resteasy: CVE-2016-9606

Related Vulnerabilities: CVE-2016-9606   CVE-2016-9571  

Debian Bug report logs - #851430


Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Sat, 14 Jan 2017 21:42:02 UTC

Severity: important

Tags: security

Fixed in version resteasy/3.1.4-1

Done: Emmanuel Bourg <ebourg@apache.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#851430; Package src:resteasy. (Sat, 14 Jan 2017 21:42:05 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sat, 14 Jan 2017 21:42:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2016-9571
Date: Sat, 14 Jan 2017 22:39:13 +0100
Source: resteasy
Severity: important
Tags: security

There's not a great deal of information on this one other than this Red Hat bugtracker entry:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9571

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#851430; Package src:resteasy. (Tue, 28 Mar 2017 17:33:02 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Tue, 28 Mar 2017 17:33:02 GMT)


Message #10 received at 851430@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Moritz Muehlenhoff <jmm@debian.org>, 851430@bugs.debian.org
Subject: Re: Bug#851430: CVE-2016-9571
Date: Tue, 28 Mar 2017 19:28:15 +0200
Control: retitle -1 resteasy: CVE-2016-9606

Just a heads up: apparently the CVE was double-assigned; the correct
CVE turns out to be CVE-2016-9606. Cf.

https://bugzilla.redhat.com/show_bug.cgi?id=1400644#c17

Regards,
Salvatore



Changed Bug title to 'resteasy: CVE-2016-9606' from 'CVE-2016-9571'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 851430-submit@bugs.debian.org. (Tue, 28 Mar 2017 17:33:02 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#851430; Package src:resteasy. (Tue, 21 Nov 2017 20:36:07 GMT)


Message #15 received at 851430@bugs.debian.org:

From: pkg-java-maintainers@lists.alioth.debian.org
To: 851430@bugs.debian.org, 851430-submitter@bugs.debian.org
Subject: Pending fixes for bugs in the resteasy package
Date: Tue, 21 Nov 2017 20:33:57 +0000
tag 851430 + pending
thanks

Some bugs in the resteasy package are closed in revision
27787fde3bc3d80b60e753341229b94492a5c25a in branch 'master' by
Emmanuel Bourg

The full diff can be seen at
https://anonscm.debian.org/cgit/pkg-java/resteasy.git/commit/?id=27787fd

Commit message:

    Marked CVE-2016-9606 as fixed (Closes: #851430)




Added tag(s) pending. Request was from pkg-java-maintainers@lists.alioth.debian.org to control@bugs.debian.org. (Tue, 21 Nov 2017 20:36:08 GMT)


Message sent on to Moritz Muehlenhoff <jmm@debian.org>:
Bug#851430. (Tue, 21 Nov 2017 20:36:10 GMT)


Reply sent to Emmanuel Bourg <ebourg@apache.org>:
You have taken responsibility. (Tue, 21 Nov 2017 21:12:24 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Tue, 21 Nov 2017 21:12:24 GMT)


Message #25 received at 851430-close@bugs.debian.org:

From: Emmanuel Bourg <ebourg@apache.org>
To: 851430-close@bugs.debian.org
Subject: Bug#851430: fixed in resteasy 3.1.4-1
Date: Tue, 21 Nov 2017 21:09:34 +0000
Source: resteasy
Source-Version: 3.1.4-1

We believe that the bug you reported is fixed in the latest version of
resteasy, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 851430@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg <ebourg@apache.org> (supplier of updated resteasy package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Tue, 21 Nov 2017 21:28:12 +0100
Source: resteasy
Binary: libresteasy-java
Architecture: source
Version: 3.1.4-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebourg@apache.org>
Description:
 libresteasy-java - RESTEasy -- Framework for RESTful Web services and Java applicati
Closes: 851430
Changes:
 resteasy (3.1.4-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream release
     - Ignore the new security-legacy module
     - Fixes CVE-2016-9606: Yaml unmarshalling vulnerable to remote code
       execution (Closes: #851430)
   * Removed the dependency on glassfish-javaee
   * Standards-Version updated to 4.1.1





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 25 Dec 2017 07:26:25 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:36:15 2019; Machine Name: buxtehude
