Bug#696816: jenkins: Security issues were found in Jenkins core

2012-12-28 Thread Salvatore Bonaccorso
Hi On Fri, Dec 28, 2012 at 01:17:46AM +0900, Nobuhiro Ban wrote: Package: jenkins Version: 1.447.2+dfsg-2 Severity: grave Tags: security Dear Maintainer, The upstream vendor announced a security advisory, that is rated high severity. See:

Bug#697617: jenkins: remote code execution vulnerability

2013-01-07 Thread Salvatore Bonaccorso
Control: retitle -1 jenkins: CVE-2013-0158: remote code execution vulnerability Hi On Tue, Jan 08, 2013 at 02:06:39AM +0900, Nobuhiro Ban wrote: Package: jenkins Version: 1.447.2+dfsg-2 Severity: grave Tags: security Dear Maintainer, The upstream vendor announced a security advisory,

Bug#700761: jenkins: multiple security vulnerabilities

2013-02-20 Thread Salvatore Bonaccorso
Hi The following CVE's where assigned now to it[1]. Could you please include the CVE identifiers when fixing the package. [1]: http://marc.info/?l=oss-securitym=136142857313675w=2 CVE-2013-0327 CVE-2013-0328 CVE-2013-0329 CVE-2013-0330 CVE-2013-0331

Bug#697617: jenkins: remote code execution vulnerability

2013-03-01 Thread Salvatore Bonaccorso
Hi On Tue, Jan 08, 2013 at 02:06:39AM +0900, Nobuhiro Ban wrote: Package: jenkins Version: 1.447.2+dfsg-2 Severity: grave Tags: security Dear Maintainer, The upstream vendor announced a security advisory, that is rated critical severity. See:

Bug#720375: libxml-security-java: CVE-2013-2172

2013-08-21 Thread Salvatore Bonaccorso
Package: libxml-security-java Severity: grave Tags: security patch upstream fixed-upstream Hi, the following vulnerability was published for libxml-security-java. CVE-2013-2172[0]: Java XML Signature spoofing attack If you fix the vulnerability please also make sure to include the CVE (Common

Problems when building binary package of libcommons-fileupload-java under wheezy

2013-12-21 Thread Salvatore Bonaccorso
to Marc Deslauriers marc.deslauri...@ubuntu.com (Closes: #726601) + + -- Salvatore Bonaccorso car...@debian.org Sat, 21 Dec 2013 11:12:53 +0100 + libcommons-fileupload-java (1.2.2-1) unstable; urgency=low * New upstream release. diff -Nru libcommons-fileupload-java-1.2.2/debian/patches/CVE-2013

Re: Problems when building binary package of libcommons-fileupload-java under wheezy

2013-12-21 Thread Salvatore Bonaccorso
Hi Emmanuel, On Sat, Dec 21, 2013 at 05:58:33PM +0100, Emmanuel Bourg wrote: Le 21/12/2013 16:02, Salvatore Bonaccorso a écrit : Any idea what is happening? Hi Salvatore, I can't check in detail now, but the --java-lib flag is probably missing from the debian/libcommons-fileupload

Re: Problems when building binary package of libcommons-fileupload-java under wheezy

2013-12-22 Thread Salvatore Bonaccorso
Hi Emmanuel, hi Debian Java Maintainers, On Sat, Dec 21, 2013 at 09:30:49PM +0100, Emmanuel Bourg wrote: Le 21/12/2013 19:24, Salvatore Bonaccorso a écrit : Thanks, this indeed seems to make it better. I have uploade the resulting preliminary packages to [1]. If you have time in the coming

Bug#734821: libxstream-java: CVE-2013-7285: remote code execution via deserialization in XStream

2014-01-09 Thread Salvatore Bonaccorso
Package: libxstream-java Severity: grave Tags: security upstream Hi, the following vulnerability was published for libxstream-java. CVE-2013-7285[0]: remote code execution via deserialization in XStream See also [1] for the original report. [3] contains an initial patch which was commited. If

Bug#739067: jenkins: multiple security vulnerabilities

2014-02-20 Thread Salvatore Bonaccorso
Hi, On Sun, Feb 16, 2014 at 01:45:49AM +0900, Nobuhiro Ban wrote: Package: jenkins Version: 1.509.2+dfsg-2 Severity: grave Tags: security Dear Maintainer, The upstream vendor announced a security advisory. In this advisory, some vulnerabilities are rated high severity.

Bug#742577: libxalan2-java: CVE-2014-0107: Xalan-Java insufficient secure processing

2014-03-24 Thread Salvatore Bonaccorso
Source: libxalan2-java Severity: grave Tags: security upstream fixed-upstream Hi, the following vulnerability was published for libxalan2-java, could you please verify. CVE-2014-0107[0]: Xalan-Java insufficient secure processing If you fix the vulnerability please also make sure to include the

Bug#758086: CVE-2012-6153: Apache HttpComponents client: Hostname verification susceptible to MITM attack

2014-08-18 Thread Salvatore Bonaccorso
Hi Emanuel, On Thu, Aug 14, 2014 at 11:43:32PM +0200, Emmanuel Bourg wrote: Hi Henri, Thank you for the report. Is there an example available somewhere of a subject improperly parsed by commons-httpclient/3.1-10.2? This would help backporting the fix to this version. I think this is

Bug#759736: elasticsearch: CVE-2014-3120

2014-08-29 Thread Salvatore Bonaccorso
Source: elasticsearch Severity: grave Tags: security upstream fixed-upstream Hi Hilko, I see elasticsearch entered unstable now. Some time ago the following vulnerability was published for elasticsearch. CVE-2014-3120[0]: | The default configuration in Elasticsearch before 1.2 enables dynamic |

