Debian Bug report logs - #823703
CVE-2016-3720

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Sat, 7 May 2016 21:27:02 UTC

Severity: grave

Tags: security

Found in version jackson-dataformat-xml/2.7.3-1

Fixed in version jackson-dataformat-xml/2.7.4-1

Done: Emmanuel Bourg <ebourg@apache.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#823703; Package src:jackson-dataformat-xml. (Sat, 07 May 2016 21:27:07 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sat, 07 May 2016 21:27:07 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2016-3720
Date: Sat, 07 May 2016 23:24:05 +0200
Source: jackson-dataformat-xml
Severity: grave
Tags: security

jackson-dataformat-xml is susceptible to XXE attacks; this was
assigned CVE-2016-3720. Fix is here:
https://github.com/FasterXML/jackson-dataformat-xml/commit/f0f19a4c924d9db9a1e2830434061c8640092cc0

Cheers,
        Moritz
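The XXE class of bug referred to in the report above, as an added example that is not part of this bug log and not code from the jackson-dataformat-xml project. It builds two XmlMapper instances from the same XML: one over a StAX factory that still resolves external entities (the behaviour an XmlMapper had by default before 2.7.4), and one over an explicitly hardened factory. The payload is constructed for the illustration and points its external entity at a temporary file the program writes itself, so it runs offline and leaks nothing real. The class name XxeDemo, the two factory methods and the payload are assumptions; the XmlMapper(XMLInputFactory) constructor and the javax.xml.stream property names are the real APIs.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.stream.XMLInputFactory;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.dataformat.xml.XmlMapper;

/**
 * Added example (assumed names, not project code): XXE through XmlMapper.
 * Shows the pre-2.7.4 default beside the hardened StAX configuration an
 * application should set explicitly, whatever the library default is.
 */
public class XxeDemo {

    /**
     * Mapper over a StAX factory that resolves external entities. This
     * re-creates the pre-2.7.4 default; on 2.7.4 and later the library turns
     * IS_SUPPORTING_EXTERNAL_ENTITIES off, so it is switched on here on purpose.
     */
    static XmlMapper legacyMapper() {
        XMLInputFactory in = XMLInputFactory.newInstance();
        in.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.TRUE);
        in.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.TRUE);
        return new XmlMapper(in);
    }

    /** Hardened mapper: no DTD processing and no external entity resolution. */
    static XmlMapper hardenedMapper() {
        XMLInputFactory in = XMLInputFactory.newInstance();
        in.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        in.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        return new XmlMapper(in);
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a sensitive file such as /etc/passwd,
        // so the demo stays offline and harmless.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.write(secret, "TOP-SECRET".getBytes(StandardCharsets.UTF_8));

        // Constructed attacker payload: an external general entity whose
        // SYSTEM identifier is a local file URI.
        String payload =
            "<?xml version=\"1.0\"?>\n" +
            "<!DOCTYPE user [<!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">]>\n" +
            "<user><name>&xxe;</name></user>";

        // Vulnerable configuration: the entity is expanded and the file
        // contents land in the deserialized value.
        JsonNode leaked = legacyMapper().readTree(payload);
        System.out.println("legacy  : name=" + leaked.get("name").asText());

        // Hardened configuration: the DOCTYPE is not processed, &xxe; is an
        // undeclared entity and parsing fails instead of reading the file.
        try {
            hardenedMapper().readTree(payload);
            System.out.println("hardened: unexpectedly parsed");
        } catch (Exception e) {
            System.out.println("hardened: rejected (" + e.getClass().getSimpleName() + ")");
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

Run with jackson-dataformat-xml (and its Woodstox dependency) on the classpath; the exact exception class reported for the hardened mapper depends on which StAX implementation XMLInputFactory.newInstance() picks up. On a Debian system the practical check is that the installed package is at least 2.7.4 (dpkg -l libjackson2-dataformat-xml-java); passing your own hardened XMLInputFactory, as above, also covers applications that bundle their own copy of the library.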



Reply sent to Emmanuel Bourg <ebourg@apache.org>:
You have taken responsibility. (Sat, 07 May 2016 21:54:11 GMT) (full text, mbox, link).


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Sat, 07 May 2016 21:54:11 GMT) (full text, mbox, link).


Message #10 received at 823703-close@bugs.debian.org (full text, mbox, reply):

From: Emmanuel Bourg <ebourg@apache.org>
To: 823703-close@bugs.debian.org
Subject: Bug#823703: fixed in jackson-dataformat-xml 2.7.4-1
Date: Sat, 07 May 2016 21:52:01 +0000
Source: jackson-dataformat-xml
Source-Version: 2.7.4-1

We believe that the bug you reported is fixed in the latest version of
jackson-dataformat-xml, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 823703@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg <ebourg@apache.org> (supplier of updated jackson-dataformat-xml package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 07 May 2016 23:38:14 +0200
Source: jackson-dataformat-xml
Binary: libjackson2-dataformat-xml-java libjackson2-dataformat-xml-java-doc
Architecture: source all
Version: 2.7.4-1
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebourg@apache.org>
Description:
 libjackson2-dataformat-xml-java - fast and powerful JSON library for Java -- XML dataformat
 libjackson2-dataformat-xml-java-doc - Documentation for Jackson-dataformat-XML
Closes: 823703
Changes:
 jackson-dataformat-xml (2.7.4-1) unstable; urgency=high
 .
   * Team upload.
   * New upstream release
     - Fixes CVE-2016-3720: XXE vulnerability in XmlMapper (Closes: #823703)
Checksums-Sha1:
 80a5baa2f8e2fe0b4601869b977f35412a5841e5 2589 jackson-dataformat-xml_2.7.4-1.dsc
 eb7c33df978d3851d0beec885d0d93d637e9743b 77512 jackson-dataformat-xml_2.7.4.orig.tar.xz
 2319a3b5e21ef4dff9f9c33878076bef78fd362d 4300 jackson-dataformat-xml_2.7.4-1.debian.tar.xz
 b7693623bf186e12797fe2e9d463c13db783da6e 88738 libjackson2-dataformat-xml-java-doc_2.7.4-1_all.deb
 6feee9eb66c69d76b12a1db0fb546de9fb5eff22 90406 libjackson2-dataformat-xml-java_2.7.4-1_all.deb
Checksums-Sha256:
 4d4d19c6eb65a2930f8a6d526af6ef75bee7b26f216b8adc75269081af1e8514 2589 jackson-dataformat-xml_2.7.4-1.dsc
 93129a57eb13bcae5f07d778f26db61094c24155ae857fc6c6b12c1d04532ff6 77512 jackson-dataformat-xml_2.7.4.orig.tar.xz
 1cb3f996fa8d4c5d26284e1898feed2368a4098a0a5cbb542e4c0cb30a3c14d5 4300 jackson-dataformat-xml_2.7.4-1.debian.tar.xz
 f0272c9befd757b627eaae51a3f81f02ac7b2062c4d6016751d231d727d1ac32 88738 libjackson2-dataformat-xml-java-doc_2.7.4-1_all.deb
 241dafa71d8dbce6495f7f13ea364679ee38c7ba46ce1bdd4c9f728cc18befb5 90406 libjackson2-dataformat-xml-java_2.7.4-1_all.deb
Files:
 a080fbaeb78eef49e824bdd18d22b8b5 2589 java optional jackson-dataformat-xml_2.7.4-1.dsc
 68db98268a525dc8406bfd1541deca33 77512 java optional jackson-dataformat-xml_2.7.4.orig.tar.xz
 9c4a81c56bb7b098bff4335b41aff859 4300 java optional jackson-dataformat-xml_2.7.4-1.debian.tar.xz
 25b3df4a9161c76be47b081ca8277a21 88738 doc optional libjackson2-dataformat-xml-java-doc_2.7.4-1_all.deb
 17e00026bfe7a19d526b2de90a1b1ea1 90406 java optional libjackson2-dataformat-xml-java_2.7.4-1_all.deb


Marked as found in versions jackson-dataformat-xml/2.7.3-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 08 May 2016 04:03:03 GMT) (full text, mbox, link).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 07 Jun 2016 07:26:05 GMT) (full text, mbox, link).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:22:53 2019; Machine Name: buxtehude
