Debian Bug report logs - #1027149
jython: CVE-2019-16935

Reported by: Moritz Mühlenhoff <jmm@inutil.org>

Date: Wed, 28 Dec 2022 17:39:01 UTC

Severity: normal

Tags: security, upstream

Fixed in version jython/2.7.2+repack1-5

Done: Gilles Filippini <pini@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#1027149; Package src:jython. (Wed, 28 Dec 2022 17:39:04 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Wed, 28 Dec 2022 17:39:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: submit@bugs.debian.org
Subject: jython: CVE-2019-16935
Date: Wed, 28 Dec 2022 18:34:03 +0100
Source: jython
X-Debbugs-CC: team@security.debian.org
Severity: normal
Tags: security

Hi,

This also affects Jython:

CVE-2019-16935[0]:
| The documentation XML-RPC server in Python through 2.7.16, 3.x through
| 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field.
| This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in
| Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with
| untrusted input, arbitrary JavaScript can be delivered to clients that
| visit the http URL for this server.

The fix in cpython was:
https://github.com/python/cpython/commit/8eb64155ff26823542ccf0225b3d57b6ae36ea89

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-16935
    https://www.cve.org/CVERecord?id=CVE-2019-16935

Please adjust the affected versions in the BTS as needed.
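The CVE text above describes a classic stored/reflected HTML injection: a caller-controlled string (the server title) is pasted into the generated documentation page without escaping. The following is an added example, not part of the bug report and not Jython's or CPython's code. The two small `render_doc_page_*` functions are a simplified model of the pre-fix and post-fix behaviour (escaping with `html.escape`, which is what the referenced CPython commit does for `server_title`); `_ProbeDispatcher` is an assumed composition of the standard-library `SimpleXMLRPCDispatcher` and `XMLRPCDocGenerator` classes so the HTML generation path can be exercised without binding a socket, and `PROBE_TITLE` is a constructed marker used only to see whether the title survives unescaped.

```python
"""Model of the CVE-2019-16935 bug class plus a check of the local interpreter.

Added example; not from the bug report, Jython or CPython.
"""
import html
from xmlrpc.server import SimpleXMLRPCDispatcher, XMLRPCDocGenerator

# Constructed probe title: a marker that is only harmful if it reaches the
# page verbatim.  A patched interpreter turns the angle brackets into entities.
PROBE_TITLE = '<script>cve_2019_16935_probe()</script>'

_PAGE = "<html><head><title>Python: %s</title></head><body></body></html>"


def render_doc_page_unescaped(server_title: str) -> str:
    """Model of the pre-fix behaviour: the title is interpolated verbatim."""
    return _PAGE % server_title


def render_doc_page_escaped(server_title: str) -> str:
    """Hardened form mirroring the CPython fix: escape before interpolation."""
    return _PAGE % html.escape(server_title)


class _ProbeDispatcher(SimpleXMLRPCDispatcher, XMLRPCDocGenerator):
    """Assumed composition: dispatcher state (funcs/instance) plus the doc
    generator, which is what DocXMLRPCServer mixes in, minus the socket."""

    def __init__(self) -> None:
        SimpleXMLRPCDispatcher.__init__(self)
        XMLRPCDocGenerator.__init__(self)


def stdlib_escapes_server_title(title: str = PROBE_TITLE) -> bool:
    """True if the installed xmlrpc.server escapes server_title when it
    renders the documentation page (CPython 3.7.5+/3.8+ do)."""
    dispatcher = _ProbeDispatcher()
    dispatcher.set_server_title(title)
    page = dispatcher.generate_html_documentation()
    return title not in page and html.escape(title) in page


if __name__ == "__main__":
    print("unescaped model leaks probe:",
          PROBE_TITLE in render_doc_page_unescaped(PROBE_TITLE))
    print("escaped model leaks probe:  ",
          PROBE_TITLE in render_doc_page_escaped(PROBE_TITLE))
    print("installed stdlib escapes title:", stdlib_escapes_server_title())
```

Running the script under the interpreter that serves the documentation page tells a maintainer directly whether that interpreter (or, for Jython, its bundled `DocXMLRPCServer`) still carries the unescaped path; the two model functions show the whole fix is a single `html.escape` at the interpolation point.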



Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 28 Dec 2022 19:45:05 GMT)


Reply sent to Gilles Filippini <pini@debian.org>:
You have taken responsibility. (Thu, 29 Dec 2022 11:51:02 GMT)


Notification sent to Moritz Mühlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Thu, 29 Dec 2022 11:51:03 GMT)


Message #12 received at 1027149-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1027149-close@bugs.debian.org
Subject: Bug#1027149: fixed in jython 2.7.2+repack1-5
Date: Thu, 29 Dec 2022 11:50:05 +0000
Source: jython
Source-Version: 2.7.2+repack1-5
Done: Gilles Filippini <pini@debian.org>

We believe that the bug you reported is fixed in the latest version of
jython, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1027149@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gilles Filippini <pini@debian.org> (supplier of updated jython package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 29 Dec 2022 12:00:40 +0100
Source: jython
Architecture: source
Version: 2.7.2+repack1-5
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Gilles Filippini <pini@debian.org>
Closes: 1027149
Changes:
 jython (2.7.2+repack1-5) unstable; urgency=medium
 .
   * CVE-2019-16935 (closes: #1027149)
Checksums-Sha1:
 a2052ddc344a4b4b73bd92ee6cf285321c66cf55 2205 jython_2.7.2+repack1-5.dsc
 f0fa361a3637ecae6f4f3d4d0c778eb809b57e40 22148 jython_2.7.2+repack1-5.debian.tar.xz
 a1a01eddad5b9649b5edeac50b542e12fec5731f 13952 jython_2.7.2+repack1-5_amd64.buildinfo
Checksums-Sha256:
 541b5da6a86d256b0f8c93bf0d2306d68ab6b3b5a8fdf5c08afb4d0e3ebd5fa0 2205 jython_2.7.2+repack1-5.dsc
 02504233fcb5493e59096b522202e5c1340a07543d5d9960ce320feaf348bae9 22148 jython_2.7.2+repack1-5.debian.tar.xz
 f5125f396295b50011069645f6357a22cac0df5a03ce6ef06449d7148d77d86e 13952 jython_2.7.2+repack1-5_amd64.buildinfo
Files:
 55c0de184bb8dfa8b47bb56adc21a330 2205 python optional jython_2.7.2+repack1-5.dsc
 18fbfcd63c7c1dfef695355463544fbe 22148 python optional jython_2.7.2+repack1-5.debian.tar.xz
 4de0f43befcb3cb603391740a582a580 13952 python optional jython_2.7.2+repack1-5_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQFEBAEBCgAuFiEEoJObzArDE05WtIyR7+hsbH/+z4MFAmOtelwQHHBpbmlAZGVi
aWFuLm9yZwAKCRDv6Gxsf/7Pg6gjB/9yFxMYo8SwC0kuV3sxRYCM7oossnaSV2P7
S9sW42UaNKREV14WCjJHG0CX5a3siPgYebzsqIsytLaUZ7/1i4vnJwZrryByCQ8e
QJKObxeMN5EdDXCtDUE56doZ2mPOQ2XJrdR/bOjGMHfA4J9aKg1+3TutZXC2/cYs
04xHq3jRVkGPrtPtSk60cMvbNLcBb3sDVnnEo8BRgSER2RnOoqdPylvwLwO4rTWY
/iYGE758nkM0z9+APhZBWDRHqzs17lpAsRu/7IOntKM+xj4uUgP3F8B4FgbOqzHZ
ZL/ejodvvcCbjoAY2HeZdP/eBQ6bpbXc9FIEWuIQaBJtNSe3bPcE
=VMo6
-----END PGP SIGNATURE-----

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Dec 29 16:36:33 2022; Machine Name: buxtehude