Bug#753470: libspring-java: CVE-2014-0225

2014-09-06 Thread Salvatore Bonaccorso
Hi Tony, On Sat, Sep 06, 2014 at 08:50:24AM -0700, tony mancill wrote: On Wed, 02 Jul 2014 10:36:55 +0200 Moritz Muehlenhoff j...@inutil.org wrote: Package: libspring-java Severity: grave Tags: security Justification: user security hole Hi, please see

Bug#767541: jenkins: CVE-2014-3665

2014-10-31 Thread Salvatore Bonaccorso
Source: jenkins Severity: important Tags: security upstream Hi, See [1] and [2] for details on CVE-2014-3665. [1] https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-10-30 [2] https://wiki.jenkins-ci.org/display/JENKINS/Slave+To+Master+Access+Control Regards,

Bug#770544: resteasy: CVE-2014-7839: External entities expanded by DocumentProvider

2014-11-22 Thread Salvatore Bonaccorso
Source: resteasy Version: 3.0.6-1 Severity: grave Tags: security upstream Hi, the following vulnerability was published for resteasy. I have choosen severity grave due to what is described in Red Hat's bugzilla about the issue, but I don't know jboss/resteasy/... well enough, so feel free to

Bug#777079: jython: CVE-2013-2027

2015-02-04 Thread Salvatore Bonaccorso
Source: jython Version: 2.5.2-1 Severity: important Tags: security upstream Hi Several issues were mentioned in Red Hat Bugzilla at [0] referencing the issue which creates executables class files with wrong permissions with CVE-2013-2027. At least it seems present in the Debian package that the

Bug#780897: batik: CVE-2015-0250

2015-03-22 Thread Salvatore Bonaccorso
Hi Tony, On Sat, Mar 21, 2015 at 04:31:38PM -0700, tony mancill wrote: On 03/21/2015 12:07 AM, Salvatore Bonaccorso wrote: Source: batik Version: 1.7-1 Severity: important Tags: security upstream Hi, the following vulnerability was published for batik. CVE-2015-0250[0

Bug#780897: batik: CVE-2015-0250

2015-03-21 Thread Salvatore Bonaccorso
Source: batik Version: 1.7-1 Severity: important Tags: security upstream Hi, the following vulnerability was published for batik. CVE-2015-0250[0]: information disclosure If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities Exposures) id in your

Bug#780383: libopensaml2-java: CVE-2015-1796

2015-03-13 Thread Salvatore Bonaccorso
Source: libopensaml2-java Version: 2.6.2-1 Severity: grave Tags: security upstream fixed-upstream Hi, the following vulnerability was published for libopensaml2-java. Note that I don't know libopensaml2-java well enough, so could you assess if this affeccts Debian as well, and if the severity is

Bug#780383: libopensaml2-java: CVE-2015-1796

2015-03-13 Thread Salvatore Bonaccorso
Hi Emmanuel, Thanks for the quick feedback. On Fri, Mar 13, 2015 at 10:42:41AM +0100, Emmanuel Bourg wrote: Hi Salvatore, Thank you for the report. Looking at the commit r1680 mentioned on the security tracker I fail to see how it addresses the vulnerability described. I suspect this is

Bug#788471: elasticsearch: CVE-2015-4165: unspecified arbitrary files modification vulnerability

2015-06-20 Thread Salvatore Bonaccorso
Hi Hilko On Fri, Jun 12, 2015 at 01:45:15PM +0200, Salvatore Bonaccorso wrote: Hi Hilko, On Fri, Jun 12, 2015 at 01:30:28PM +0200, Hilko Bengen wrote: Control: tags -1 moreinfo * Salvatore Bonaccorso: Source: elasticsearch Version: 1.0.3+dfsg-5 Severity: grave Tags

Bug#788471: elasticsearch: CVE-2015-4165: unspecified arbitrary files modification vulnerability

2015-06-11 Thread Salvatore Bonaccorso
Source: elasticsearch Version: 1.0.3+dfsg-5 Severity: grave Tags: security upstream fixed-upstream Hi, the following vulnerability was published for elasticsearch. Unfortunately the available information is a bit sparse, thus filling with initial severity grave. CVE-2015-4165[0]: unspecified

Bug#788471: elasticsearch: CVE-2015-4165: unspecified arbitrary files modification vulnerability

2015-06-12 Thread Salvatore Bonaccorso
Hi Hilko, On Fri, Jun 12, 2015 at 01:30:28PM +0200, Hilko Bengen wrote: Control: tags -1 moreinfo * Salvatore Bonaccorso: Source: elasticsearch Version: 1.0.3+dfsg-5 Severity: grave Tags: security upstream fixed-upstream Where exactly has it been fixed upstream? A git coommit id

Bug#792857: CVE-2014-3576

2015-08-14 Thread Salvatore Bonaccorso
Hi Emmanual, On Wed, Jul 22, 2015 at 03:24:45PM +0200, Emmanuel Bourg wrote: The fix has been confirmed by an upstream developer: http://mail-archives.apache.org/mod_mbox/activemq-dev/201507.mbox/%3CCAKChZ-TruL3Sm3GW9B3Nr1L3fsxDH_X95rGhm85rfXh9_zVJfg%40mail.gmail.com%3E Any news on an update

