jakarta-taglibs-standard: CVE-2015-0254


Debian Bug report logs - #779621
jakarta-taglibs-standard: CVE-2015-0254


Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Tue, 3 Mar 2015 07:06:01 UTC

Owned by: Miguel Landaeta <nomadium@debian.org>

Severity: grave

Tags: security

Fixed in version jakarta-taglibs-standard/1.1.2-3

Done: Miguel Landaeta <nomadium@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#779621; Package jakarta-taglibs-standard. (Tue, 03 Mar 2015 07:06:06 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Tue, 03 Mar 2015 07:06:06 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: jakarta-taglibs-standard: CVE-2015-0254
Date: Tue, 03 Mar 2015 07:57:36 +0100
Package: jakarta-taglibs-standard
Severity: important
Tags: security

Please see
http://www.securityfocus.com/archive/1/534772

Cheers,
        Moritz



Severity set to 'grave' from 'important'. Request was from Moritz Muehlenhoff <jmm@inutil.org> to control@bugs.debian.org. (Fri, 13 Mar 2015 10:03:05 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#779621; Package jakarta-taglibs-standard. (Sat, 14 Mar 2015 17:03:04 GMT) (full text, mbox, link).


Acknowledgement sent to Miguel Landaeta <nomadium@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sat, 14 Mar 2015 17:03:04 GMT) (full text, mbox, link).


Message #12 received at 779621@bugs.debian.org (full text, mbox, reply):

From: Miguel Landaeta <nomadium@debian.org>
To: 779621@bugs.debian.org
Subject: Re: jakarta-taglibs-standard: CVE-2015-0254
Date: Sat, 14 Mar 2015 14:03:52 -0300
owner 779621 !
thanks

On Tue, Mar 03, 2015 at 07:57:36AM +0100, Moritz Muehlenhoff wrote:
> Package: jakarta-taglibs-standard
> Severity: important
> Tags: security
> 
> Please see
> http://www.securityfocus.com/archive/1/534772
> 
> Cheers,
>         Moritz
> 
> 

Hi,

I can try to backport the fix introduced in jakarta taglibs 2.1.3.
However, I can't make promises that the result is even applicable to
the outdated version we have in the archive (1.1.2).

It looks like the diff is going to be really big for this late stage in
the release cycle. I mean, the full diff between 2.1.1 and 2.1.3 has almost
7000 lines. Even if I carefully manage to successfully backport only the
fix, the diff is going to be big.

Upstream implemented the fix in a new class org.apache.taglibs.standard.util.XmlUtil
with 389 LoC...

I'll try to come up with something or report if I failed at that.

Cheers,

-- 
Miguel Landaeta, nomadium at debian.org
secure email with PGP 0x6E608B637D8967E9 available at http://miguel.cc/key.
"Faith means not wanting to know what is true." -- Nietzsche

Owner recorded as Miguel Landaeta <nomadium@debian.org>. Request was from Miguel Landaeta <nomadium@debian.org> to control@bugs.debian.org. (Sat, 14 Mar 2015 17:03:11 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#779621; Package jakarta-taglibs-standard. (Sat, 14 Mar 2015 17:09:04 GMT) (full text, mbox, link).


Acknowledgement sent to Miguel Landaeta <nomadium@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sat, 14 Mar 2015 17:09:04 GMT) (full text, mbox, link).


Message #19 received at 779621@bugs.debian.org (full text, mbox, reply):

From: Miguel Landaeta <nomadium@debian.org>
To: 779621@bugs.debian.org
Subject: Re: Bug#779621: jakarta-taglibs-standard: CVE-2015-0254
Date: Sat, 14 Mar 2015 14:10:47 -0300
On Sat, Mar 14, 2015 at 02:03:52PM -0300, Miguel Landaeta wrote:
> 
> the release cycle. I mean, the full diff between 2.1.1 and 2.1.3 has almost

Sorry, I got it wrong. The new upstream releases are 1.2.1 and 1.2.3.

-- 
Miguel Landaeta, nomadium at debian.org
secure email with PGP 0x6E608B637D8967E9 available at http://miguel.cc/key.
"Faith means not wanting to know what is true." -- Nietzsche

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>, Miguel Landaeta <nomadium@debian.org>:
Bug#779621; Package jakarta-taglibs-standard. (Sat, 14 Mar 2015 17:24:04 GMT) (full text, mbox, link).


Acknowledgement sent to Emmanuel Bourg <ebourg@apache.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>, Miguel Landaeta <nomadium@debian.org>. (Sat, 14 Mar 2015 17:24:04 GMT) (full text, mbox, link).


Message #24 received at 779621@bugs.debian.org (full text, mbox, reply):

From: Emmanuel Bourg <ebourg@apache.org>
To: Miguel Landaeta <nomadium@debian.org>, 779621@bugs.debian.org
Subject: Re: Bug#779621: jakarta-taglibs-standard: CVE-2015-0254
Date: Sat, 14 Mar 2015 18:21:37 +0100
Thank you for taking care of this Miguel. Upstream told me that the
commits r1642442 [1] and r1642613 [2] contained the relevant fixes for
this issue. I haven't checked if they can be easily backported though.

Emmanuel Bourg

[1] http://svn.apache.org/r1642442
[2] http://svn.apache.org/r1642613




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#779621; Package jakarta-taglibs-standard. (Sat, 14 Mar 2015 17:45:04 GMT) (full text, mbox, link).


Acknowledgement sent to Miguel Landaeta <nomadium@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sat, 14 Mar 2015 17:45:04 GMT) (full text, mbox, link).


Message #29 received at 779621@bugs.debian.org (full text, mbox, reply):

From: Miguel Landaeta <nomadium@debian.org>
To: 779621@bugs.debian.org
Subject: Re: Bug#779621: jakarta-taglibs-standard: CVE-2015-0254
Date: Sat, 14 Mar 2015 14:47:09 -0300
On Sat, Mar 14, 2015 at 06:21:37PM +0100, Emmanuel Bourg wrote:
> Thank you for taking care of this Miguel. Upstream told me that the
> commits r1642442 [1] and r1642613 [2] contained the relevant fixes for
> this issue. I haven't checked if they can be easily backported though.
> 
> Emmanuel Bourg
> 
> [1] http://svn.apache.org/r1642442
> [2] http://svn.apache.org/r1642613

Excellent Emmanuel, thanks for contacting upstream about this.

That should ease the backporting significantly.

-- 
Miguel Landaeta, nomadium at debian.org
secure email with PGP 0x6E608B637D8967E9 available at http://miguel.cc/key.
"Faith means not wanting to know what is true." -- Nietzsche

Reply sent to Miguel Landaeta <nomadium@debian.org>:
You have taken responsibility. (Sun, 15 Mar 2015 12:36:09 GMT) (full text, mbox, link).


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Sun, 15 Mar 2015 12:36:09 GMT) (full text, mbox, link).


Message #34 received at 779621-close@bugs.debian.org (full text, mbox, reply):

From: Miguel Landaeta <nomadium@debian.org>
To: 779621-close@bugs.debian.org
Subject: Bug#779621: fixed in jakarta-taglibs-standard 1.1.2-3
Date: Sun, 15 Mar 2015 12:34:03 +0000
Source: jakarta-taglibs-standard
Source-Version: 1.1.2-3

We believe that the bug you reported is fixed in the latest version of
jakarta-taglibs-standard, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 779621@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Miguel Landaeta <nomadium@debian.org> (supplier of updated jakarta-taglibs-standard package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sat, 14 Mar 2015 22:46:07 -0300
Source: jakarta-taglibs-standard
Binary: libjakarta-taglibs-standard-java libjstl1.1-java
Architecture: source all
Version: 1.1.2-3
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Miguel Landaeta <nomadium@debian.org>
Description:
 libjakarta-taglibs-standard-java - Implementation of JSP Standard Tag Library (JSTL)
 libjstl1.1-java - JSP Standard Tag Library API v1.1 Reference Implementation
Closes: 779621
Changes:
 jakarta-taglibs-standard (1.1.2-3) unstable; urgency=high
 .
   * Team upload.
   * Fix CVE-2015-0254 XXE and RCE via XSL extension in JSTL XML tags:
     - Introduce new patch: d/patches/CVE-2015-0254.patch.
     - Adjust source and target JVM parameters to 1.5.
     (Closes: #779621).



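As an added illustration (not the Debian patch d/patches/CVE-2015-0254.patch and not upstream's XmlUtil class), this Java snippet shows the two defences the changelog entry names for CVE-2015-0254: an XML parser that refuses DOCTYPE and external entities, so documents fed to the JSTL XML tags cannot trigger XXE, and a TransformerFactory with secure processing enabled, so XSL stylesheets cannot call extension functions. The class name and the sample document are constructed for this example.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public final class HardenedXml {

    // Constructed sample: a document that declares an external entity.
    // A hardened parser must reject it before resolving the entity.
    static final String SAMPLE =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE d [<!ENTITY ext SYSTEM \"http://example.invalid/ext.xml\">]>\n" +
        "<d>&ext;</d>";

    // Parser configuration that closes the XXE vector in an <x:parse>-style tag.
    public static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Refuse any DOCTYPE: no entity declarations can be processed at all.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces for parsers that still see a DOCTYPE.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // XSLT configuration for an <x:transform>-style tag: secure processing
    // disables extension functions (the RCE path) and external fetches.
    public static TransformerFactory hardenedTransformerFactory()
            throws TransformerConfigurationException {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    public static void main(String[] args) throws Exception {
        try {
            Document d = hardenedBuilder().parse(new InputSource(new StringReader(SAMPLE)));
            System.out.println("parsed (unexpected): " + d.getDocumentElement().getTextContent());
        } catch (SAXParseException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

The XMLConstants.ACCESS_EXTERNAL_* attributes require Java 7u40 or newer; on the JVM 1.5 target mentioned in the changelog they are unavailable and the fix has to rely on the parser features and a rejecting EntityResolver instead.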


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 May 2015 07:38:23 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:42:42 2019; Machine Name: beach
