Debian Bug report logs - #611130
CVE-2010-2087
Reported by: Moritz Muehlenhoff <jmm@debian.org>
Date: Tue, 25 Jan 2011 20:45:02 UTC
Severity: important
Tags: moreinfo, security, squeeze-ignore, wontfix
Done: Henri Salo <henri@nerv.fi>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>: Bug#611130; Package mojarra. (Tue, 25 Jan 2011 20:45:05 GMT)
Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>: New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Tue, 25 Jan 2011 20:45:05 GMT)
Message #5 received at submit@bugs.debian.org:
Package: mojarra
Severity: grave
Tags: security
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2087
Please get in touch with upstream, whether this has been addressed.
Cheers,
Moritz
-- System Information:
Debian Release: 6.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>: Bug#611130; Package mojarra. (Wed, 26 Jan 2011 00:18:03 GMT)
Acknowledgement sent to Julien Cristau <jcristau@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Wed, 26 Jan 2011 00:18:03 GMT)
Message #10 received at 611130@bugs.debian.org:
user release.debian.org@packages.debian.org
usertag 611130 squeeze-can-defer
tag 611130 squeeze-ignore
kthxbye
On Tue, Jan 25, 2011 at 21:43:36 +0100, Moritz Muehlenhoff wrote:
> Package: mojarra
> Severity: grave
> Tags: security
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2087
>
> Please get in touch with upstream, whether this has been addressed.
>
Not a blocker, can be fixed post release.
Cheers,
Julien
Added tag(s) squeeze-ignore. Request was from Julien Cristau <jcristau@debian.org> to control@bugs.debian.org. (Wed, 26 Jan 2011 00:18:04 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>: Bug#611130; Package mojarra. (Thu, 27 Jan 2011 14:27:03 GMT)
Acknowledgement sent to Miguel Landaeta <miguel@miguel.cc>: Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Thu, 27 Jan 2011 14:27:03 GMT)
Message #17 received at 611130@bugs.debian.org:
On Tue, Jan 25, 2011 at 09:43:36PM +0100, Moritz Muehlenhoff wrote:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2087
> Please get in touch with upstream, whether this has been addressed.
I just notified upstream to take a look at this
and I'm waiting for their reply.
Cheers,
--
Miguel Landaeta, miguel at miguel.cc
secure email with PGP 0x7D8967E9 available at http://keyserver.pgp.com/
"Faith means not wanting to know what is true." -- Nietzsche
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>: Bug#611130; Package mojarra. (Mon, 25 Jul 2011 12:06:03 GMT)
Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Mon, 25 Jul 2011 12:06:04 GMT)
Message #22 received at 611130@bugs.debian.org:
On Thu, Jan 27, 2011 at 09:53:10AM -0430, Miguel Landaeta wrote:
> On Tue, Jan 25, 2011 at 09:43:36PM +0100, Moritz Muehlenhoff wrote:
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2087
> > Please get in touch with upstream, whether this has been addressed.
>
> I just notified upstream to take a look at this
> and I'm waiting for their reply.
What's the result?
Cheers,
Moritz
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>: Bug#611130; Package mojarra. (Wed, 24 Aug 2011 00:45:03 GMT)
Acknowledgement sent to Miguel Landaeta <miguel@miguel.cc>: Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Wed, 24 Aug 2011 00:45:03 GMT)
Message #27 received at 611130@bugs.debian.org:
On Mon, Jul 25, 2011 at 02:05:01PM +0200, Moritz Mühlenhoff wrote:
> What's the result?
>
Upstream is totally unresponsive about this issue.
I have reviewed the changelog of subsequent releases and this doesn't
seem to be fixed.
I have lost almost all motivation to try to fix this, but I'll
give another try to check again with upstream to see what they
have to say.
--
Miguel Landaeta, miguel at miguel.cc
secure email with PGP 0x7D8967E9 available at http://keyserver.pgp.com/
"Faith means not wanting to know what is true." -- Nietzsche
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>: Bug#611130; Package mojarra. (Wed, 24 Aug 2011 16:36:09 GMT)
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Wed, 24 Aug 2011 16:36:09 GMT)
Message #32 received at 611130@bugs.debian.org:
On Tue, Aug 23, 2011 at 08:12:51PM -0430, Miguel Landaeta wrote:
> On Mon, Jul 25, 2011 at 02:05:01PM +0200, Moritz Mühlenhoff wrote:
> > What's the result?
> >
>
> Upstream is totally unresponsive about this issue.
>
> I have reviewed changelog of subsequent releases and this doesn't
> seem to be fixed.
>
> I have lost almost all motivation to try to fix this, but I'll
> give another try to check again with upstream to see what they
> have to say.
This reminded me of http://pwnies.com/archive/2010/winners/:
--------------
Pwnie for Best Server-Side Bug
(..)
Credit: Meder Kydyraliev
(..)
Meder gets bonus points for having to track down developers on IRC
to get the vulnerability fixed after receiving no response from
security@struts.apache.org.
--------------
Maybe you should try IRC as well...
Cheers,
Moritz
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>: Bug#611130; Package mojarra. (Sun, 02 Oct 2011 22:27:03 GMT)
Acknowledgement sent to Miguel Landaeta <miguel@miguel.cc>: Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sun, 02 Oct 2011 22:27:03 GMT)
Message #37 received at 611130@bugs.debian.org:
#tag 611130 + idontgiveadamn
tag 611130 + moreinfo
kthxbye
Upstream doesn't answer any request about this bug.
I sent emails, I posted in their discussion forum and even joined their
irc channel to ask a couple of questions about this bug. I didn't receive
any answer; I can say I was completely ignored.
There is no info on the Mitre website and AFAIK this issue is not fixed in
any other free software distribution.
I have neither time nor interest in this, good luck to anybody
interested in fixing this bug. Be aware of the uncooperative upstream.
--
Miguel Landaeta, miguel at miguel.cc
secure email with PGP 0x7D8967E9 available at http://keyserver.pgp.com/
"Faith means not wanting to know what is true." -- Nietzsche
Added tag(s) moreinfo. Request was from Miguel Landaeta <miguel@miguel.cc> to control@bugs.debian.org. (Sun, 02 Oct 2011 22:27:10 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>: Bug#611130; Package mojarra. (Sun, 13 May 2012 16:57:02 GMT)
Acknowledgement sent to Steve McIntyre <steve@einval.com>: Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sun, 13 May 2012 16:57:02 GMT)
Message #44 received at 611130@bugs.debian.org:
On Sun, Oct 02, 2011 at 05:53:48PM -0430, Miguel Landaeta wrote:
>#tag 611130 + idontgiveadamn
>tag 611130 + moreinfo
>kthxbye
>
>Upstream doesn't answer any request about this bug.
>
>I sent emails, I posted in their discussion forum and even joined their
>irc channel to ask a couple of question about this bug. I didn't receive
>any answer, I can say I was completely ignored.
>
>There is no info at Mitre website and AFAIK this issue is not fixed in
>any other free software distribution.
>
>I don't have time neither interest on this, good luck to anybody
>interested in fixing this bug. Be aware of uncooperative upstream.
Given this, this package looks like a prime candidate for removal from
the archive to be honest. Thoughts?
--
Steve McIntyre, Cambridge, UK. steve@einval.com
Who needs computer imagery when you've got Brian Blessed?
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>: Bug#611130; Package mojarra. (Sun, 13 May 2012 19:27:03 GMT)
Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sun, 13 May 2012 19:27:03 GMT)
Message #49 received at 611130@bugs.debian.org:
On Sun, May 13, 2012 at 05:52:05PM +0100, Steve McIntyre wrote:
> On Sun, Oct 02, 2011 at 05:53:48PM -0430, Miguel Landaeta wrote:
> >#tag 611130 + idontgiveadamn
> >tag 611130 + moreinfo
> >kthxbye
> >
> >Upstream doesn't answer any request about this bug.
> >
> >I sent emails, I posted in their discussion forum and even joined their
> >irc channel to ask a couple of question about this bug. I didn't receive
> >any answer, I can say I was completely ignored.
> >
> >There is no info at Mitre website and AFAIK this issue is not fixed in
> >any other free software distribution.
> >
> >I don't have time neither interest on this, good luck to anybody
> >interested in fixing this bug. Be aware of uncooperative upstream.
>
> Given this, this package looks like a prime candidate for removal from
> the archive to be honest. Thoughts?
I concur, but libspring build-depends on it, something which needs to
be addressed somehow.
Cheers,
Moritz
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>: Bug#611130; Package mojarra. (Mon, 14 May 2012 14:33:03 GMT)
Acknowledgement sent to Steve McIntyre <steve@einval.com>: Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Mon, 14 May 2012 14:33:03 GMT)
Message #54 received at 611130@bugs.debian.org:
On Sun, May 13, 2012 at 09:23:45PM +0200, Moritz Mühlenhoff wrote:
>On Sun, May 13, 2012 at 05:52:05PM +0100, Steve McIntyre wrote:
>> On Sun, Oct 02, 2011 at 05:53:48PM -0430, Miguel Landaeta wrote:
>> >#tag 611130 + idontgiveadamn
>> >tag 611130 + moreinfo
>> >kthxbye
>> >
>> >Upstream doesn't answer any request about this bug.
>> >
>> >I sent emails, I posted in their discussion forum and even joined their
>> >irc channel to ask a couple of question about this bug. I didn't receive
>> >any answer, I can say I was completely ignored.
>> >
>> >There is no info at Mitre website and AFAIK this issue is not fixed in
>> >any other free software distribution.
>> >
>> >I don't have time neither interest on this, good luck to anybody
>> >interested in fixing this bug. Be aware of uncooperative upstream.
>>
>> Given this, this package looks like a prime candidate for removal from
>> the archive to be honest. Thoughts?
>
>I concur, but libspring build-depends on it, something which needs to
>be addressed somehow.
Ick. :-(
--
Steve McIntyre, Cambridge, UK. steve@einval.com
Support the Campaign for Audiovisual Free Expression: http://www.eff.org/cafe/
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>: Bug#611130; Package mojarra. (Sun, 17 Jun 2012 16:15:03 GMT)
Acknowledgement sent to Miguel Landaeta <miguel@miguel.cc>: Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sun, 17 Jun 2012 16:15:03 GMT)
Message #59 received at 611130@bugs.debian.org:
tags 611130 + wontfix
severity 611130 important
thanks
Hi,
I was checking again what the status of this bug is and I found a statement
in the Red Hat bug tracker posted by David Jorm:
Statement:
This flaw affects applications using unencrypted client-side view states on Mojarra as shipped with JBoss Communications Platform 1.2.11 and 5.1.1, JBoss Enterprise Application Platform 4.2.0, 4.3.0 and 5.1.1, JBoss Enterprise BRMS Platform 5.1.0, JBoss Enterprise Portal Platform 4.3 and 5.1.1, JBoss Enterprise SOA Platform 4.2.0, 4.3.0 and 5.1.0, JBoss Enterprise Web Platform 5.1.1 and JBoss Web Framework Kit 1.1.0 and 1.2.0. Unencrypted client-side view states are fundamentally insecure and should not be used. Developers are advised to always enable encryption when creating JavaServer Faces (JSF) applications using client-side view state. When using the Mojarra implementation of JSF, this is achieved by adding the following snippet to the application's web.xml:
<context-param>
    <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
    <param-value>client</param-value>
</context-param>
<env-entry>
    <env-entry-name>ClientStateSavingPassword</env-entry-name>
    <env-entry-type>java.lang.String</env-entry-type>
    <env-entry-value>INSERT_YOUR_PASSWORD</env-entry-value>
</env-entry>
So, IMO this looks like it is not going to be fixed anytime soon if ever.
Cheers,
--
Miguel Landaeta, miguel at miguel.cc
secure email with PGP 0x6E608B637D8967E9 available at http://keyserver.pgp.com/
"Faith means not wanting to know what is true." -- Nietzsche
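The Red Hat statement quoted in the message above gives the mitigation as a pair of web.xml fragments: client-side state saving is only acceptable when the ClientStateSavingPassword env-entry is also present. The script below is an added example, not code from this bug thread, from Red Hat, or from the Mojarra project: it parses a web.xml and reports the configuration state behind CVE-2010-2087 (client-side view state without the encryption password, or with the password still set to the INSERT_YOUR_PASSWORD placeholder from the statement). The two sample web.xml documents are constructed for the example; the parameter and env-entry names are taken verbatim from the quoted statement, and the assumption that JSF defaults to server-side state saving when the parameter is absent is the JSF specification default.

```python
# Added example (not from the bug report, Red Hat, or the Mojarra project):
# audit a JSF web.xml for client-side view state enabled without the
# ClientStateSavingPassword env-entry described in the Red Hat statement.
import xml.etree.ElementTree as ET

# Constructed sample: client-side state saving with no encryption password.
WEAK_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <context-param>
    <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
    <param-value>client</param-value>
  </context-param>
</web-app>
"""

# Constructed sample: the same application with the env-entry from the statement.
FIXED_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <context-param>
    <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
    <param-value>client</param-value>
  </context-param>
  <env-entry>
    <env-entry-name>ClientStateSavingPassword</env-entry-name>
    <env-entry-type>java.lang.String</env-entry-type>
    <env-entry-value>example-only-replace-me-7f3a9c</env-entry-value>
  </env-entry>
</web-app>
"""

# Values that mean the password was never really set. INSERT_YOUR_PASSWORD is
# the placeholder text from the statement; treating it as unset is our assumption.
PLACEHOLDER_PASSWORDS = {"", "INSERT_YOUR_PASSWORD"}


def _local(tag):
    """Strip the XML namespace so web.xml parses with or without an xmlns."""
    return tag.rsplit("}", 1)[-1]


def _children_text(element):
    """Map each child's local tag name to its stripped text content."""
    return {_local(child.tag): (child.text or "").strip() for child in element}


def audit_view_state(web_xml_text):
    """Return the JSF state-saving method, whether client state is protected, and findings."""
    root = ET.fromstring(web_xml_text)
    context_params = {}
    env_entries = {}
    for element in root.iter():
        name = _local(element.tag)
        if name == "context-param":
            fields = _children_text(element)
            if "param-name" in fields:
                context_params[fields["param-name"]] = fields.get("param-value", "")
        elif name == "env-entry":
            fields = _children_text(element)
            if "env-entry-name" in fields:
                env_entries[fields["env-entry-name"]] = fields.get("env-entry-value", "")

    # JSF defaults to server-side state saving when the parameter is absent.
    method = context_params.get("javax.faces.STATE_SAVING_METHOD", "server").lower()
    password = env_entries.get("ClientStateSavingPassword")
    findings = []
    encrypted = None  # not applicable unless client-side state saving is on
    if method == "client":
        if password is None:
            encrypted = False
            findings.append("client-side view state enabled without ClientStateSavingPassword: "
                            "view state is sent to the browser unencrypted")
        elif password in PLACEHOLDER_PASSWORDS:
            encrypted = False
            findings.append("ClientStateSavingPassword is empty or still the placeholder value")
        else:
            encrypted = True
    return {
        "state_saving_method": method,
        "client_state_encrypted": encrypted,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_WEB_XML), ("fixed", FIXED_WEB_XML)):
        result = audit_view_state(doc)
        print(label, result["state_saving_method"], result["findings"] or "no findings")
```

The check is structural only: it confirms that the env-entry the statement asks for is present and not a placeholder, and it cannot judge the strength of the password or whether the deployed container actually honours the entry. Applications using the server-side default are reported with no findings because the statement scopes the flaw to unencrypted client-side view state.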
Added tag(s) wontfix. Request was from Miguel Landaeta <miguel@miguel.cc> to control@bugs.debian.org. (Sun, 17 Jun 2012 16:15:10 GMT)
Severity set to 'important' from 'grave'. Request was from Miguel Landaeta <miguel@miguel.cc> to control@bugs.debian.org. (Sun, 17 Jun 2012 16:15:10 GMT)
Reply sent to Henri Salo <henri@nerv.fi>: You have taken responsibility. (Mon, 31 Mar 2014 13:33:14 GMT)
Notification sent to Moritz Muehlenhoff <jmm@debian.org>: Bug acknowledged by developer. (Mon, 31 Mar 2014 13:33:15 GMT)
Message #68 received at 611130-close@bugs.debian.org:
Closing as wontfix. In case you reopen this bug please add more details about
the issue. More information is needed. Also from security tracker "Affected
feature is fundamentally insecure"
---
Henri Salo
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 29 Apr 2014 07:29:11 GMT)
Last modified: Wed Jun 19 14:37:46 2019