Bug#792857: CVE-2014-3576

2015-08-14 Thread Salvatore Bonaccorso
Hi Emmanuel, On Fri, Aug 14, 2015 at 11:50:18AM +0200, Emmanuel Bourg wrote: Le 14/08/2015 11:42, Salvatore Bonaccorso a écrit : Any news on an update for sid-stretch as well? I can't do it before the end of the month. I'll combine the fix with an update to the version 2.7. I see. I

Bug#792617: elasticsearch: CVE-2015-5377 CVE-2015-5531

2015-07-16 Thread Salvatore Bonaccorso
Source: elasticsearch Version: 1.0.3+dfsg-5 Severity: grave Tags: security upstream fixed-upstream Justification: user security hole Hi, the following vulnerabilities were published for elasticsearch. Reporting them right now as severity grave since some details are missed so feel free to

Bug#791957: apache-directory-api: CVE-2015-3250

2015-07-09 Thread Salvatore Bonaccorso
Source: apache-directory-api Version: 1.0.0~M20-1 Severity: important Tags: security upstream fixed-upstream Hi Emmanuel, the following vulnerability was published for apache-directory-api, filling a bug in the BTS to have it documented. AFAICS no much information but it is fixed in new upstream

Bug#797275: jsoup: CVE-2015-6748: XSS vulnerability in jsoup related to incomplete tags at EOF

2015-08-28 Thread Salvatore Bonaccorso
Source: jsoup Version: 1.6.2-1 Severity: important Tags: security upstream patch fixed-upstream Hi, the following vulnerability was published for jsoup. CVE-2015-6748[0]: XSS vulnerability in jsoup related to incomplete tags at EOF If you fix the vulnerability please also make sure to include

Bug#809733: activemq: CVE-2015-5254: unsafe deserialization

2016-01-03 Thread Salvatore Bonaccorso
Source: activemq Version: 5.6.0+dfsg-1 Severity: grave Tags: security upstream fixed-upstream Hi, the following vulnerability was published for activemq. I'm not very familiar with activemq itself, so I'm reporting this with initial severity grave, but let me know if you disagree.

Bug#827620: netty: CVE-2016-4970: Infinite loop vulnerability when handling renegotiation using SslProvider.OpenSsl

2016-06-18 Thread Salvatore Bonaccorso
Source: netty Version: 1:4.0.36-2 Severity: important Tags: security upstream Hi, the following vulnerability was published for netty. Can you please double-check this issue. According the upstream all versions 4.0.0.Final - 4.0.36.Final and 4.1.0.Final would be affected, and fixed in

Bug#819455: libxstream-java: CVE-2016-3674: XXE vulnerability

2016-03-28 Thread Salvatore Bonaccorso
Source: libxstream-java Version: 1.4.2-1 Severity: important Tags: security upstream fixed-upstream Forwarded: https://github.com/x-stream/xstream/issues/25 Hi, the following vulnerability was published for libxstream-java. CVE-2016-3674[0]: XXE vulnerability If you fix the vulnerability

Bug#827620: netty: CVE-2016-4970: Infinite loop vulnerability when handling renegotiation using SslProvider.OpenSsl

2016-06-20 Thread Salvatore Bonaccorso
Hi Emmanuel, On Mon, Jun 20, 2016 at 10:07:04AM +0200, Emmanuel Bourg wrote: > Le 19/06/2016 à 00:18, tony mancill a écrit : > > > I haven't seen any information as to whether this vulnerability also > > affects the version in stable, 3.2.6. > > I don't think Jessie is affected, the vulnerable

Bug#852029: netbeans: CVE-2016-5537: Import directory traversal

2017-01-22 Thread Salvatore Bonaccorso
Hi Markus, Thanks for looking into the issue. On Sun, Jan 22, 2017 at 09:28:31PM +0100, Markus Koschany wrote: > On Fri, 20 Jan 2017 21:34:16 +0100 Salvatore Bonaccorso > <car...@debian.org> wrote: > > Source: netbeans > > Version: 8.1+dfsg3-1 > > Severity: importa

Bug#852029: netbeans: CVE-2016-5537: Import directory traversal

2017-01-30 Thread Salvatore Bonaccorso
Hi Markus, On Tue, Jan 24, 2017 at 01:10:00AM +0100, Markus Koschany wrote: > On 23.01.2017 07:23, Salvatore Bonaccorso wrote: > > Hi Markus, > > > > Thanks for looking into the issue. > [...] > > I agree, upstream has not really provided any usefull information, an

Bug#853134: svgsalamander: CVE-2017-5617

2017-01-29 Thread Salvatore Bonaccorso
Source: svgsalamander Version: 1.1.1+dfsg-1 Severity: important Tags: upstream security Forwarded: https://github.com/blackears/svgSalamander/issues/11 Hi, the following vulnerability was published for svgsalamander. CVE-2017-5617[0]: SSRF issue If you fix the vulnerability please also make

Bug#852029: netbeans: CVE-2016-5537: Import directory traversal

2017-01-20 Thread Salvatore Bonaccorso
Source: netbeans Version: 8.1+dfsg3-1 Severity: important Tags: security upstream fixed-upstream Control: fixed -1 8.2+dfsg1-1 Hi, the following vulnerability was published for netbeans. CVE-2016-5537[0]: | Unspecified vulnerability in the NetBeans component in Oracle Fusion | Middleware 8.1

Bug#854551: Status of regression fix?

