jython: CVE-2016-4000: Unsafe deserialization leads to code execution

Related Vulnerabilities: CVE-2016-4000  

Debian Bug report logs - #864859


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 16 Jun 2017 07:12:02 UTC

Severity: grave

Tags: patch, security, upstream

Found in version jython/2.5.3-1

Fixed in versions jython/2.5.3-17, jython/2.5.3-3+deb8u1, jython/2.5.3-16+deb9u1

Done: Markus Koschany <apo@debian.org>

Bug is archived. No further changes may be made.

Forwarded to http://bugs.jython.org/issue2454



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#864859; Package src:jython. (Fri, 16 Jun 2017 07:12:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Fri, 16 Jun 2017 07:12:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: jython: CVE-2016-4000: Unsafe deserialization leads to code execution
Date: Fri, 16 Jun 2017 09:09:46 +0200
Source: jython
Version: 2.5.3-1
Severity: grave
Tags: security upstream patch
Justification: user security hole
Forwarded: http://bugs.jython.org/issue2454

Hi,

the following vulnerability was published for jython.

CVE-2016-4000[0]:
Unsafe deserialization leads to code execution

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-4000
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4000
[1] http://bugs.jython.org/issue2454
[2] https://hg.python.org/jython/rev/d06e29d100c0

Regards,
Salvatore



Reply sent to Markus Koschany <apo@debian.org>:
You have taken responsibility. (Fri, 16 Jun 2017 21:06:07 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 16 Jun 2017 21:06:07 GMT)


Message #10 received at 864859-close@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: 864859-close@bugs.debian.org
Subject: Bug#864859: fixed in jython 2.5.3-17
Date: Fri, 16 Jun 2017 21:04:57 +0000
Source: jython
Source-Version: 2.5.3-17

We believe that the bug you reported is fixed in the latest version of
jython, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 864859@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <apo@debian.org> (supplier of updated jython package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 16 Jun 2017 21:51:06 +0200
Source: jython
Binary: jython jython-doc
Architecture: source
Version: 2.5.3-17
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 jython     - Python seamlessly integrated with Java
 jython-doc - Jython documentation including API docs
Closes: 864859
Changes:
 jython (2.5.3-17) unstable; urgency=medium
 .
   * Team upload.
   * Fix CVE-2016-4000: (Closes: #864859)
     Unsafe deserialization may lead to arbitrary code execution.
Checksums-Sha1:
 0cf2c3538ad581cbcd23633e13073f20ec8c8bb8 2533 jython_2.5.3-17.dsc
 0155f6ced1fc7944cca5e0d153d6bd3bdc3c401c 21260 jython_2.5.3-17.debian.tar.xz
 700257fceb071fb5e351388055cb6227a686f2bf 11813 jython_2.5.3-17_amd64.buildinfo
Checksums-Sha256:
 ce6389f84fea63699099150500286cc4a507106cd65361fd683384ab26523cfc 2533 jython_2.5.3-17.dsc
 8822a592ed061aa063b397c43f1ad2df60e49831aa4c19d7040b738f4caa7019 21260 jython_2.5.3-17.debian.tar.xz
 15f9346a9ade5ab8d3663224ccbd6a8a2c249cd9934b219a4a883d79f11422c3 11813 jython_2.5.3-17_amd64.buildinfo
Files:
 dd34311f711d2bcee3035123c9a3a172 2533 python optional jython_2.5.3-17.dsc
 2b3a070f03aa7362c1330eacac64f483 21260 python optional jython_2.5.3-17.debian.tar.xz
 868bd1ef9980ad6b1b5a88df3a700d2f 11813 python optional jython_2.5.3-17_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQKjBAEBCgCNFiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAllEPLNfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQPHGFwb0BkZWJp
YW4ub3JnAAoJENmtFLlRO1HkBXcP/ihW+fFysmu1bvI/Q+K6rERhr7S6xjaP0AmD
udUVwfhgSQeLMpLZLajnjbSSkizY/RGZZj7UYP8c1unCMf9G9R8Si0VznELo2a2Y
EA7gxAL0FVtCDXFI6SFZ2E/+3nV8eG5ADrp/7sRnU0lvgSDopBxklT3PiNLmb8oY
Sk4igvrEVMIyDIZ015dVM16/QQRz9C2PUTxfEnS0prwFA+lwfLOk5c4G95Q3H0sX
0cBWSfYb2c7deQR3m5axOm9JKLQVG1GVB9qrZbHwrfujxZFNrC3lJY+bNgxLV87r
pL9iMExuMC1x9VytNgw/GrKvtJnbB7ZErkLBN12Rxt8ie5YpOBx0Stz+2SPThDSi
yANe9QVcTNyIhJZH+tll2N4YoGXRPzOcxJTpG7aWTp1jYvb3tX+B5JqucrTiui9M
crbq1H+XR06MYctOGuivMtLyEr2glimy30jBT6UvftvqD40KZJzTaD/hqvEURkVd
p+zp5VYNFYTFRxHBNXMNc8/SST/dUJCZDl7UQP8YygSeMfRR3RMO9gumOy5ckcaK
Bq+hz6VD+VH3ARzacpTF6F5ucnw9zmpHkcYzyEKRt5zmzuVuykQFhz+RRFhoKltT
6vsxjPqKiqEY55nlT8N6V5k9JGo2xRkIzKtb3wXsT1+QP5who2GvFSw5sj/XANHJ
RjvldEsZ
=sQu3
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#864859; Package src:jython. (Wed, 21 Jun 2017 18:18:02 GMT)


