Bug#858914: CVE-2017-5929: serialization vulnerability in SocketServer and ServerSocketReceiver

2017-03-28 Thread Guido Günther
On Tue, Mar 28, 2017 at 05:48:16PM +0200, Markus Koschany wrote:
> Control: forcemerge 857343 858914
> 
> Am 28.03.2017 um 17:38 schrieb Guido Günther:
> > Package: logback
> > Severity: grave
> > Tags: security
> > 
> > Hi,
> > 
> > the following vulnerability was published for logback.
> > 
> > CVE-2017-5929[0]:
> > | QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting
> > | the SocketServer and ServerSocketReceiver components.
> 
> [...]
> 
> Hi Guido,
> 
> this is a duplicate of #857343 which I am going to fix very soon.

Yeah, I noticed after filing it. Sorry for the noise and thanks for
fixing it in sid. I've also added it to dla-needed.
Cheers,
 -- Guido

__
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use debian-j...@lists.debian.org for discussions and questions.


Bug#858914: CVE-2017-5929: serialization vulnerability in SocketServer and ServerSocketReceiver

2017-03-28 Thread Guido Günther
Package: logback
Severity: grave
Tags: security

Hi,

the following vulnerability was published for logback.

CVE-2017-5929[0]:
| QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting
| the SocketServer and ServerSocketReceiver components.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-5929
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5929
Please adjust the affected versions in the BTS as needed.


Bug#842666: CVE-2016-6797: Apache Tomcat Unrestricted Access to Global Resources

2016-10-31 Thread Guido Günther
Package: tomcat7
Severity: important
Tags: security

Hi,

the following vulnerability was published for tomcat7.

CVE-2016-6797[0]:
Apache Tomcat Unrestricted Access to Global Resources

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-6797
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6797
Please adjust the affected versions in the BTS as needed.


Bug#842665: CVE-2016-6796 Apache Tomcat Security Manager Bypass

2016-10-31 Thread Guido Günther
Package: tomcat7
Severity: important
Tags: security

Hi,

the following vulnerability was published for tomcat7.

CVE-2016-6796[0]:
Apache Tomcat Security Manager Bypass

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-6796
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6796
Please adjust the affected versions in the BTS as needed.


Bug#842664: CVE-2016-6794: Apache Tomcat System Property Disclosure

2016-10-31 Thread Guido Günther
Package: tomcat7
Severity: important
Tags: security

Hi,

the following vulnerability was published for tomcat7.

CVE-2016-6794[0]:
Apache Tomcat System Property Disclosure

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-6794
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6794
Please adjust the affected versions in the BTS as needed.


Bug#842663: CVE-2016-5018: Apache Tomcat Security Manager Bypass

2016-10-31 Thread Guido Günther
Package: tomcat7
Severity: important
Tags: security

Hi,

the following vulnerability was published for tomcat7.

CVE-2016-5018[0]:
Apache Tomcat Security Manager Bypass

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-5018
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5018
Please adjust the affected versions in the BTS as needed.


Bug#842662: CVE-2016-0762: Apache Tomcat Realm Timing Attack

2016-10-31 Thread Guido Günther
Package: tomcat7
Severity: important
Tags: security

Hi,

the following vulnerability was published for tomcat7.

CVE-2016-0762[0]:
Apache Tomcat Realm Timing Attack

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-0762
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0762
Please adjust the affected versions in the BTS as needed.


Bug#798650: CVE-2015-5262: https calls ignore http.socket.timeout during SSL Handshake

2015-09-11 Thread Guido Günther
Source: commons-httpclient
Version: 3.1-11
Severity: important

Please see https://bugzilla.redhat.com/show_bug.cgi?id=1259892

Cheers,
 -- Guido

-- System Information:
Debian Release: 8.1
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.1.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)


Bug#798650: CVE-2015-5262: https calls ignore http.socket.timeout during SSL Handshake

2015-09-11 Thread Guido Günther
Hi,
On Fri, Sep 11, 2015 at 04:20:42PM +0200, Emmanuel Bourg wrote:
> Le 11/09/2015 15:12, Guido Günther a écrit :
> 
> > Please see https://bugzilla.redhat.com/show_bug.cgi?id=1259892
> 
> Thank you for the report Guido. A hanging connection is certainly
> annoying but I fail to understand why it's flagged as a security
> vulnerability.

Since a malicious server can starve client connections _although_ the
client took countermeasures to prevent this (by setting a timeout).

> Note that according to HTTPCLIENT-1478 [1] this was completely fixed in
> the version 4.3.6. So if this is really a security issue the
> httpcomponents-client package in stable and oldstable is also affected.

I do think so but I haven't checked yet and

https://bugzilla.redhat.com/show_bug.cgi?id=1261538

as well as

https://issues.apache.org/jira/browse/HTTPCLIENT-1478?focusedCommentId=13926162=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13926162

claim that it's not yet reproduced for httpcomponents-client 4.2.x;
that's why I didn't file a bug for httpcomponents-client yet, until
this is investigated further.

Cheers,
 -- Guido
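The mechanism behind this report, as an added example that is not part of the bug discussion and does not use commons-httpclient: a plain JSSE client that sets SO_TIMEOUT on the underlying socket before startHandshake(), so that a server which accepts the TCP connection but never answers the ClientHello cannot hold the client indefinitely. The stalling server is constructed inline on the loopback interface; the class and method names are my own choice.

```java
import java.io.IOException;
import java.io.InterruptedIOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.ServerSocket;
import java.net.Socket;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class BoundedHandshake {

    /**
     * Opens a TLS connection to host:port with one timeout that covers the TCP
     * connect, the TLS handshake and all later reads. Returns a status string.
     */
    public static String connectWithBoundedHandshake(String host, int port, int timeoutMs) {
        try (Socket plain = new Socket()) {
            plain.connect(new InetSocketAddress(host, port), timeoutMs);
            // The read timeout must be on the underlying socket *before* the
            // handshake starts; applying a timeout to the SSLSocket only after
            // the handshake leaves the wait for the ServerHello unbounded.
            plain.setSoTimeout(timeoutMs);
            SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
            try (SSLSocket tls = (SSLSocket) factory.createSocket(plain, host, port, true)) {
                tls.startHandshake(); // now bounded by SO_TIMEOUT
                return "handshake completed: " + tls.getSession().getProtocol();
            }
        } catch (IOException e) {
            // JSSE may surface the timeout directly or wrapped; walk the cause chain.
            for (Throwable t = e; t != null; t = t.getCause()) {
                if (t instanceof InterruptedIOException) {
                    return "handshake timed out after " + timeoutMs + " ms";
                }
            }
            return "handshake failed: " + e;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a stalling server: it accepts the TCP
        // connection but never sends a ServerHello.
        ServerSocket stall = new ServerSocket(0, 1, InetAddress.getLoopbackAddress());
        Thread server = new Thread(() -> {
            try (Socket s = stall.accept()) {
                Thread.sleep(10_000);
            } catch (Exception ignored) {
                // the client gives up first; nothing to do here
            }
        });
        server.setDaemon(true);
        server.start();
        System.out.println(connectWithBoundedHandshake("127.0.0.1", stall.getLocalPort(), 1000));
        stall.close();
    }
}
```

Run with `javac BoundedHandshake.java && java BoundedHandshake`; the client returns after about one second with the timed-out status instead of hanging. The same ordering (socket-level timeout first, handshake second) is what a library wrapping JSSE has to preserve for a configured timeout to be honoured during the handshake.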


Bug#720343: Please add the --prefix option to /etc/default/jenkins

2013-08-20 Thread Guido Günther
Package: jenkins
Version: 1.509.2+dfsg-1
Severity: wishlist
Tags: patch

Hi,
the attached becomes handy if one (like me) can't remember what to set
when running jenkins behind a reverse proxy.
Cheers,
 -- Guido


-- System Information:
Debian Release: jessie/sid
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'testing'), (50, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-4-686-pae (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
From 827d9a2106704f42b6e5fe0bb6635572361f7a26 Mon Sep 17 00:00:00 2001
Message-Id: 827d9a2106704f42b6e5fe0bb6635572361f7a26.1377008162.git@sigxcpu.org
From: Guido Günther a...@sigxcpu.org
Date: Tue, 20 Aug 2013 16:11:09 +0200
Subject: [PATCH] Add --prefix option to /etc/default/jenkins

This becomes handy if you want to run jenkins behind a reverse
proxy.
---
 debian/jenkins.default | 1 +
 1 file changed, 1 insertion(+)

diff --git a/debian/jenkins.default b/debian/jenkins.default
index 970..1ccefef 100644
--- a/debian/jenkins.default
+++ b/debian/jenkins.default
@@ -61,6 +61,7 @@ AJP_HOST=127.0.0.1
 # --argumentsRealm.passwd.$ADMIN_USER=[password]
 # --argumentsRealm.$ADMIN_USER=admin
 # --webroot=~/.jenkins/war
+# --prefix=/jenkins
 JENKINS_ARGS=--webroot=$JENKINS_RUN/war --httpPort=$HTTP_PORT --ajp13Port=$AJP_PORT
 JENKINS_ARGS=$JENKINS_ARGS --httpListenAddress=$HTTP_HOST --ajp13ListenAddress=$AJP_HOST
 JENKINS_ARGS=$JENKINS_ARGS --preferredClassLoader=java.net.URLClassLoader
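Review bot: the new commented line `# --prefix=/jenkins` gives the reader no hint of what the option does or when it is needed, while the commit message does say it is for running behind a reverse proxy; since the neighbouring lines are equally bare `# --option=value` examples, a short trailing remark such as `# --prefix=/jenkins   (context path when served behind a reverse proxy)` would make the purpose discoverable from the file itself rather than from the changelog.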
-- 
1.8.4.rc3


Bug#704845: Needs a versioned dependency on jenkins-common

2013-04-06 Thread Guido Günther
Package: jenkins
Version: 1.480.3+dfsg-1~exp1
Severity: critical

Hi,
after upgrading jenkins from the Wheezy version to the above version the GUI
didn't show the option to initiate the rekeying as described in
NEWS.Debian. I needed to also upgrade jenkins-common to have this shown
(which makes sense since this one contains the war).

Please make the dependency on jenkins-common a versioned one since
people will apt-get install jenkins not jenkins-common.

Cheers and thanks for maintaining jenkins in Debian,
 -- Guido


-- System Information:
Debian Release: 7.0
  APT prefers testing
  APT policy: (990, 'testing'), (50, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-4-686-pae (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash


Bug#660688: [jenkins] Please enable maven-plugin

2013-04-06 Thread Guido Günther
On Mon, Feb 20, 2012 at 09:38:37PM +0100, Jakub Adam wrote:
> Package: jenkins
> Version: 1.424.2+dfsg-2
> Severity: wishlist
> 
> --- Please enter the report below this line. ---
> 
> Please enable building and packaging of maven-plugin (and possibly other
> Jenkins plugins that are part of the core tarball). Jenkins Maven plugin
> is a dependency of another plugin that I'd like to package (Copy Artifact
> Plugin).

Any progress here? Lots of plugins are pretty useless without it.
Cheers,
 -- Guido

> 
> Thanks
> 
> Jakub
> 
> --- System information. ---
> Architecture: amd64
> Kernel:   Linux 3.2.0-1-amd64
> 
> Debian Release: wheezy/sid
>   500 unstable      ftp.cz.debian.org
>   500 unstable      emdebian.org
>   500 testing       www.debian-multimedia.org
>   500 testing       security.debian.org
>   500 testing       ftp.cz.debian.org
>     1 experimental  ftp.debian.org
> 
> --- Package information. ---
> Depends (Version)          | Installed
> ===========================+===============
> adduser                    | 3.113+nmu1
> default-jre-headless       | 1:1.6-46
>  OR java6-runtime-headless |
> jenkins-common             | 1.424.2+dfsg-2
> daemon                     | 0.6.4-1
> psmisc                     | 22.15-2
> 
> 
> Package's Recommends field is empty.
> 
> Package's Suggests field is empty.


Bug#704848: Restarting jenkins fails reliably

2013-04-06 Thread Guido Günther
Package: jenkins
Version: 1.480.3+dfsg-1~exp1
Severity: important

Hi,
restarting jenkins fails reliably with:

# /etc/init.d/jenkins restart
[] Restarting Jenkins Continuous Integration Server: jenkinsThe selected 
http port (8080) seems to be in use by another program 
Please select another port to use for jenkins
 failed!

Starting it again shortly afterwards works as expected. 
Cheers,
 -- Guido


-- System Information:
Debian Release: 7.0
  APT prefers testing
  APT policy: (990, 'testing'), (50, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-4-686-pae (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash


Bug#660688: [jenkins] Please enable maven-plugin

2013-04-06 Thread Guido Günther
On Mon, Jul 30, 2012 at 02:05:19PM +0200, Christoph Berg wrote:
> Re: James Page 2012-07-30 50167644.2040...@ubuntu.com
> > Please note that it is possible to use the maven-plugin as distributed
> > by upstream - so you should still be able to use this plugin.
> 
> I tried to, but I couldn't find it listed in the Available tab. I
> guess that's because they assume it is included in core.

I grabbed

http://pkg.jenkins-ci.org/debian/binary/jenkins_1.480_all.deb

and moved the maven-plugin.hpi and javadoc.hpi to
/var/lib/jenkins/plugins. Created directories there without the hpi and
unzipped the files into it. This seems to serve as a workaround.
Cheers,
 -- Guido

> 
> Christoph
> -- 
> c...@df7cb.de | http://www.df7cb.de/


Bug#660688: [jenkins] Please enable maven-plugin

2013-04-06 Thread Guido Günther
On Sat, Apr 06, 2013 at 09:29:52PM +0100, James Page wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
> 
> On 06/04/13 18:36, Guido Günther wrote:
> > Re: James Page 2012-07-30 50167644.2040...@ubuntu.com
> > Please note that it is possible to use the maven-plugin as
> > distributed by upstream - so you should still be able to
> > use this plugin.
> > 
> > I tried to, but I couldn't find it listed in the Available
> > tab. I guess that's because they assume it is included in
> > core.
> > I grabbed
> > 
> > http://pkg.jenkins-ci.org/debian/binary/jenkins_1.480_all.deb
> > 
> > and moved the maven-plugin.hpi and javadoc.hpi to
> > /var/lib/jenkins/plugins. Created directories there without the hpi
> > and unzipped the files into it. This seems to serve as a
> > workaround.
> 
> You should be able to install the maven plugin from the Jenkins Web UI
> - - I think its titled 'Maven 2 Plugin'.

Tried that but it doesn't seem to work for plugins already shipped with
upstream Jenkins. It didn't show up for me.
Cheers,
 -- Guido


Bug#697617: jenkins: remote code execution vulnerability

2013-01-30 Thread Guido Günther
Hi James,
On Thu, Jan 10, 2013 at 05:03:44PM +, James Page wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
> 
> On 10/01/13 15:46, Miguel Landaeta wrote:
> > We might want to consider whether updating unstable/testing to
> > 1.480.2 is actually the best way forward at this point in
> > time.
> > Hi James,
> > 
> > I don't know if it is feasible at this point in the release cycle
> > to have a new upstream release of jenkins in sid even if it fixes
> > some security issues.
> 
> Agreed; it's a last resort.
> 
> > I backported the fix for CVE-2013-0158 from stable branch and I
> > applied it to 1.447.2+dfsg-2. It applies cleanly but I'm getting a
> > FTBFS. I don't have time to review it right now but I'll go back to
> > it later.
> > 
> > I'm attaching the debdiff I got and the FTBFS log error.
> 
> I did much the same for the version in Ubuntu 12.04 (1.424.6); and hit
> similar issues. The key problem is the extent of the patch to fix this
> issue and the amount of code change in the TCP/Agent communication
> area between 1.480.2 and earlier versions we already have packaged.
> 
> I'm trying to get some advice from upstream on this - hopefully I'll
> hear back in the next ~24hrs

Any news on this one? Jenkins has become a candidate for removal due
to this one and I'd be sad to see a release without it.
Cheers,
 -- Guido


Bug#524966: not installable in unstable

2009-04-21 Thread Guido Günther
Package: maven-debian-helper
Severity: normal

Hi,
the package depends on libmaven-compiler-plugin-java which depends on
libmaven-plugin-tools-java which depends on libdoxia-sitetools-java.
However maven2 itself depends on libdoxia-java which conflicts with
libdoxia-sitetools-java. I guess the dependency of maven simply has to
be changed to libdoxia-sitetool-java?
Cheers,
 -- Guido


-- System Information:
Debian Release: squeeze/sid
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'testing'), (50, 'unstable'), (1, 'experimental')
Architecture: powerpc (ppc)

Kernel: Linux 2.6.28-rc8-00058-g921171e
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash



___
pkg-java-maintainers mailing list
pkg-java-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/pkg-java-maintainers