2017-02-22 Thread Salvatore Bonaccorso
Hi On Wed, Feb 22, 2017 at 12:24:05PM +0100, Nicolas Delvaux wrote: > Hi, > > Do you know when the regression fixes will be available in the security > repository? > > I understand the debdiffs were uploaded to security-master 2 days ago, > but I did not find where we can track the progress.

Bug#851304: Bug#854551: Bug#851304: tomcat8 use 100% cpu time

2017-02-20 Thread Salvatore Bonaccorso
Hi Markus, On Sat, Feb 18, 2017 at 07:53:33PM +0100, Markus Koschany wrote: > On 18.02.2017 13:21, Salvatore Bonaccorso wrote: > [...] > > No problem. Thanks for noticing, can you let us know as usual when you > > have a debdiff ready for the regression update? >

Bug#854551: Bug#851304: tomcat8 use 100% cpu time

2017-02-17 Thread Salvatore Bonaccorso
Hi Markus, hi Emmanuel, On Mon, Feb 13, 2017 at 10:48:20AM +0100, Markus Koschany wrote: > On 13.02.2017 08:34, Moritz Mühlenhoff wrote: > > On Sun, Feb 12, 2017 at 09:38:31PM +0100, Markus Koschany wrote: > >> Hi, > >> > >> a bug was reported against tomcat8 and tomcat7 in Jessie and it seems >

Bug#851304: tomcat8 use 100% cpu time

2017-02-18 Thread Salvatore Bonaccorso
Hi Markus, On Fri, Feb 17, 2017 at 10:19:18PM +0100, Markus Koschany wrote: > On 17.02.2017 22:09, Salvatore Bonaccorso wrote: > > Hi Markus, hi Emmanuel, > > > > On Mon, Feb 13, 2017 at 10:48:20AM +0100, Markus Koschany wrote: > >> On 13.02.2017 08:34, Moritz Mühle

Bug#840000: libapache-mod-jk: CVE-2016-6808

2016-10-07 Thread Salvatore Bonaccorso
Hi Markus, On Fri, Oct 07, 2016 at 03:21:54PM +0200, Markus Koschany wrote: > On 07.10.2016 14:15, Salvatore Bonaccorso wrote: > [...] > > > > Now whilst the affected code is back present in 1.2.0, I need some > > help understanding the actual impact for us. Accord

Bug#840000: libapache-mod-jk: CVE-2016-6808

2016-10-07 Thread Salvatore Bonaccorso
On Fri, Oct 07, 2016 at 02:15:32PM +0200, Salvatore Bonaccorso wrote: > Can you clarify if this is correct? If so we would mark the CVE as > (unimportant) and thus as well not release a DSA, and a 1:1.2.42 > upload to unstable can then mark the CVE as fixed. ... or actually (Windows

Bug#840000: libapache-mod-jk: CVE-2016-6808

2016-10-07 Thread Salvatore Bonaccorso
Source: libapache-mod-jk Version: 1:1.2.41-1 Severity: important Tags: security upstream patch Hi, the following vulnerability was published for libapache-mod-jk. CVE-2016-6808[0]: buffer overflow If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities &

Bug#840000: libapache-mod-jk: CVE-2016-6808

2016-10-07 Thread Salvatore Bonaccorso
Control: found -1 1:1.2.37-4 Hi On Fri, Oct 07, 2016 at 01:26:00PM +0200, Salvatore Bonaccorso wrote: > Source: libapache-mod-jk > Version: 1:1.2.41-1 > Severity: important > Tags: security upstream patch > > Hi, > > the following vulnerability was published for libapac

Bug#838204: jackrabbit: CVE-2016-6801: CSRF in Jackrabbit-Webdav using empty content-type

2016-09-18 Thread Salvatore Bonaccorso
Source: jackrabbit Version: 2.3.6-1 Severity: important Tags: security upstream fixed-upstream Hi, the following vulnerability was published for jackrabbit. CVE-2016-6801[0]: CSRF in Jackrabbit-Webdav using empty content-type For the 2.12.x this has been fixed upstream in 2.12.3, cf. [1], and

Bug#838600: undertow: CVE-2016-7046: Long URL proxy request lead to java.nio.BufferOverflowException and DoS

2016-09-22 Thread Salvatore Bonaccorso
Source: undertow Version: 1.4.1-1 Severity: important Tags: security upstream Hi, the following vulnerability was published for undertow. CVE-2016-7046[0]: Long URL proxy request lead to java.nio.BufferOverflowException and DoS If you fix the vulnerability please also make sure to include the

Bug#840685: TOCTOU race condition in initscript on chown'ing JVM_TMP temporary directory (was: Re: Bug#840685: tomcat8: DSA-3670 incomplete)

2016-10-14 Thread Salvatore Bonaccorso
Control: severity -1 normal Control: found -1 8.0.14-1 Hi Paul, On Sat, Oct 15, 2016 at 07:25:59AM +1100, paul.sz...@sydney.edu.au wrote: > Dear Salvatore, > > > You are operating here outside of /tmp (sticky world-writable > > directory) which the above issue for the init scripts relies on, >

