libxstream-java: CVE-2016-3674: XXE vulnerability

Related Vulnerabilities: CVE-2016-3674  

Debian Bug report logs - #819455


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 28 Mar 2016 18:48:02 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in version libxstream-java/1.4.2-1

Fixed in version libxstream-java/1.4.9-1

Done: Emmanuel Bourg <ebourg@apache.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/x-stream/xstream/issues/25



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#819455; Package src:libxstream-java. (Mon, 28 Mar 2016 18:48:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Mon, 28 Mar 2016 18:48:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libxstream-java: CVE-2016-3674: XXE vulnerability
Date: Mon, 28 Mar 2016 20:45:08 +0200
Source: libxstream-java
Version: 1.4.2-1
Severity: important
Tags: security upstream fixed-upstream
Forwarded: https://github.com/x-stream/xstream/issues/25

Hi,

the following vulnerability was published for libxstream-java.

CVE-2016-3674[0]:
XXE vulnerability

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-3674
[1] https://github.com/x-stream/xstream/issues/25

Regards,
Salvatore



Reply sent to Emmanuel Bourg <ebourg@apache.org>:
You have taken responsibility. (Tue, 29 Mar 2016 11:21:20 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 29 Mar 2016 11:21:21 GMT)


Message #10 received at 819455-close@bugs.debian.org:

From: Emmanuel Bourg <ebourg@apache.org>
To: 819455-close@bugs.debian.org
Subject: Bug#819455: fixed in libxstream-java 1.4.9-1
Date: Tue, 29 Mar 2016 11:19:23 +0000
Source: libxstream-java
Source-Version: 1.4.9-1

We believe that the bug you reported is fixed in the latest version of
libxstream-java, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 819455@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg <ebourg@apache.org> (supplier of updated libxstream-java package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 29 Mar 2016 12:05:49 +0200
Source: libxstream-java
Binary: libxstream-java
Architecture: source all
Version: 1.4.9-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebourg@apache.org>
Description:
 libxstream-java - Java library to serialize objects to XML and back again
Closes: 819455
Changes:
 libxstream-java (1.4.9-1) unstable; urgency=medium
 .
   * New upstream release
     - Fixes CVE-2016-3674: XML External Entity vulnerability (Closes: #819455)
     - Ignore the new xstream-jmh module
     - Updated the Maven rules
   * No longer build the xstream-benchmark module (never used in Debian)
   * Build with maven-debian-helper
   * Depend on libcglib-nodep-java instead of libcglib3-java
   * Standards-Version updated to 3.9.7 (no changes)
   * Use secure Vcs-* fields
   * Updated the old references to codehaus.org
Checksums-Sha1:
 4cf4ec64900223bfa333836874027744232d8547 2392 libxstream-java_1.4.9-1.dsc
 0495145c1d88722ee4331265a30ce93d5dab6bda 419660 libxstream-java_1.4.9.orig.tar.xz
 1dbdca9aeee30d1d5f6e143103a9381cfc5c562d 6232 libxstream-java_1.4.9-1.debian.tar.xz
 9afd8dacf870f8b4db79264868900bb91f95c5da 499872 libxstream-java_1.4.9-1_all.deb
Checksums-Sha256:
 3967f17b4675a4fce56e09a1620e27961652a023634875322bb3ebe9c1929702 2392 libxstream-java_1.4.9-1.dsc
 f97c2c723e03892859c69242397815a00b10ae1da0ca78d6c9b1f51397752c66 419660 libxstream-java_1.4.9.orig.tar.xz
 7db86593bc736a00d87ee936af11e925c1ccbd37fb0dd63457dbf0407972b376 6232 libxstream-java_1.4.9-1.debian.tar.xz
 94f28584d0e3fef8cf6fa81d29bce93107007787ff183713eb03a6025c068c27 499872 libxstream-java_1.4.9-1_all.deb
Files:
 b2652b2d00e8de2f643097f1cc2be922 2392 java optional libxstream-java_1.4.9-1.dsc
 259d2a02e54c3b6deb41fe2861f74d87 419660 java optional libxstream-java_1.4.9.orig.tar.xz
 8e8386e823bf938d034334275c18144a 6232 java optional libxstream-java_1.4.9-1.debian.tar.xz
 442e2b05d0c401f70c0f2032676da156 499872 java optional libxstream-java_1.4.9-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 02 May 2016 07:36:48 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:18:58 2019; Machine Name: buxtehude
