Bug#880467: jasperreports: CVE-2017-14941, CVE-2017-5528, CVE-2017-5529

2017-12-13 Thread Moritz Mühlenhoff
Hi, I don't have much time to contribute to this discussion, but let me make a few remarks. It may be useful to realign expectations and to spend our resources more wisely. On Mon, Dec 11, 2017 at 12:11:20PM +0100, Emmanuel Bourg wrote: > On 10/12/2017 at 15:38, Markus Koschany wrote: > > >

Bug#880467: jasperreports: CVE-2017-14941, CVE-2017-5528, CVE-2017-5529

2017-12-09 Thread Moritz Mühlenhoff
On Sat, Dec 09, 2017 at 11:43:38PM +0100, Emmanuel Bourg wrote: > On 09/12/2017 at 23:29, Moritz Mühlenhoff wrote: > > > I'd say let's kick it out, then. We have a build dependency (and run time > > dependencies) on libspring-java, can we axe it out there? > > jaspe

Bug#880467: jasperreports: CVE-2017-14941, CVE-2017-5528, CVE-2017-5529

2017-12-09 Thread Moritz Mühlenhoff
On Wed, Nov 01, 2017 at 08:42:43PM +0100, Markus Koschany wrote: > Short update: > > One staff member told me that my options are to read the advisories, > which don't contain any detailed information or patches, or, if I have a > commercial license, to contact support. Great, let's buy a license

Bug#870860: openjfx: CVE-2017-10086 CVE-2017-10114

2017-10-02 Thread Moritz Mühlenhoff
On Mon, Oct 02, 2017 at 05:09:29PM +0200, Emmanuel Bourg wrote: > On 2/10/2017 at 15:08, Moritz Muehlenhoff wrote: > > > Java maintainers, shall we follow the procedures for openjdk and > > rebase to a new upstream release in stretch? > > Yes please, that's the only sustainable solution for

Bug#793492: Bug#814176: azureus: (Build-)Depends on OpenJDK 7

2017-08-08 Thread Moritz Mühlenhoff
On Wed, Mar 09, 2016 at 09:10:50PM +0100, Markus Koschany wrote: > On 09.03.2016 at 20:53, Stephen Nelson wrote: > > > > On Wed, Mar 9, 2016 at 4:03 PM Markus Koschany > > wrote: > > > > > > This issue is fixed in Git but Stephen Nelson wanted to

Bug#864405: CVE-2016-2666

2017-06-08 Thread Moritz Mühlenhoff
retitle 864405 undertow: CVE-2016-2666 CVE-2016-2670 thx Moritz Muehlenhoff wrote: > > There's no other reference than what Red Hat published here: > https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2666 Also: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2670 Cheers,

Bug#863811: CVE-2017-5637

2017-06-01 Thread Moritz Mühlenhoff
On Thu, Jun 01, 2017 at 08:17:21AM -0700, tony mancill wrote: > On Wed, May 31, 2017 at 02:45:18PM +0200, Moritz Muehlenhoff wrote: > > Source: zookeeper > > Severity: grave > > Tags: security > > > > Please see https://issues.apache.org/jira/browse/ZOOKEEPER-2693 > > > > Fix is referenced here:

Bug#854551: Bug#851304: tomcat8 use 100% cpu time

2017-02-12 Thread Moritz Mühlenhoff
On Sun, Feb 12, 2017 at 09:38:31PM +0100, Markus Koschany wrote: > Hi, > > a bug was reported against tomcat8 and tomcat7 in Jessie and it seems > the issue is related to our latest security updates. We would like to > address this regression as soon as possible because this one can be >

Bug#819259: Don't include in stretch

2016-03-25 Thread Moritz Mühlenhoff
On Fri, Mar 25, 2016 at 06:14:35PM +0100, Emmanuel Bourg wrote: > On 25/03/2016 18:07, Moritz Muehlenhoff wrote: > > > stretch should only provide one version of Tomcat. > > I agree, however like tomcat6 we'll keep the src:tomcat7 package to > build the Servlet API only (libservlet3.0-java).

Bug#792857: CVE-2014-3576

2015-07-29 Thread Moritz Mühlenhoff
On Wed, Jul 22, 2015 at 03:24:45PM +0200, Emmanuel Bourg wrote: The fix has been confirmed by an upstream developer: http://mail-archives.apache.org/mod_mbox/activemq-dev/201507.mbox/%3CCAKChZ-TruL3Sm3GW9B3Nr1L3fsxDH_X95rGhm85rfXh9_zVJfg%40mail.gmail.com%3E Could you prepare updated packages

Bug#788471: elasticsearch: CVE-2015-4165: unspecified arbitrary files modification vulnerability

2015-07-07 Thread Moritz Mühlenhoff
On Sun, Jun 21, 2015 at 02:56:36PM +0200, Hilko Bengen wrote: * Salvatore Bonaccorso: Did you have a chance to get more details on it? ,[ http://seclists.org/bugtraq/2015/Jun/53 ] | Elasticsearch versions 1.0.0 - 1.5.2 are vulnerable to an engineered | attack on other applications on

Re: tomcat6 DSA for wheezy

2015-05-03 Thread Moritz Mühlenhoff
On Mon, Apr 27, 2015 at 06:30:20PM +0200, Holger Levsen wrote: Hi, sorry, this somehow slipped through... On Saturday, 17 January 2015, Moritz Mühlenhoff wrote: On Tue, Dec 30, 2014 at 02:04:57PM +0100, Holger Levsen wrote: On Tuesday, 30 December 2014, Moritz Mühlenhoff wrote: Do

Bug#774050: CVE-2014-9390

2015-01-16 Thread Moritz Mühlenhoff
On Tue, Dec 30, 2014 at 08:13:08AM -0800, tony mancill wrote: On 12/30/2014 05:18 AM, Emmanuel Bourg wrote: Here are the relevant commits to backport: Always ignore case when forbidding .git in ObjectChecker https://github.com/eclipse/jgit/commit/07612a6 Disallow .git. and .gitspace
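The JGit commits referenced in the message above harden the ObjectChecker so that a tree entry cannot be written as the working copy's ".git" directory through a case-folding or name-normalizing filesystem (CVE-2014-9390: mixed case on case-insensitive filesystems, trailing dots or spaces, the "git~1" 8.3 short name, and HFS+ ignorable Unicode code points). The following is an added illustration of that check written for this page; it is not JGit's code nor a Debian patch. The function names, the sample tree entries and the decision to reject any "git~N" short name are assumptions made here.

```python
"""Reject tree entry names that a case-insensitive or name-normalizing
filesystem (NTFS, HFS+) would map onto the reserved ".git" directory.

Added example for this page; not JGit's ObjectChecker and not a Debian patch."""

# Code points that HFS+ ignores when comparing file names, so ".g\u200cit" and
# ".git" land on the same directory. This is the set cited in the git 2.2.1 /
# CVE-2014-9390 fixes; it is reproduced here as an assumption, not quoted from JGit.
HFS_IGNORABLE = {
    0x200C, 0x200D, 0x200E, 0x200F,
    0x202A, 0x202B, 0x202C, 0x202D, 0x202E,
    0x206A, 0x206B, 0x206C, 0x206D, 0x206E, 0x206F,
    0xFEFF,
}


def normalize_name(name: str) -> str:
    """Fold a tree entry name the way a hostile filesystem would."""
    # HFS+: drop ignorable code points first, so ".git.\u200c" still collapses.
    folded = "".join(ch for ch in name if ord(ch) not in HFS_IGNORABLE)
    # NTFS: trailing dots and spaces are silently removed on create/open.
    folded = folded.rstrip(". ")
    # Case-insensitive filesystems: compare case-folded.
    return folded.lower()


def is_git_short_name(name: str) -> bool:
    """True for Windows 8.3 short names such as "GIT~1" that alias ".git".

    Rejecting every "git~<digits>" is deliberately conservative (assumption)."""
    folded = normalize_name(name)
    if not folded.startswith("git~"):
        return False
    tail = folded[4:]
    return tail.isdigit()


def is_forbidden_dotgit(name: str) -> bool:
    """True when the entry could be created as the repository's .git directory."""
    return normalize_name(name) == ".git" or is_git_short_name(name)


def check_tree_entries(entries):
    """Return the entries an ObjectChecker-style validator must reject."""
    return [entry for entry in entries if is_forbidden_dotgit(entry)]


# Constructed sample tree listing (not taken from any real repository).
SAMPLE_TREE = [
    ".git",            # plain name: always rejected
    ".GIT",            # case-insensitive filesystem
    ".Git",
    ".git.",           # NTFS strips trailing dot
    ".git ",           # NTFS strips trailing space
    ".g\u200cit",      # HFS+ ignores U+200C
    "GIT~1",           # 8.3 short name for .git
    ".gitignore",      # legitimate
    "git",             # legitimate
    "src",             # legitimate
]

if __name__ == "__main__":
    for rejected in check_tree_entries(SAMPLE_TREE):
        print("reject:", ascii(rejected))
```

The ordering inside normalize_name matters: ignorable code points are removed before trailing dots and spaces are stripped, otherwise an entry such as ".git.\u200c" would slip past the trailing-dot rule. A real checker applies this to every path component, not only to top-level entries.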

Bug#758086: CVE-2012-6153: Apache HttpComponents client: Hostname verification susceptible to MITM attack

2014-12-29 Thread Moritz Mühlenhoff
On Mon, Sep 22, 2014 at 03:56:00PM +0200, Raphael Hertzog wrote: Hi, On Mon, 18 Aug 2014, Salvatore Bonaccorso wrote: On Thu, Aug 14, 2014 at 11:43:32PM +0200, Emmanuel Bourg wrote: Is there an example available somewhere of a subject improperly parsed by commons-httpclient/3.1-10.2?
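CVE-2012-6153 is about a hostname verifier that extracts the common name from the flattened subject string of the server certificate and therefore accepts a certificate whose CN-looking text sits in a different attribute (O, OU, ...), which is exactly the kind of "improperly parsed subject" asked for above. The following is an added illustration written for this page, not commons-httpclient's code and not the Debian patch: it contrasts a naive comma-split CN extractor with an RDN-aware parser that honours RFC 2253 escapes and quoted values. The function names and the two constructed subject strings are assumptions made here.

```python
"""Naive vs. RDN-aware extraction of CN from an X.509 subject string.

Added example for this page; it is not commons-httpclient code."""
from typing import List, Tuple


def naive_cn_values(dn: str) -> List[str]:
    """Flawed extractor: split the subject on commas and take any piece that
    starts with "CN=". An escaped or quoted comma inside another attribute's
    value yields a fake CN (the CVE-2012-6153 class of bug)."""
    values = []
    for part in dn.split(","):
        part = part.strip()
        if part.upper().startswith("CN="):
            values.append(part[3:].strip().strip('"'))
    return values


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN string into (type, value) pairs, honouring backslash escapes
    and double-quoted values, so a comma inside a value never starts a new RDN."""
    rdns: List[Tuple[str, str]] = []
    buf: List[str] = []
    key = None
    in_quotes = False
    i, n = 0, len(dn)
    while i < n:
        ch = dn[i]
        if ch == "\\" and i + 1 < n:          # escaped character: take literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == '"':                         # quoted value delimiter
            in_quotes = not in_quotes
            i += 1
            continue
        if not in_quotes and key is None and ch == "=":
            key = "".join(buf).strip()        # attribute type ends here
            buf = []
            i += 1
            continue
        if not in_quotes and ch in ",;+":     # RDN separator (outside quotes only)
            if key is None:
                raise ValueError("RDN without attribute type")
            rdns.append((key, "".join(buf).strip()))
            key, buf = None, []
            i += 1
            continue
        buf.append(ch)
        i += 1
    if in_quotes:
        raise ValueError("unterminated quoted value")
    if key is not None:
        rdns.append((key, "".join(buf).strip()))
    elif "".join(buf).strip():
        raise ValueError("trailing text without attribute type")
    return rdns


def strict_cn_values(dn: str) -> List[str]:
    """Only genuine CN attributes count."""
    return [value for attr, value in parse_dn(dn) if attr.upper() == "CN"]


def hostname_matches(cn: str, host: str) -> bool:
    """Exact match, or a single-label wildcard ("*.example.org")."""
    cn, host = cn.lower(), host.lower()
    if cn.startswith("*."):
        return host.count(".") == cn.count(".") and host.endswith(cn[1:])
    return cn == host


def verify_naive(dn: str, host: str) -> bool:
    return any(hostname_matches(cn, host) for cn in naive_cn_values(dn))


def verify_strict(dn: str, host: str) -> bool:
    return any(hostname_matches(cn, host) for cn in strict_cn_values(dn))


# Constructed attacker subjects (assumptions, not real certificates): the real
# CN is attacker.example, and "CN=www.apache.org" is smuggled into O.
ESCAPED_DN = "CN=attacker.example,O=Evil\\, CN=www.apache.org,C=US"
QUOTED_DN = 'CN=attacker.example,O="Evil, CN=www.apache.org",C=US'
HONEST_DN = "CN=www.apache.org,O=Apache Software Foundation,C=US"

if __name__ == "__main__":
    for dn in (ESCAPED_DN, QUOTED_DN, HONEST_DN):
        print(dn)
        print("  naive :", verify_naive(dn, "www.apache.org"))
        print("  strict:", verify_strict(dn, "www.apache.org"))
```

Even the strict variant only shows the parsing half of the fix: a modern verifier checks subjectAltName dNSName entries first and reads the CN from the decoded X.500 name structure rather than from any string rendering of it.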

Re: tomcat6 DSA for wheezy

2014-12-29 Thread Moritz Mühlenhoff
On Mon, Dec 15, 2014 at 04:23:30PM +0100, Holger Levsen wrote: Hi, This update itself fixes no security issues but is needed for libtcnative-1 users as version 1.1.20 from Squeeze does not work with tomcat6 6.0.41 from Squeeze LTS. Do we also need to update tomcat-native in wheezy or is

Bug#758516: Struts 1.2 should not be shipped with jessie

2014-10-12 Thread Moritz Mühlenhoff
On Wed, Sep 17, 2014 at 01:50:36PM +0200, Emmanuel Bourg wrote: On 17/09/2014 12:57, Moritz Muehlenhoff wrote: That's not how we handle it in Debian: If a library is shipped in Debian, it is fully supported to be used by local libs. Anything in /usr/local or installed through Maven is

Bug#758516: Struts 1.2 should not be shipped with jessie

2014-09-15 Thread Moritz Mühlenhoff
On Fri, Sep 12, 2014 at 11:34:31PM +0200, Emmanuel Bourg wrote: Looking at the reverse dependencies of libstruts1.2-java, it seems it isn't much used. There are: - src:libspring-java, it builds libspring-web-struts-java which isn't used. - src:easyconf, it builds libeasyconf-java with a

Bug#686867: jruby: CVE-2011-4838

2012-09-18 Thread Moritz Mühlenhoff
tags 686867 patch thanks On Thu, Sep 06, 2012 at 10:03:58PM +0200, Moritz Muehlenhoff wrote: Package: jruby Severity: grave Tags: security Justification: user security hole Hi, jruby in Wheezy is still affected by http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4838

Bug#677814: Bug#670901: Spring: Multiple security issues

2012-06-21 Thread Moritz Mühlenhoff
to fix CVE-2011-2730. You can find it on http://people.debian.org/~drazzib/security/ Could you please review it ? Please direct this to t...@security.debian.org Thanks! Cheers, Moritz -- Moritz Mühlenhoff muehlenh...@univention.de Open Source Software Engineer

Bug#611130: CVE-2010-2087

2012-05-13 Thread Moritz Mühlenhoff
On Sun, May 13, 2012 at 05:52:05PM +0100, Steve McIntyre wrote: On Sun, Oct 02, 2011 at 05:53:48PM -0430, Miguel Landaeta wrote: #tag 611130 + idontgiveadamn tag 611130 + moreinfo kthxbye Upstream doesn't answer any request about this bug. I sent emails, I posted in their discussion

Bug#667000: Rebuilding objenesis from source makes mockito FTBFS

2012-04-03 Thread Moritz Mühlenhoff
.jar /usr/share/java/objenesis.jar Attached patch fixes this, I'd appreciate some review from someone with more Java packaging foo, though. Cheers, Moritz -- Moritz Mühlenhoff muehlenh...@univention.de Open Source Software Engineer Univention GmbH Linux for Your

Bug#662789: sisu-ioc: Fix FTBFS and ensure jar's installed to /usr/share/java

2012-03-07 Thread Moritz Mühlenhoff
exit status 2 -- Moritz Mühlenhoff muehlenh...@univention.de Open Source Software Engineer and Consultant Univention GmbH Linux for Your Business fon: +49 421 22 232- 0 Mary-Somerville-Str.1 28359 Bremen fax: +49 421 22 232-99 http://www.univention.de

Bug#657870: Multiple issues in Struts

2012-02-21 Thread Moritz Mühlenhoff
On Tue, Feb 21, 2012 at 12:53:47AM +0100, Damien Raude-Morvan wrote: Hi Moritz, On Thursday 16 February 2012 19:42:09, Damien Raude-Morvan wrote: On 09/02/2012 21:16, Moritz Mühlenhoff wrote: There's a new issue, which affects 1.x: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012

Bug#657870: Multiple issues in Struts

2012-02-09 Thread Moritz Mühlenhoff
On Wed, Feb 01, 2012 at 10:46:51PM -0800, tony mancill wrote: On 01/29/2012 06:05 AM, Moritz Muehlenhoff wrote: Package: libstruts1.2-java Severity: grave Tags: security Hi, several vulnerabilities have been reported against Struts:

Re: Tomcat for Squeeze

2012-01-06 Thread Moritz Mühlenhoff
On Thu, Jan 05, 2012 at 02:53:41PM -0430, Miguel Landaeta wrote: On Thu, Jan 5, 2012 at 1:43 PM, Moritz Muehlenhoff j...@inutil.org wrote: currently there's Tomcat 6 and Tomcat 7 in Wheezy. Will 6 be dropped before the Wheezy release? It would be good to only have one version in Wheezy. I

Bug#645881: critical update 29 available

2011-12-08 Thread Moritz Mühlenhoff
On Thu, Dec 01, 2011 at 09:47:53PM +0100, Florian Weimer wrote: * Moritz Mühlenhoff: Florian, what's the status of openjdk6 for stable/oldstable? I've released the pending update for squeeze. lenny will eventually follow, and so will the pending updates for squeeze, but judging by my

Bug#645881: critical update 29 available

2011-11-22 Thread Moritz Mühlenhoff
On Fri, Oct 21, 2011 at 11:07:30AM +0200, Florian Weimer wrote: * Moritz Muehlenhoff: As for stable/oldstable: I noticed that Red Hat provided packages for update 29 for RHEL 4 (RHEL 5 onwards use OpenJDK): http://lwn.net/Articles/463919/ If anyone remembers the rationale behind the

Bug#611130: CVE-2010-2087

2011-07-25 Thread Moritz Mühlenhoff
On Thu, Jan 27, 2011 at 09:53:10AM -0430, Miguel Landaeta wrote: On Tue, Jan 25, 2011 at 09:43:36PM +0100, Moritz Muehlenhoff wrote: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2087 Please get in touch with upstream, whether this has been addressed. I just notified upstream to

Bug#611138: CVE-2010-4438

2011-01-26 Thread Moritz Mühlenhoff
On Wed, Jan 26, 2011 at 07:46:32PM +0100, Damien Raude-Morvan wrote: Hi, On Tuesday 25 January 2011 23:02:18, Moritz Muehlenhoff wrote: See http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4438 Please get in touch with Oracle to check what unspecified vulnerability they