Message #13 received at 864859@bugs.debian.org:

From: pkg-java-maintainers@lists.alioth.debian.org
To: 864859@bugs.debian.org, 864859-submitter@bugs.debian.org
Subject: Pending fixes for bugs in the jython package
Date: Wed, 21 Jun 2017 18:14:17 +0000
tag 864859 + pending
thanks

Some bugs in the jython package are closed in revision
fa94dba7f47bf6e245a0016e840e8f3b817000ca in branch 'jessie' by
Markus Koschany

The full diff can be seen at
https://anonscm.debian.org/cgit/pkg-java/jython.git/commit/?id=fa94dba

Commit message:

    Import Debian changes 2.5.3-3+deb8u1
    
    jython (2.5.3-3+deb8u1) jessie-security; urgency=high
    
      * Team upload.
      * Fix CVE-2016-4000: (Closes: #864859)
        Unsafe deserialization may lead to arbitrary code execution.




Added tag(s) pending. Request was from pkg-java-maintainers@lists.alioth.debian.org to control@bugs.debian.org. (Wed, 21 Jun 2017 18:18:03 GMT)


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#864859. (Wed, 21 Jun 2017 18:18:05 GMT)


Reply sent to Markus Koschany <apo@debian.org>:
You have taken responsibility. (Sat, 24 Jun 2017 21:21:33 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 24 Jun 2017 21:21:33 GMT)


Message #23 received at 864859-close@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: 864859-close@bugs.debian.org
Subject: Bug#864859: fixed in jython 2.5.3-3+deb8u1
Date: Sat, 24 Jun 2017 21:18:27 +0000
Source: jython
Source-Version: 2.5.3-3+deb8u1

We believe that the bug you reported is fixed in the latest version of
jython, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 864859@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <apo@debian.org> (supplier of updated jython package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 21 Jun 2017 20:00:46 +0200
Source: jython
Binary: jython jython-doc
Architecture: source all
Version: 2.5.3-3+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 jython     - Python seamlessly integrated with Java
 jython-doc - Jython documentation including API docs
Closes: 864859
Changes:
 jython (2.5.3-3+deb8u1) jessie-security; urgency=high
 .
   * Team upload.
   * Fix CVE-2016-4000: (Closes: #864859)
     Unsafe deserialization may lead to arbitrary code execution.
Checksums-Sha1:
 4005e55e8d99f71940f14f0c51dc8df2efc8d0dd 2446 jython_2.5.3-3+deb8u1.dsc
 fb2329935da29375f6c58e80c361a22fef1ce694 5731140 jython_2.5.3.orig.tar.bz2
 a6106611a19d6f324757fb976c41bc41337fade2 17596 jython_2.5.3-3+deb8u1.debian.tar.xz
 18ce5190589356499a998adf875a8587a2414620 6907190 jython_2.5.3-3+deb8u1_all.deb
 fa7c89c99e7b94b958c91bab5b09a50beafab9cc 562942 jython-doc_2.5.3-3+deb8u1_all.deb
Checksums-Sha256:
 5191fd859007cd558a4b600918cd40440c5b5ae259ddf21ae21b65f58446e362 2446 jython_2.5.3-3+deb8u1.dsc
 f65ba40098f9312ed487219e64c4ea01fecad927411b1a72dc1d8cadf0ddc947 5731140 jython_2.5.3.orig.tar.bz2
 68c7122d199e3a519af4fc9f3b1c8e29dac6bd3273811aa4e77a6136f3ca46eb 17596 jython_2.5.3-3+deb8u1.debian.tar.xz
 076576f62ae93a87023ad6747e4b64a51493cbd83c32e17198786f255643e1b0 6907190 jython_2.5.3-3+deb8u1_all.deb
 67cae1441b8920d64b8fd367574fe158e77c9bc7b6d8978da97640cbcb6d77d0 562942 jython-doc_2.5.3-3+deb8u1_all.deb
Files:
 49d2d2a7471f5885a28bc4b65b5651aa 2446 python optional jython_2.5.3-3+deb8u1.dsc
 2e4210614f20aa3cbcef9031601679b7 5731140 python optional jython_2.5.3.orig.tar.bz2
 73652c76868ae57b1c2dc6c5c6b916df 17596 python optional jython_2.5.3-3+deb8u1.debian.tar.xz
 5fd2131a593cd812db4eb8b8e4708c8a 6907190 python optional jython_2.5.3-3+deb8u1_all.deb
 39b58e3821690eeccb2fd7cc308265ed 562942 doc optional jython-doc_2.5.3-3+deb8u1_all.deb