Bug#840685: tomcat8: DSA-3670 incomplete

2016-10-14 Thread Salvatore Bonaccorso
Hi Paul, hi Markus, On Fri, Oct 14, 2016 at 08:42:11AM +1100, paul.sz...@sydney.edu.au wrote: > Dear Markus, > > >> [ I contacted t...@security.debian.org about this, but no response ... ] > > ... Please send them to the security team > > first and not to a public mailing list. > > I did. They

sorry, messed up #840685 and #841655

2016-10-21 Thread Salvatore Bonaccorso
Hi Emmanuel, Sorry messed up #840685 and #841655. Hope they should be okay again. Salvatore __ This is the maintainer address of Debian's Java team . Please use debian-j...@lists.debian.org for discussions and

reassign 840685 to src:tomcat8, closing 840685

2016-10-21 Thread Salvatore Bonaccorso
# sigh, messed the reassigned/cloned bug ... fixing reassign 840685 src:tomcat8 8.0.14-1 close 840685 8.0.38-1 thanks __ This is the maintainer address of Debian's Java team . Please use debian-j...@lists.debian.org

Bug#840685: TOCTOU race condition in initscript on chown'ing JVM_TMP temporary directory (was: Re: Bug#840685: tomcat8: DSA-3670 incomplete)

2016-10-14 Thread Salvatore Bonaccorso
Hi Paul, Markus followed already up, I just want to give some additional comments on the below: On Fri, Oct 14, 2016 at 07:07:52PM +1100, paul.sz...@sydney.edu.au wrote: > Dear Salvatore, > > > ... if the attacher created a symlink between the rm and the mkdir > > then mkdir will still fail

Bug#849167: libspring-java: CVE-2016-9878

2016-12-22 Thread Salvatore Bonaccorso
Source: libspring-java Version: 4.3.4-3 Severity: important Tags: security patch upstream Hi, the following vulnerability was published for libspring-java. CVE-2016-9878[0]: Directory Traversal in the Spring Framework ResourceServlet Interesting, is that the code in

Bug#857343: #857343: logback deserialization vulnerability

2017-03-28 Thread Salvatore Bonaccorso
Control: retitle -1 logback: CVE-2017-5929: serialization vulnerability affecting the SocketServer and ServerSocketReceiver components Hi Markus, On Tue, Mar 28, 2017 at 09:41:30AM +0200, Markus Koschany wrote: > Hello security team, > > apparently logback < 1.2.0 is vulnerable to a

Bug#857343: #857343: logback deserialization vulnerability

2017-03-28 Thread Salvatore Bonaccorso
Hi Markus, On Tue, Mar 28, 2017 at 05:51:38PM +0200, Markus Koschany wrote: > Am 28.03.2017 um 10:54 schrieb Salvatore Bonaccorso: > [...] > > There apparently was a mistake on triaging CVE-2017-5929. > > > > This should be: > > https://security-tracker.de

Bug#851430: CVE-2016-9571

2017-03-28 Thread Salvatore Bonaccorso
Control: retitle -1 resteasy: CVE-2016-9606 Just a heads up: apparently the CVE was double-assigned, the correct CVE turns out to be CVE-2016-9606. Cf. https://bugzilla.redhat.com/show_bug.cgi?id=1400644#c17 Regards, Salvatore __ This is the maintainer address of Debian's Java team

Bug#858301: libapache-poi-java: CVE-2017-5644

2017-03-20 Thread Salvatore Bonaccorso
Source: libapache-poi-java Version: 3.10.1-2 Severity: important Tags: security upstream Hi, the following vulnerability was published for libapache-poi-java. CVE-2017-5644[0]: denial-of-service If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities &

Re: Processed: Re: Bug#860068: tomcat8: CVE-2017-5647

2017-04-11 Thread Salvatore Bonaccorso
Hi Markus, On Tue, Apr 11, 2017 at 02:18:14PM +, Debian Bug Tracking System wrote: > Processing control commands: > > > merge 860068 860069 860070 860071 > Bug #860068 [src:tomcat8] tomcat8: CVE-2017-5647 > Bug #860069 [src:tomcat8] tomcat8: CVE-2017-5648 > Marked as found in versions

Bug#860068: Processed: Re: Bug#860068: tomcat8: CVE-2017-5647

2017-04-11 Thread Salvatore Bonaccorso
Hi, On Tue, Apr 11, 2017 at 05:24:25PM +0200, Markus Koschany wrote: > Am 11.04.2017 um 17:18 schrieb Salvatore Bonaccorso: > > Hi Markus, > > > > On Tue, Apr 11, 2017 at 02:18:14PM +, Debian Bug Tracking System wrote: > >> Processing control commands: > &g

Bug#860069: tomcat8: CVE-2017-5648

2017-04-10 Thread Salvatore Bonaccorso
Source: tomcat8 Version: 8.0.14-1 Severity: important Tags: upstream security Hi, the following vulnerability was published for tomcat8. CVE-2017-5648[0]: |While investigating bug 60718, it was noticed that some calls to |application listeners did not use the appropriate facade object. When

Bug#860070: tomcat8: CVE-2017-5650

2017-04-10 Thread Salvatore Bonaccorso
Source: tomcat8 Version: 8.5.11-1 Severity: important Tags: security upstream Hi, the following vulnerability was published for tomcat8. CVE-2017-5650[0]: |The handling of an HTTP/2 GOAWAY frame for a connection did not close |streams associated with that connection that were currently waiting

Bug#860071: tomcat8: CVE-2017-5651

2017-04-10 Thread Salvatore Bonaccorso
Source: tomcat8 Version: 8.5.11-1 Severity: important Tags: security upstream Hi, the following vulnerability was published for tomcat8. CVE-2017-5651[0]: |The refactoring of the HTTP connectors for 8.5.x onwards, introduced a |regression in the send file processing. If the send file processing

