Debian Bug report logs - #861521
libxstream-java: CVE-2017-7957

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 30 Apr 2017 06:00:02 UTC

Severity: grave

Tags: security, upstream

Found in version libxstream-java/1.4.7-2

Fixed in versions libxstream-java/1.4.9-2, libxstream-java/1.4.7-2+deb8u2

Done: Emmanuel Bourg <ebourg@apache.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#861521; Package src:libxstream-java. (Sun, 30 Apr 2017 06:00:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sun, 30 Apr 2017 06:00:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libxstream-java: CVE-2017-7957
Date: Sun, 30 Apr 2017 07:56:34 +0200
Source: libxstream-java
Version: 1.4.7-2
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for libxstream-java.

CVE-2017-7957[0]:
| XStream through 1.4.9, when a certain denyTypes workaround is not used,
| mishandles attempts to create an instance of the primitive type 'void'
| during unmarshalling, leading to a remote application crash, as
| demonstrated by an xstream.fromXML("<void/>") call.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-7957
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7957
[1] https://x-stream.github.io/CVE-2017-7957.html

Regards,
Salvatore
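The advisory's workaround for the unfixed 1.4.7 to 1.4.9 series is to deny the 'void' type through XStream's own security framework (denyTypes, available since 1.4.7, so it applies to the jessie package as well). The following is an added example, not code from the Debian package or from the XStream project. It assumes XStream 1.4.7 or later on the classpath; the class name XStreamVoidGuard, the method names, and the String allow list are illustrative choices. The ordering remark in the comments (a permission added later is evaluated before earlier ones) reflects my reading of SecurityMapper and is stated as an assumption, which is why the void denial is added last in the allow-list variant.

```java
// Added example, not code from the Debian package or the XStream project.
// Assumes XStream 1.4.7 or later on the classpath (denyTypes/addPermission
// exist from 1.4.7, which is the version Debian jessie shipped).
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamVoidGuard {

    // Constructed input: the exact payload named in the CVE description.
    static final String VOID_PAYLOAD = "<void/>";

    // Workaround from the advisory: refuse 'void' (primitive and wrapper) explicitly.
    // Everything else stays as permissive as the default XStream configuration.
    static XStream denyVoidOnly() {
        XStream xs = new XStream();
        xs.denyTypes(new Class[] { void.class, Void.class });
        return xs;
    }

    // Stronger posture for untrusted input: deny everything, then allow only what the
    // application actually serializes. The explicit void denial is added last because
    // (assumption) SecurityMapper checks the most recently added permission first, so
    // it wins even if PrimitiveTypePermission or a widened allow list would accept void.
    static XStream allowListOnly(Class<?>... appTypes) {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);             // start from deny-all
        xs.addPermission(NullPermission.NULL);               // permit <null/>
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES); // int, boolean, ...
        xs.allowTypes(appTypes);                             // the application's own types
        xs.denyTypes(new Class[] { void.class, Void.class });
        return xs;
    }

    // Returns true if the configured instance rejects the payload with an XStream
    // exception (ForbiddenClassException extends XStreamException). On an unpatched
    // XStream <= 1.4.9 *without* the deny rule the same call is what the advisory
    // describes as crashing the application, so that path is deliberately not run here.
    static boolean rejectsVoid(XStream xs) {
        try {
            xs.fromXML(VOID_PAYLOAD);
            return false;
        } catch (XStreamException e) {
            System.out.println("rejected: " + e.getClass().getSimpleName() + ": " + e.getMessage());
            return true;
        }
    }

    public static void main(String[] args) {
        System.out.println("denyTypes workaround: " + rejectsVoid(denyVoidOnly()));
        System.out.println("allow-list config:    " + rejectsVoid(allowListOnly(String.class)));

        // Sanity check that the allow list still round-trips a legitimate value.
        XStream xs = allowListOnly(String.class);
        String xml = xs.toXML("hello");
        System.out.println("round-trip ok: " + "hello".equals(xs.fromXML(xml)));
    }
}
```

The deny rule is a stop-gap; the real fix is the package update named in this report (1.4.9-2 in unstable, 1.4.7-2+deb8u2 in jessie-security). On a Debian host, `dpkg-query -W libxstream-java` shows the installed version, and anything below those versions still needs the workaround. Applications that bundle their own xstream jar are not covered by the Debian package and must be checked separately.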



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#861521; Package src:libxstream-java. (Sun, 30 Apr 2017 14:24:05 GMT)


Acknowledgement sent to Emmanuel Bourg <ebourg@apache.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sun, 30 Apr 2017 14:24:05 GMT)


Message #10 received at 861521@bugs.debian.org:

From: Emmanuel Bourg <ebourg@apache.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 861521@bugs.debian.org
Subject: Re: Bug#861521: libxstream-java: CVE-2017-7957
Date: Sun, 30 Apr 2017 09:12:52 +0200
Thank you Salvatore. Here is the upstream commit that has to be backported:

https://github.com/x-stream/xstream/commit/b3570be

Emmanuel Bourg




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#861521; Package src:libxstream-java. (Tue, 02 May 2017 15:03:04 GMT)


Message #13 received at 861521@bugs.debian.org:

From: pkg-java-maintainers@lists.alioth.debian.org
To: 861521@bugs.debian.org, 861521-submitter@bugs.debian.org
Subject: Pending fixes for bugs in the libxstream-java package
Date: Tue, 02 May 2017 15:01:35 +0000
tag 861521 + pending
thanks

Some bugs in the libxstream-java package are closed in revision
383b39c87f569c3257085babea4a10bad376e5db in branch 'master' by
Emmanuel Bourg

The full diff can be seen at
https://anonscm.debian.org/cgit/pkg-java/libxstream-java.git/commit/?id=383b39c

Commit message:

    Fixed CVE-2017-7957: Remote application crash when unmarshalling void types (Closes: #861521)




Added tag(s) pending. Request was from pkg-java-maintainers@lists.alioth.debian.org to control@bugs.debian.org. (Tue, 02 May 2017 15:03:11 GMT)


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#861521. (Tue, 02 May 2017 15:03:14 GMT)


Reply sent to Emmanuel Bourg <ebourg@apache.org>:
You have taken responsibility. (Tue, 02 May 2017 15:39:09 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 02 May 2017 15:39:09 GMT)


Message #23 received at 861521-close@bugs.debian.org:

From: Emmanuel Bourg <ebourg@apache.org>
To: 861521-close@bugs.debian.org
Subject: Bug#861521: fixed in libxstream-java 1.4.9-2
Date: Tue, 02 May 2017 15:37:33 +0000
Source: libxstream-java
Source-Version: 1.4.9-2

We believe that the bug you reported is fixed in the latest version of
libxstream-java, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 861521@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg <ebourg@apache.org> (supplier of updated libxstream-java package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 02 May 2017 16:52:35 +0200
Source: libxstream-java
Binary: libxstream-java
Architecture: source
Version: 1.4.9-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebourg@apache.org>
Description:
 libxstream-java - Java library to serialize objects to XML and back again
Closes: 861521
Changes:
 libxstream-java (1.4.9-2) unstable; urgency=medium
 .
   * Fixed CVE-2017-7957: Attempts to create an instance of the primitive
     type 'void' during unmarshalling lead to a remote application crash.
     (Closes: #861521)
Checksums-Sha1:
 0ce974ed59cff6e25d0c1cb82009f52005d38e2f 2431 libxstream-java_1.4.9-2.dsc
 fd91078c6f20a50939ff914992bff99372ed1644 7296 libxstream-java_1.4.9-2.debian.tar.xz
 856a710d96a25e89b0c77b7c2a3cbd3381610437 15564 libxstream-java_1.4.9-2_source.buildinfo
Checksums-Sha256:
 c5b18692bc34456b0b8811f54c691472d584309ddd5a95bb78e8f07a08164c85 2431 libxstream-java_1.4.9-2.dsc
 9424291371ec48fedcd5a1f9d640a9578c3233e9aa6338144e4fe2d30a87c0e5 7296 libxstream-java_1.4.9-2.debian.tar.xz
 c7e33ecb5b1bba414f8c1caf2cb2b1c0900d5e46c7743f209fbbaf37f518e26f 15564 libxstream-java_1.4.9-2_source.buildinfo
Files:
 b0c3f3ae48096a83f69463d08a2f4542 2431 java optional libxstream-java_1.4.9-2.dsc
 3979f2c314928f8374789e417a496fd3 7296 java optional libxstream-java_1.4.9-2.debian.tar.xz
 ce70e4223f2cc1fcc99a3e3c7642228b 15564 java optional libxstream-java_1.4.9-2_source.buildinfo





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#861521; Package src:libxstream-java. (Tue, 02 May 2017 15:51:08 GMT)


Message #26 received at 861521@bugs.debian.org:

From: pkg-java-maintainers@lists.alioth.debian.org
To: 861521@bugs.debian.org, 861521-submitter@bugs.debian.org
Subject: Pending fixes for bugs in the libxstream-java package
Date: Tue, 02 May 2017 15:48:30 +0000
tag 861521 + pending
thanks

Some bugs in the libxstream-java package are closed in revision
081611e4bd0893194362e6e5ba667ebaddb61e85 in branch 'jessie' by
Emmanuel Bourg

The full diff can be seen at
https://anonscm.debian.org/cgit/pkg-java/libxstream-java.git/commit/?id=081611e

Commit message:

    Fixed CVE-2017-7957: Remote application crash when unmarshalling void types (Closes: #861521)




Added tag(s) pending. Request was from pkg-java-maintainers@lists.alioth.debian.org to control@bugs.debian.org. (Tue, 02 May 2017 15:51:10 GMT)


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#861521. (Tue, 02 May 2017 15:51:15 GMT)


Severity set to 'grave' from 'important'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 19 May 2017 06:27:03 GMT)


Reply sent to Emmanuel Bourg <ebourg@apache.org>:
You have taken responsibility. (Sat, 27 May 2017 12:36:29 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 27 May 2017 12:36:29 GMT)


Message #38 received at 861521-close@bugs.debian.org:

From: Emmanuel Bourg <ebourg@apache.org>
To: 861521-close@bugs.debian.org
Subject: Bug#861521: fixed in libxstream-java 1.4.7-2+deb8u2
Date: Sat, 27 May 2017 12:33:35 +0000
Source: libxstream-java
Source-Version: 1.4.7-2+deb8u2

We believe that the bug you reported is fixed in the latest version of
libxstream-java, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 861521@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg <ebourg@apache.org> (supplier of updated libxstream-java package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 02 May 2017 17:21:00 +0200
Source: libxstream-java
Binary: libxstream-java
Architecture: source all
Version: 1.4.7-2+deb8u2
Distribution: jessie-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebourg@apache.org>
Description:
 libxstream-java - Java library to serialize objects to XML and back again
Closes: 861521
Changes:
 libxstream-java (1.4.7-2+deb8u2) jessie-security; urgency=high
 .
   * Fixed CVE-2017-7957: Attempts to create an instance of the primitive
     type 'void' during unmarshalling lead to a remote application crash.
     (Closes: #861521)
Checksums-Sha1:
 d25f4281ba672a2464854d0784e528a0399d8be6 2379 libxstream-java_1.4.7-2+deb8u2.dsc
 afb5b08722242b85a216e1b4c4831a04337507e7 8672 libxstream-java_1.4.7-2+deb8u2.debian.tar.xz
 89559bdaa63ee5d57e0b7462c0f4789bb75f74d1 585434 libxstream-java_1.4.7-2+deb8u2_all.deb
Checksums-Sha256:
 cdf41bea7486afaacf0dbc367514871beacffddd36564ed5cf0b596b28f14c61 2379 libxstream-java_1.4.7-2+deb8u2.dsc
 62a1c99b99dc6466149708827e13f945047e7e97c590375061d44b7849b39533 8672 libxstream-java_1.4.7-2+deb8u2.debian.tar.xz
 f21a9c0f661849d3d13d77e1ee8ee00189370fa34b1a93713c591cabbdb9c443 585434 libxstream-java_1.4.7-2+deb8u2_all.deb
Files:
 9c0b26bc15f1d7bc2632018ee91c3504 2379 java optional libxstream-java_1.4.7-2+deb8u2.dsc
 ea1a4f81161faa5543a846be8aca3305 8672 java optional libxstream-java_1.4.7-2+deb8u2.debian.tar.xz
 b66a0b5b4d706151bdbb83aa882e30c2 585434 java optional libxstream-java_1.4.7-2+deb8u2_all.deb





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 16 Jul 2017 07:33:09 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:44:50 2019; Machine Name: buxtehude
