE-2017-12165

2017-12-26 Thread Moritz Muehlenhoff
Source: undertow Severity: important Tags: security The only source here is a report in Red Hat Bugzilla, so might be worth contacting upstream for additional information: https://bugzilla.redhat.com/show_bug.cgi?id=1490301 Cheers, Moritz

Bug#825501: CVE-2016-4434

2018-01-12 Thread Moritz Muehlenhoff
On Thu, Jan 11, 2018 at 02:03:23PM +0200, Faidon Liambotis wrote: > On Fri, May 27, 2016 at 11:58:33AM +0200, Moritz Muehlenhoff wrote: > > please see http://seclists.org/oss-sec/2016/q2/413 for details. > > That link says: > Versions Affected: > Apache Tika 0.10 to 1.1

Bug#632882: CVE-2011-2204

2011-07-06 Thread Moritz Muehlenhoff
Package: tomcat6 Severity: grave Tags: security (Also applies to Tomcat 5.5 and Tomcat 6) Please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2204 This doesn't warrant a DSA, but could be fixed through a point update. Cheers, Moritz -- System Information: Debian Release:

Bug#632882: CVE-2011-2204

2011-07-18 Thread Moritz Muehlenhoff
On Wed, Jul 06, 2011 at 09:49:17PM -0700, tony mancill wrote: > Hello Moritz, > > Thank you for filing the bug. I've uploaded an updated tomcat6 package > for unstable and will get the patch applied for the next tomcat7 upload > soon. I'll also look into an upload of 6.0.28 for stable proposed u

Bug#634992: CVE-2011-2526: Restriction bypass

2011-07-21 Thread Moritz Muehlenhoff
Package: tomcat7 Severity: grave Tags: security Please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2526 http://tomcat.apache.org/security-7.html The same applies to Tomcat 6 and Tomcat 5.5 Cheers, Moritz

Bug#611130: CVE-2010-2087

2011-08-24 Thread Moritz Muehlenhoff
On Tue, Aug 23, 2011 at 08:12:51PM -0430, Miguel Landaeta wrote: > On Mon, Jul 25, 2011 at 02:05:01PM +0200, Moritz Mühlenhoff wrote: > > What's the result? > > > > Upstream is totally unresponsive about this issue. > > I have reviewed changelog of subsequent releases and this doesn't > seem to
