Debian Bug report logs -
#770544
resteasy: CVE-2014-7839: External entities expanded by DocumentProvider
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Sat, 22 Nov 2014 09:57:01 UTC
Severity: grave
Tags: security, upstream
Found in version resteasy/3.0.6-1
Fixed in version resteasy/3.0.6-2
Done: Emmanuel Bourg <ebourg@apache.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#770544; Package src:resteasy.
(Sat, 22 Nov 2014 09:57:06 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>.
(Sat, 22 Nov 2014 09:57:06 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: resteasy
Version: 3.0.6-1
Severity: grave
Tags: security upstream
Hi,
the following vulnerability was published for resteasy. I have choosen
severity grave due to what is described in Red Hat's bugzilla about
the issue, but I don't know jboss/resteasy/... well enough, so feel
free to downgrade to important if you don't agree.
CVE-2014-7839[0]:
External entities expanded by DocumentProvider
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2014-7839
[1] https://issues.jboss.org/browse/RESTEASY-1130
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1165328
Regards,
Salvatore
Reply sent
to Emmanuel Bourg <ebourg@apache.org>:
You have taken responsibility.
(Mon, 24 Nov 2014 22:57:20 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Mon, 24 Nov 2014 22:57:20 GMT) (full text, mbox, link).
Message #10 received at 770544-close@bugs.debian.org (full text, mbox, reply):
Source: resteasy
Source-Version: 3.0.6-2
We believe that the bug you reported is fixed in the latest version of
resteasy, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 770544@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Emmanuel Bourg <ebourg@apache.org> (supplier of updated resteasy package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Mon, 24 Nov 2014 23:36:45 +0100
Source: resteasy
Binary: libresteasy-java
Architecture: source all
Version: 3.0.6-2
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebourg@apache.org>
Description:
libresteasy-java - RESTEasy -- Framework for RESTful Web services and Java applicati
Closes: 770544
Changes:
resteasy (3.0.6-2) unstable; urgency=high
.
* Team upload.
* Fix CVE-2014-7839: External entities expanded by DocumentProvider
(Closes: #770544)
* Standards-Version updated to 3.9.6 (no changes)
Checksums-Sha1:
d3b5afc588d3c4e8e30f512f6c73148dd7133db0 2286 resteasy_3.0.6-2.dsc
0a7fb3a75731cd23e385000c8eaa5148f837c461 11920 resteasy_3.0.6-2.debian.tar.xz
4c47857deae94423529f715d81b9b3faa6a9ce3f 1191620 libresteasy-java_3.0.6-2_all.deb
Checksums-Sha256:
03eae3432d98e0ee9dc71977fe119d762fbce84a36ecee83f8e7469ca3fc10fa 2286 resteasy_3.0.6-2.dsc
f8e784998d491d8fc4e1f8a9014a9662d34be95ea0aa029f001c93cc07de8d3b 11920 resteasy_3.0.6-2.debian.tar.xz
4be92b2484634439ab4eade1c319ff6a01667b572e9569840c9a757b64176e3d 1191620 libresteasy-java_3.0.6-2_all.deb
Files:
949336df326f08b5bde5faa8919cf8df 2286 java optional resteasy_3.0.6-2.dsc
c6de2ea537163890e827053b76c10747 11920 java optional resteasy_3.0.6-2.debian.tar.xz
eae9b861c9b848c8b4682d2cfce2db4c 1191620 java optional libresteasy-java_3.0.6-2_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBAgAGBQJUc7RfAAoJEPUTxBnkudCspPQP/ilgqjb3bDqWEfErMLjYduAO
w+navVAlRPUR42s4lGu1nvzgsD9wXKoUMDIZ8D2XLctl+N9RQyygb9eHk694mlNz
Qrbm0zYVG54vOzp1gLhDJUMd9rmhJDaPr+2GLzw5QwN3Qj3brI7UU8L0eJbmU8I4
msdLYGERLVzD831zZ2151fvX1Dakvf2/noL1UN/+JMM07QAF7c41SFK78Q39hEQU
Y3QBW+4sz0O2qAgD8RlK54YRcQyuSAMcLKSTx3BaTUKFEwmpO/jGU0vFpzsw7XFj
vp6ux5UsaNbZ8In1XDcjCoBTBCi64hHPurBiK2mgliT98lsNdMJnUBlTeYmBH0jL
eIbLE9/3qF725kVWi2qqMkMHACvEBknT2zi6wCipbgdVpDSCXwbXpR5whqr4d0zE
bzXRfA5aTsUpsgiEtjYUUU39BfThFDJJcLAMLeRVzEgE0sjJFoZTxga52cf2Hrri
/VTZWYNM+mFHJnX1a1HCv/DPfL+u8QFGmVhc7IcdEBb+IpCMtDScPW+d5cckmz5r
nraktLT3w4iIWhNXCgjYI3dOkB1yKKBNgvJ+uoT0Eh+Ijagb+XyXVmAfacvdHcmn
c3H1iCdHaQQi1yKtZIHLIT5jDVeogc3gfr0NkrNv6tyw5Peil6vL1pcPwjrMKvga
vmTnbxWaH+3IAJAauEqE
=Vh0Q
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Thu, 25 Dec 2014 07:30:41 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 17:04:22 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon