Your message dated Sat, 27 May 2017 12:33:35 +0000
with message-id <e1deauv-000izr...@fasolo.debian.org>
and subject line Bug#861521: fixed in libxstream-java 1.4.7-2+deb8u2
has caused the Debian Bug report #861521,
regarding libxstream-java: CVE-2017-7957
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
861521: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861521
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libxstream-java
Version: 1.4.7-2
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for libxstream-java.

CVE-2017-7957[0]:
| XStream through 1.4.9, when a certain denyTypes workaround is not used,
| mishandles attempts to create an instance of the primitive type 'void'
| during unmarshalling, leading to a remote application crash, as
| demonstrated by an xstream.fromXML("<void/>") call.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-7957
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7957
[1] https://x-stream.github.io/CVE-2017-7957.html

Regards,
Salvatore

--- End Message ---
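
The denyTypes workaround named in the CVE text, as an added example that is not part of the bug report or of XStream's own code. It assumes the XStream jar is on the classpath and that the workaround is the deny list for `void.class` and `Void.class` given in the upstream advisory [1]; the class and method names are hypothetical.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.ForbiddenClassException;

// Hypothetical helper class for illustration.
public class VoidDenyExample {

    // Build an XStream instance that refuses to resolve 'void' and
    // java.lang.Void, so the type is rejected before any instance
    // creation is attempted during unmarshalling.
    static XStream hardened() {
        XStream xstream = new XStream();
        xstream.denyTypes(new Class[] { void.class, Void.class });
        return xstream;
    }

    // Returns the unmarshalled object, or null if the input was rejected.
    static Object parseUntrusted(XStream xstream, String xml) {
        try {
            return xstream.fromXML(xml);
        } catch (ForbiddenClassException e) {
            // Denied type: log and drop the request instead of failing hard.
            System.err.println("rejected forbidden type: " + e.getMessage());
            return null;
        } catch (XStreamException e) {
            // Any other unmarshalling failure on untrusted input.
            System.err.println("rejected malformed input: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        XStream xstream = hardened();

        // The input quoted in the CVE description.
        Object denied = parseUntrusted(xstream, "<void/>");
        System.out.println("<void/> accepted: " + (denied != null));

        // Constructed benign input, to confirm normal unmarshalling still works.
        Object ok = parseUntrusted(xstream, "<string>hello</string>");
        System.out.println("benign input: " + ok);
    }
}
```

Running this against the fixed package and against an unpatched one with the deny list in place should give the same result: the `<void/>` input is rejected with an exception the caller can handle.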
--- Begin Message ---
Source: libxstream-java
Source-Version: 1.4.7-2+deb8u2

We believe that the bug you reported is fixed in the latest version of
libxstream-java, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 861...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg <ebo...@apache.org> (supplier of updated libxstream-java package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 02 May 2017 17:21:00 +0200
Source: libxstream-java
Binary: libxstream-java
Architecture: source all
Version: 1.4.7-2+deb8u2
Distribution: jessie-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebo...@apache.org>
Description:
 libxstream-java - Java library to serialize objects to XML and back again
Closes: 861521
Changes:
 libxstream-java (1.4.7-2+deb8u2) jessie-security; urgency=high
 .
   * Fixed CVE-2017-7957: Attempts to create an instance of the primitive
     type 'void' during unmarshalling lead to a remote application crash.
     (Closes: #861521)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--- End Message ---