Bug#860068: tomcat8: CVE-2017-5647

2017-04-10 Thread Salvatore Bonaccorso
Source: tomcat8 Version: 8.0.14-1 Severity: important Tags: security upstream Hi, the following vulnerability was published for tomcat8. CVE-2017-5647[0] |A bug in the handling of the pipelined requests when send file was |used resulted in the pipelined request being lost when send file

Bug#860866: activemq: CVE-2015-7559: DoS in client via shutdown command

2017-04-21 Thread Salvatore Bonaccorso
Source: activemq Version: 5.6.0+dfsg1-4 Severity: important Tags: upstream patch security Forwarded: https://issues.apache.org/jira/browse/AMQ-6470 Hi, the following vulnerability was published for activemq. CVE-2015-7559[0]: DoS in client via shutdown command If you fix the vulnerability

Bug#860489: apache-log4j2: CVE-2017-5645: socket receiver deserialization vulnerability

2017-04-17 Thread Salvatore Bonaccorso
Source: apache-log4j2 Version: 2.0~beta9-1 Severity: grave Tags: security upstream Forwarded: https://issues.apache.org/jira/browse/LOG4J2-1863 Hi, the following vulnerability was published for apache-log4j2. CVE-2017-5645[0]: Apache Log4j socket receiver deserialization vulnerability If you

Bug#860566: batik: CVE-2017-5662: information disclosure vulnerability

2017-04-18 Thread Salvatore Bonaccorso
Source: batik Version: 1.5beta2-1 Severity: important Tags: security upstream Hi, the following vulnerability was published for batik. CVE-2017-5662[0]: | In Apache Batik before 1.9, files lying on the filesystem of the | server which uses batik can be revealed to arbitrary users who send |

Bug#860567: fop: CVE-2017-5661: information disclosure vulnerability

2017-04-18 Thread Salvatore Bonaccorso
Source: fop Version: 1:1.0.dfsg-1 Severity: important Tags: upstream security Hi, the following vulnerability was published for fop. CVE-2017-5661[0]: | In Apache FOP before 2.2, files lying on the filesystem of the server | which uses FOP can be revealed to arbitrary users who send maliciously

Bug#867712: lucene-solr: CVE-2017-3163

2017-07-08 Thread Salvatore Bonaccorso
Source: lucene-solr Version: 3.6.2+dfsg-5 Severity: important Tags: security upstream Forwarded: https://issues.apache.org/jira/browse/SOLR-10031 Hi, the following vulnerability was published for lucene-solr. CVE-2017-3163[0]: No description was found (try on a search engine) If you fix the

Bug#870848: jackson-databind: CVE-2017-7525: Deserialization vulnerability via readValue method of ObjectMapper

2017-08-05 Thread Salvatore Bonaccorso
Source: jackson-databind Version: 2.8.6-1 Severity: grave Tags: security upstream Forwarded: https://github.com/FasterXML/jackson-databind/issues/1599 Hi, the following vulnerability was published for jackson-databind. CVE-2017-7525[0]: Deserialization vulnerability via readValue method of

Bug#870860: openjfx: CVE-2017-10086 CVE-2017-10114

2017-08-05 Thread Salvatore Bonaccorso
Source: openjfx Version: 8u131-b11-1 Severity: grave Tags: upstream security Hi, the following vulnerabilities were published for openjfx. CVE-2017-10086[0] and CVE-2017-10114[1]. Unfortunately it's no more details possilby know as shared via [2], which states that the supported versions

Bug#864447: tomcat8: CVE-2017-5664: Security constrained bypass in error page mechanism

2017-06-08 Thread Salvatore Bonaccorso
Source: tomcat8 Version: 8.5.14-1 Severity: important Tags: security patch upstream Control: found -1 8.0.14-1 Hi, the following vulnerability was published for tomcat8. CVE-2017-5664[0]: | The error page mechanism of the Java Servlet Specification requires | that, when an error occurs and an

Bug#864898: jetty9: timing channel in Password.java

2017-06-16 Thread Salvatore Bonaccorso
Source: jetty9 Version: 9.2.21-1 Severity: important Tags: patch upstream security Forwarded: https://github.com/eclipse/jetty.project/issues/1556 Hi Due to #864631 I realize you are already aware. Filling this bug for tracking purposes since there is no CVE id yet assiged. jetty has a timing

Bug#864859: jython: CVE-2016-4000: Unsafe deserialization leads to code execution

2017-06-16 Thread Salvatore Bonaccorso
Source: jython Version: 2.5.3-1 Severity: grave Tags: security upstream patch Justification: user security hole Forwarded: http://bugs.jython.org/issue2454 Hi, the following vulnerability was published for jython. CVE-2016-4000[0]: Unsafe deserialization leads to code execution If you fix the

Bug#861521: libxstream-java: CVE-2017-7957

2017-04-30 Thread Salvatore Bonaccorso
Source: libxstream-java Version: 1.4.7-2 Severity: important Tags: security upstream Hi, the following vulnerability was published for libxstream-java. CVE-2017-7957[0]: | XStream through 1.4.9, when a certain denyTypes workaround is not used, | mishandles attempts to create an instance of the

Bug#861786: activemq: adjust CVE identifier retrospectively in debian/changelog for 5.14.3-3 upload

2017-05-03 Thread Salvatore Bonaccorso
Source: activemq Version: 5.14.3-3 Severity: minor Hi activemq maintainers, The CVE id was typoed in the 5.14.3-3 upload. To avoid confusion can you consider adjusting the reference on any next upload of activemq? The correct CVE id was CVE-2015-7559. If you have in your team policy to not

Bug#873392: resteasy: CVE-2017-7561: Vary header not added by CORS filter leading to cache poisoning

2017-08-27 Thread Salvatore Bonaccorso
Source: resteasy Version: 3.1.0-2 Severity: important Tags: security upstream Forwarded: https://issues.jboss.org/projects/RESTEASY/issues/RESTEASY-1704 Hi, the following vulnerability was published for resteasy. CVE-2017-7561[0]: Vary header not added by CORS filter leading to cache poisoning

Bug#884241: bouncycastle: CVE-2017-13098

2017-12-12 Thread Salvatore Bonaccorso
Source: bouncycastle Version: 1.57-1 Severity: grave Tags: patch security upstream Hi, the following vulnerability was published for bouncycastle. CVE-2017-13098[0]: | Information leak by distinguish valid and invalid RSA PKCS #1 v1.5 | paddings based on different server responses. If you fix

Bug#879001: Bug#879002: Patch for CVE-2017-12197

2017-11-03 Thread Salvatore Bonaccorso
Control: forwarded -1 https://github.com/kohsuke/libpam4j/issues/18 Control: tags -1 + patch upstream Hi Raphael, Emmanuel and Markus, On Fri, Nov 03, 2017 at 09:19:56PM +0100, Markus Koschany wrote: > On Wed, 18 Oct 2017 13:29:19 +0200 Emmanuel Bourg wrote: > > Upstream has

Bug#885577: libhibernate-validator-java: CVE-2017-7536: Privilege escalation when running under the security manager

2018-01-08 Thread Salvatore Bonaccorso
Hey! On Mon, Jan 08, 2018 at 06:03:48PM +0100, Markus Koschany wrote: > Hi, > > Am 08.01.2018 um 17:44 schrieb Salvatore Bonaccorso: > [...] > > So the patched files exits, and similar code flow is present. > > > > I explicitly have not looked (yet)

Bug#885577: libhibernate-validator-java: CVE-2017-7536: Privilege escalation when running under the security manager

2018-01-08 Thread Salvatore Bonaccorso
Hi Abhijith, hi Markus On Mon, Jan 08, 2018 at 04:01:17PM +0100, Markus Koschany wrote: > Am 08.01.2018 um 13:32 schrieb Abhijith PA: > > Hello. :) > > > > https://bugzilla.redhat.com/show_bug.cgi?id=1465573#c24 says it affects > > all 5.x version. But Debian haven't shipped this version yet. And

Bug#825501: CVE-2016-4434

2018-01-18 Thread Salvatore Bonaccorso
Hi Faidon, On Fri, Jan 12, 2018 at 07:54:58PM +0100, Moritz Muehlenhoff wrote: > On Thu, Jan 11, 2018 at 02:03:23PM +0200, Faidon Liambotis wrote: > > On Fri, May 27, 2016 at 11:58:33AM +0200, Moritz Muehlenhoff wrote: > > > please see http://seclists.org/oss-sec/2016/q2/413 for details. > > >

Bug#888316: jackson-databind: CVE-2018-5968

2018-01-24 Thread Salvatore Bonaccorso
Source: jackson-databind Version: 2.9.1-1 Severity: grave Tags: patch security upstream Forwarded: https://github.com/FasterXML/jackson-databind/issues/1899 Control: found -1 2.8.6-1+deb9u2 Control: found -1 2.4.2-2+deb8u2 Hi, the following vulnerability was published for jackson-databind.

Bug#888318: jackson-databind: CVE-2017-17485

2018-01-24 Thread Salvatore Bonaccorso
On Wed, Jan 24, 2018 at 11:11:13PM +0100, Salvatore Bonaccorso wrote: > Source: jackson-databind > Version: 2.9.1-1 > Severity: grave > Tags: security upstream > Forwarded: https://github.com/FasterXML/jackson-databind/issues/1855 > > Hi, > > the following vulnerabilit

Bug#888318: jackson-databind: CVE-2017-17485

2018-01-24 Thread Salvatore Bonaccorso
Source: jackson-databind Version: 2.9.1-1 Severity: grave Tags: security upstream Forwarded: https://github.com/FasterXML/jackson-databind/issues/1855 Hi, the following vulnerability was published for jackson-databind. CVE-2017-17485[0]: | FasterXML jackson-databind through 2.8.10 and 2.9.x

Bug#888316: jackson-databind: CVE-2018-5968

2018-01-25 Thread Salvatore Bonaccorso
Hi Markus, On Thu, Jan 25, 2018 at 02:40:10PM +0100, Markus Koschany wrote: > Hi, > > On Wed, 24 Jan 2018 23:02:44 +0100 Salvatore Bonaccorso > <car...@debian.org> wrote: > > Source: jackson-databind > > Version: 2.9.1-1 > > Severity: grave > > Tags: pa

Bug#888530: openjfx: CVE-2018-2581

2018-01-27 Thread Salvatore Bonaccorso
Source: openjfx Version: 8u151-b12-1 Severity: important Tags: security upstream Hi, the following vulnerability was published for openjfx, apart the CVE description not much is available: CVE-2018-2581[0]: | Vulnerability in the Java SE component of Oracle Java SE | (subcomponent: JavaFX).

Bug#888651: libapache-poi-java: CVE-2017-12626: Denial of Service Vulnerabilities

2018-01-28 Thread Salvatore Bonaccorso
Source: libapache-poi-java Version: 3.10.1-1 Severity: important Tags: security upstream Hi, the following vulnerability was published for libapache-poi-java, I was not able to verify each other of the upstream bugs, but according to [1] any version prior to 3.17 are affected.

