Debian Bug report logs -
#998054
libxstream-java: vulnerable to CVE-2021-391{{39..41},{44..54}}
Reported by: Alex Thiessen <alex.thiessen.de+debian@gmail.com>
Date: Fri, 29 Oct 2021 08:00:02 UTC
Severity: important
Tags: fixed-upstream, security, upstream
Found in version libxstream-java/1.4.15-3
Fixed in version libxstream-java/1.4.18-1
Done: Salvatore Bonaccorso <carnil@debian.org>
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, alex.thiessen.de+debian@gmail.com, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
:
Bug#998054
; Package libxstream-java
.
(Fri, 29 Oct 2021 08:00:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Alex Thiessen <alex.thiessen.de+debian@gmail.com>
:
New Bug report received and forwarded. Copy sent to alex.thiessen.de+debian@gmail.com, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
.
(Fri, 29 Oct 2021 08:00:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: libxstream-java
Version: 1.4.15-3
Severity: important
X-Debbugs-Cc: alex.thiessen.de+debian@gmail.com
Dear Maintainer,
* What led up to the situation?
Package installed, the machine scanned by the IT department and
found vulnerable to a set of CVEs. According to
https://x-stream.github.io/security.html, it's:
- CVE-2021-39139 XStream is vulnerable to an Arbitrary Code Execution attack.
- CVE-2021-39140 XStream can cause a Denial of Service.
- CVE-2021-39141 XStream is vulnerable to an Arbitrary Code Execution attack.
- CVE-2021-39144 XStream is vulnerable to a Remote Command Execution attack.
- CVE-2021-39145 XStream is vulnerable to an Arbitrary Code Execution attack.
- CVE-2021-39146 XStream is vulnerable to an Arbitrary Code Execution attack.
- CVE-2021-39147 XStream is vulnerable to an Arbitrary Code Execution attack.
- CVE-2021-39148 XStream is vulnerable to an Arbitrary Code Execution attack.
- CVE-2021-39149 XStream is vulnerable to an Arbitrary Code Execution attack.
- CVE-2021-39150 A Server-Side Forgery Request can be activated unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the local host.
- CVE-2021-39151 XStream is vulnerable to an Arbitrary Code Execution attack.
- CVE-2021-39152 A Server-Side Forgery Request can be activated unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the local host.
- CVE-2021-39153 XStream is vulnerable to an Arbitrary Code Execution attack.
- CVE-2021-39154 XStream is vulnerable to an Arbitrary Code Execution attack.
* What exactly did you do (or not do) that was effective (or
ineffective)?
Checked Debian website for security fixes of the package. Checked
the changelog to see if the CVEs were fixed by a patch.
* What was the outcome of this action?
No newer version with CVEs fixed available for Debian stable to
insntall out of the box.
* What outcome did you expect instead?
A package with the CVEs fixed.
-- System Information:
Debian Release: 11.1
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.10.0-9-amd64 (SMP w/12 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: unable to detect
Versions of packages libxstream-java depends on:
ii libxpp3-java 1.1.4c-3
libxstream-java recommends no packages.
Versions of packages libxstream-java suggests:
pn libcglib-nodep-java <none>
pn libdom4j-java <none>
pn libjdom1-java <none>
pn libjdom2-java <none>
pn libjettison-java <none>
pn libjoda-time-java <none>
pn libkxml2-java <none>
pn libwoodstox-java <none>
pn libxom-java <none>
-- no debconf information
Marked as fixed in versions libxstream-java/1.4.18-1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org
.
(Fri, 29 Oct 2021 20:03:05 GMT) (full text, mbox, link).
Marked Bug as done
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org
.
(Fri, 29 Oct 2021 20:03:05 GMT) (full text, mbox, link).
Notification sent
to Alex Thiessen <alex.thiessen.de+debian@gmail.com>
:
Bug acknowledged by developer.
(Fri, 29 Oct 2021 20:03:06 GMT) (full text, mbox, link).
Message sent on
to Alex Thiessen <alex.thiessen.de+debian@gmail.com>
:
Bug#998054.
(Fri, 29 Oct 2021 20:03:07 GMT) (full text, mbox, link).
Message #14 received at 998054-submitter@bugs.debian.org (full text, mbox, reply):
close 998054 1.4.18-1
thanks
Track the fixed version containing the fix already in unstable.
Added tag(s) fixed-upstream, security, and upstream.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org
.
(Fri, 29 Oct 2021 20:06:03 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Sat Oct 30 14:36:49 2021;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.