-----BEGIN PGP SIGNATURE-----
=cTNP
-----END PGP SIGNATURE-----




Reply sent to Markus Koschany <apo@debian.org>:
You have taken responsibility. (Sun, 16 Jul 2017 18:36:04 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 16 Jul 2017 18:36:04 GMT)


Message #28 received at 864859-close@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: 864859-close@bugs.debian.org
Subject: Bug#864859: fixed in jython 2.5.3-16+deb9u1
Date: Sun, 16 Jul 2017 18:33:20 +0000
Source: jython
Source-Version: 2.5.3-16+deb9u1

We believe that the bug you reported is fixed in the latest version of
jython, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 864859@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <apo@debian.org> (supplier of updated jython package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 21 Jun 2017 20:15:51 +0200
Source: jython
Binary: jython jython-doc
Architecture: source all
Version: 2.5.3-16+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 jython     - Python seamlessly integrated with Java
 jython-doc - Jython documentation including API docs
Closes: 864859
Changes:
 jython (2.5.3-16+deb9u1) stretch-security; urgency=high
 .
   * Team upload.
   * Fix CVE-2016-4000: (Closes: #864859)
     Unsafe deserialization may lead to arbitrary code execution.
Checksums-Sha1:
 d37e31e4c6deb86d20948e4338342ec5b2c53bbb 2561 jython_2.5.3-16+deb9u1.dsc
 fb2329935da29375f6c58e80c361a22fef1ce694 5731140 jython_2.5.3.orig.tar.bz2
 e6020678c7c7f624accb715947fab9deb8d072de 21164 jython_2.5.3-16+deb9u1.debian.tar.xz
 a73e4a7b9df653ff34340b8f43d83c0619ddcaed 563962 jython-doc_2.5.3-16+deb9u1_all.deb
 63b4688d2dc37c681ce9fdc35c9b09698909b045 6883788 jython_2.5.3-16+deb9u1_all.deb
 22a73fe4f4e2dfd7b72474b079e9d510c70dc00c 11883 jython_2.5.3-16+deb9u1_amd64.buildinfo
Checksums-Sha256:
 5d022341bee24af370fdfa5170a5fa4f3520d9ee7f5338ff6258cbde62e0190d 2561 jython_2.5.3-16+deb9u1.dsc
 f65ba40098f9312ed487219e64c4ea01fecad927411b1a72dc1d8cadf0ddc947 5731140 jython_2.5.3.orig.tar.bz2
 c98216583f02bc15f15f8062375def51ffa0ab3eba9f093ce2ec82d764f30120 21164 jython_2.5.3-16+deb9u1.debian.tar.xz
 5b70cc20633dea570d0dc5ce45a93b8eed5f45faaf81289aa083bb1d1de8da99 563962 jython-doc_2.5.3-16+deb9u1_all.deb
 c0958f8f09671679a2aebc1f9bb1637d05592ba6a4f0021eac5bd14afbf6ba67 6883788 jython_2.5.3-16+deb9u1_all.deb
 2526b35d26110ff9dd55c2c8a3e5a896d71653db538649bae20b0e2d84683a7b 11883 jython_2.5.3-16+deb9u1_amd64.buildinfo
Files:
 0ae8081e0e09d3b6c10811d5d9b10bb0 2561 python optional jython_2.5.3-16+deb9u1.dsc
 2e4210614f20aa3cbcef9031601679b7 5731140 python optional jython_2.5.3.orig.tar.bz2
 be58bebf7d9f27a872486bb77056f8d6 21164 python optional jython_2.5.3-16+deb9u1.debian.tar.xz
 32bd1ac7fc7edf2bc69010463053bf1f 563962 doc optional jython-doc_2.5.3-16+deb9u1_all.deb
 7b2af3e0616e67f5434a45675400f8e9 6883788 python optional jython_2.5.3-16+deb9u1_all.deb
 9ed01506863ba9804848696ed195f4f9 11883 python optional jython_2.5.3-16+deb9u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
=0vI9
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 14 Sep 2017 07:28:07 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:33:09 2019; Machine Name: beach