Bug#890352: activemq: CVE-2017-15709: information leak

2018-02-13 Thread Salvatore Bonaccorso
Source: activemq Version: 5.14.3-3 Severity: important Tags: security upstream Hi, the following vulnerability was published for activemq, filling the bug based on the information available from [0] and [1]. CVE-2017-15709[0]: | When using the OpenWire protocol in ActiveMQ versions 5.14.0 to

Bug#885577: libhibernate-validator-java: CVE-2017-7536: Privilege escalation when running under the security manager

2017-12-28 Thread Salvatore Bonaccorso
Source: libhibernate-validator-java Severity: important Tags: security Hi, the following vulnerability was published for libhibernate-validator-java. There is unfortunately not much information available, cf. [1]. CVE-2017-7536[0]: Privilege escalation when running under the security manager

Bug#885576: undertow: CVE-2017-7559: HTTP Request smuggling vulnerability (incomplete fix of CVE-2017-2666)

2017-12-28 Thread Salvatore Bonaccorso
Source: undertow Severity: important Tags: security Hi, the following vulnerability was published for undertow. There is not much information available if that incomplete fix affects us as well. Or which this was fixed upstream. I asked for clarification in [1], but might you contact directly

Bug#885577: libhibernate-validator-java: CVE-2017-7536: Privilege escalation when running under the security manager

2018-01-02 Thread Salvatore Bonaccorso
Control: found -1 4.3.3-1 Control: tags -1 + upstream fixed-upstream On Thu, Dec 28, 2017 at 10:30:55AM +0100, Salvatore Bonaccorso wrote: > Source: libhibernate-validator-java > Severity: important > Tags: security > > Hi, > > the following vulnerability was publish

Bug#891614: jackson-databind: CVE-2018-7489: incomplete fix for CVE-2017-7525 permits unsafe serialization via c3p0 libraries

2018-02-26 Thread Salvatore Bonaccorso
Source: jackson-databind Version: 2.9.4-1 Severity: grave Tags: patch security upstream Justification: user security hole Forwarded: https://github.com/FasterXML/jackson-databind/issues/1931 Hi, the following vulnerability was published for jackson-databind. CVE-2018-7489[0]: | FasterXML

Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability

2018-04-06 Thread Salvatore Bonaccorso
Hi Felix, On Fri, Apr 06, 2018 at 09:40:40PM +0200, Felix Natter wrote: > hello Security Team, > > here are the CVE-2018-169 security updates for jessie and stretch: > > [jessie] > https://anonscm.debian.org/cgit/pkg-java/freeplane.git/log/?h=jessie-CVE-2018-169 >

Bug#895114: libspring-java: CVE-2018-1270 CVE-2018-1272

2018-04-07 Thread Salvatore Bonaccorso
Source: libspring-java Version: 4.3.5-1 Severity: grave Tags: security upstream fixed-upstream Hi, The following vulnerabilities were published for libspring-java, filling only one bug this time since the common set of affected versions for the two is all 4.3 versions and older unsupported

Bug#895114: libspring-java: CVE-2018-1270 CVE-2018-1272

2018-04-10 Thread Salvatore Bonaccorso
On Sat, Apr 07, 2018 at 09:46:13AM +0200, Salvatore Bonaccorso wrote: > Source: libspring-java > Version: 4.3.5-1 > Severity: grave > Tags: security upstream fixed-upstream > > Hi, > > The following vulnerabilities were published for libspring-java, > filling o

Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability

2018-04-09 Thread Salvatore Bonaccorso
Hi Felix, Sorry for the delay in getting back to you. On Fri, Apr 06, 2018 at 09:40:40PM +0200, Felix Natter wrote: > hello Security Team, > > here are the CVE-2018-169 security updates for jessie and stretch: > > [jessie] >

Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability

2018-04-03 Thread Salvatore Bonaccorso
Hi Felix, On Sun, Apr 01, 2018 at 06:04:27PM +0200, Markus Koschany wrote: > > > Am 01.04.2018 um 17:57 schrieb Felix Natter: > [...] > > Thanks, done. > > BTW: Is it ok to close the bug with the stretch-security upload even if > > the jessie-security upload is still pending? > > Yes, that's

Bug#893174: libcommons-compress-java: CVE-2018-1324: Infinite loop via extra field parser in ZipFile and ZipArchiveInputStream classes

2018-03-17 Thread Salvatore Bonaccorso
Source: libcommons-compress-java Version: 1.13-1 Severity: important Tags: patch security upstream Forwarded: https://issues.apache.org/jira/browse/COMPRESS-432 Hi, the following vulnerability was published for libcommons-compress-java. CVE-2018-1324[0]: | A specially crafted ZIP archive can be

Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability

2018-03-21 Thread Salvatore Bonaccorso
Looking at the release-1.5.20 tag: Security fix related to scripts and formulas Security fix related to loading of mind map files Change short cuts for MacOS to avoid collisions The fix might be: https://github.com/freeplane/freeplane/commit/a5dce7f9f4d29675fb256053aee3858bf8d76001 Regards,

Bug#893684: libslf4j-java: CVE-2018-8088: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution

2018-03-21 Thread Salvatore Bonaccorso
Source: libslf4j-java Version: 1.7.25-1 Severity: grave Tags: security upstream Justification: user security hole Forwarded: https://jira.qos.ch/browse/SLF4J-430 Control: found -1 1.7.7-1 Hi, the following vulnerability was published for libslf4j-java. CVE-2018-8088[0]: |

  1   2   >