Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability

2018-04-11 Thread Sébastien Delafond
On Apr/10, Felix Natter wrote: > Yes and no. On jessie the patch did not cleanly apply, so I would have > had to apply that change manually. Since removing the import has no > effect on the semantics of the program (as long as it still compiles), > I was too lazy. It should be ok. Let's leave it t

Bug#888316: jackson-databind: CVE-2018-5968

2018-02-10 Thread Sébastien Delafond
On Jan/27, Markus Koschany wrote: > I have prepared security updates of jackson-databind for Stretch and > Jessie and would appreciate another look at the patches. > > The fix for CVE-2018-5968 is straightforward. The blacklist is simply > extended. > > However upstream decided to refactor the co

Bug#857343: #857343: logback deserialization vulnerability

2017-03-28 Thread Sébastien Delafond
On Mar/28, Markus Koschany wrote: > apparently logback < 1.2.0 is vulnerable to a deserialization issue. > They announced it on February 8th 2017 but it appears no CVE has been > assigned yet. [1] Fixing commit is at [2] The bug reporter claims it is > the same issue as CVE-2015-6420 but I cannot v

Bug#758086: CVE-2014-3577: Apache HttpComponents hostname verification bypass

2015-04-15 Thread Sébastien Delafond
On Apr/15, Markus Koschany wrote: > I have prepared a patch for CVE-2014-3577 (commons-httpclient). [1] The > patch is identical to the Jessie / Sid fix. Do you consider this > vulnerability important enough for a DSA or do you prefer a point > release update? Hi Markus, this issue was marked "no

Bug#780897: wheezy-security update for batik (CVE-2015-0250)

2015-03-26 Thread Sébastien Delafond
On Mar/25, tony mancill wrote: > I have prepared an update for batik [1] in wheezy to address > CVE-2015-0250. Attached is the debdiff. Please let me know if you > would like me to upload it. Hi Tony, I've reviewed your debdiff and it looks good. Please upload to security-master-unembargoed, an

Bug#734821: 734821

2014-10-10 Thread Sébastien Delafond
notfixed 734821 1.4.7-1 thanks This bug was actually never in Debian, since it was introduced in 1.4.5 and closed in 1.4.7. If anyone is interested in verifying this, the following code can be run against the JARs present at http://repo.maven.apache.org/maven2/com/thoughtworks/xstream/xstream/:

[jruby] Package based on latest upstream

2012-06-18 Thread Sébastien Delafond
Hi fellows, I've been packaging jruby 1.6.7.2, and would like to upload it quite soon, in hopes of beating the freeze and having a decently recent version of jruby in wheezy. I'm attaching to this email the diff between 1.5.6-3's debian/ directory, and mine, the main change being that I've had to

Re: planning (a) hsqldb transition(s)

2012-04-30 Thread Sébastien Delafond
On Apr/30, Rene Engelhard wrote: > Hi, > > On Fri, Apr 13, 2012 at 04:31:31PM +0200, Rene Engelhard wrote: > > > so I'd like to upload that to unstable (and adapt libreoffice) if it > > > happens. > > > > > > But this problem makes me ask > > > > > > Q1) does anyone of your programs using libhs

Re: JRuby packaging

2011-09-13 Thread Sébastien Delafond
Hi Alex, a while ago I transferred maintenance of jruby over to the Debian Java Maintainers, whom I cc'ed to this email. They'll probably be able to tell you more... Cheers, --Seb On Sep/12, Alex Young wrote: > Hi there, > > I'm emailing you because your name is on the Debian jruby-1.5.1 > pac

Re: [packaging] JRuby in Debian

2010-12-06 Thread Sébastien Delafond
Hi Thomas, jruby is now being packaged by the Debian Java Maintainers, whose main goal is to get jruby back into main again. I'm cc'ing the team to this email, as I'm sure they'll be interested in working closely with such a responsive upstream ;) Cheers, --Seb On Dec/02, Thomas E Enebo wrote: