Your message dated Sun, 31 Aug 2025 17:19:28 +0000
with message-id <[email protected]>
and subject line Bug#1109126: fixed in libcommons-lang-java 2.6-11
has caused the Debian Bug report #1109126,
regarding libcommons-lang3-java: CVE-2025-48924
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1109126: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109126
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libcommons-lang3-java
Version: 3.17.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: clone -1 -2
Control: found -1 3.12.0-2
Control: reassign -2 src:libcommons-lang-java 2.6-10
Control: found -2 2.6-9


Hi,

The following vulnerability was published for commons-lang.

CVE-2025-48924[0]:
| Uncontrolled Recursion vulnerability in Apache Commons Lang.  This
| issue affects Apache Commons Lang: Starting with commons-
| lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-
| lang3 3.0 before 3.18.0.  The methods ClassUtils.getClass(...) can
| throw StackOverflowError on very long inputs. Because an Error is
| usually not handled by applications and libraries, a
| StackOverflowError could cause an application to stop.  Users are
| recommended to upgrade to version 3.18.0, which fixes the issue.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-48924
    https://www.cve.org/CVERecord?id=CVE-2025-48924
[1] https://www.openwall.com/lists/oss-security/2025/07/11/1

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
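For callers that cannot yet move to a fixed version, a guard against the failure mode in the CVE text above. This is an added example, not part of the bug report or of Commons Lang. `GuardedClassLookup` and the 512-character cap are assumptions for illustration. On the 2.x line the import is `org.apache.commons.lang.ClassUtils`.

```java
import org.apache.commons.lang3.ClassUtils;

/** Added example: bounds untrusted input before it reaches ClassUtils.getClass. */
public final class GuardedClassLookup {

    // Assumed cap for this example; set it to the longest class name
    // the application legitimately needs to resolve.
    static final int MAX_NAME_LENGTH = 512;

    private GuardedClassLookup() {}

    public static Class<?> resolve(String untrustedName) throws ClassNotFoundException {
        if (untrustedName == null || untrustedName.isEmpty()) {
            throw new ClassNotFoundException("empty class name");
        }
        if (untrustedName.length() > MAX_NAME_LENGTH) {
            // Reject very long names before the library processes them.
            throw new ClassNotFoundException(
                    "class name longer than " + MAX_NAME_LENGTH + " characters");
        }
        try {
            return ClassUtils.getClass(untrustedName);
        } catch (StackOverflowError e) {
            // StackOverflowError is an Error, so catch (Exception e) blocks
            // never see it. Convert it to the checked exception callers of
            // a class lookup already handle.
            throw new ClassNotFoundException("class lookup aborted: stack exhausted", e);
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs.
        String[] samples = { "java.lang.String", "java.util.Map.Entry", "no.such.Type" };
        for (String name : samples) {
            try {
                System.out.println(name + " -> " + resolve(name).getName());
            } catch (ClassNotFoundException e) {
                System.out.println(name + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```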
--- Begin Message ---
Source: libcommons-lang-java
Source-Version: 2.6-11
Done: Daniel Leidert <[email protected]>

We believe that the bug you reported is fixed in the latest version of
libcommons-lang-java, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Leidert <[email protected]> (supplier of updated libcommons-lang-java package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 31 Aug 2025 18:47:31 +0200
Source: libcommons-lang-java
Architecture: source
Version: 2.6-11
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: Daniel Leidert <[email protected]>
Closes: 1109126
Changes:
 libcommons-lang-java (2.6-11) unstable; urgency=medium
 .
   * Team upload.
   * d/patches/03-CVE-2025-48924.patch: Add patch to fix CVE-2025-48924.
     - Fix an uncontrolled recursion vulnerability (closes: 1109126).
Checksums-Sha1:
 b3f8af6594b3db318edaed31398083af312b04eb 2236 libcommons-lang-java_2.6-11.dsc
 e9bdabfe1f82a186456147de49cfb88eeea3f9d2 9320 libcommons-lang-java_2.6-11.debian.tar.xz
 3bfdee54e971d27a242df82a6c49394e49f4e658 11515 libcommons-lang-java_2.6-11_amd64.buildinfo
Checksums-Sha256:
 29edb77f822a6648b7e4ad3a5e4c998f74d32cccf76c17e233acf047cb7c2766 2236 libcommons-lang-java_2.6-11.dsc
 8337e0a7a7bc085ec7a51c50a09569ed6a3f1198e6d5dbe01cffa8f673d23016 9320 libcommons-lang-java_2.6-11.debian.tar.xz
 eaf15a83ada2fe660ee9fdb839b597ab3a8571cb4723eee4ef9498b109ccb483 11515 libcommons-lang-java_2.6-11_amd64.buildinfo
Files:
 7a09ae095212fc03cffdaaa7a4b82aba 2236 java optional libcommons-lang-java_2.6-11.dsc
 8167e526f6bdbd412a03a1719898e2f8 9320 java optional libcommons-lang-java_2.6-11.debian.tar.xz
 333c3698aa4ee6a63221baeca9b6e159 11515 java optional libcommons-lang-java_2.6-11_amd64.buildinfo



--- End Message ---
__
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use [email protected] for discussions and questions.
