Your message dated Sun, 31 Aug 2025 19:19:12 +0000
with message-id <[email protected]>
and subject line Bug#1109125: fixed in libcommons-lang3-java 3.17.0-2
has caused the Debian Bug report #1109125,
regarding libcommons-lang3-java: CVE-2025-48924
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1109125: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109125
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libcommons-lang3-java
Version: 3.17.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: clone -1 -2
Control: found -1 3.12.0-2
Control: reassign -2 src:libcommons-lang-java 2.6-10
Control: found -2 2.6-9


Hi,

The following vulnerability was published for commons-lang.

CVE-2025-48924[0]:
| Uncontrolled Recursion vulnerability in Apache Commons Lang.  This
| issue affects Apache Commons Lang: Starting with
| commons-lang:commons-lang 2.0 to 2.6, and, from
| org.apache.commons:commons-lang3 3.0 before 3.18.0.  The methods
| ClassUtils.getClass(...) can throw StackOverflowError on very long
| inputs. Because an Error is usually not handled by applications and
| libraries, a StackOverflowError could cause an application to stop.
| Users are recommended to upgrade to version 3.18.0, which fixes the
| issue.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-48924
    https://www.cve.org/CVERecord?id=CVE-2025-48924
[1] https://www.openwall.com/lists/oss-security/2025/07/11/1

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: libcommons-lang3-java
Source-Version: 3.17.0-2
Done: Daniel Leidert <[email protected]>

We believe that the bug you reported is fixed in the latest version of
libcommons-lang3-java, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Leidert <[email protected]> (supplier of updated libcommons-lang3-java package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 31 Aug 2025 20:22:43 +0200
Source: libcommons-lang3-java
Architecture: source
Version: 3.17.0-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: Daniel Leidert <[email protected]>
Closes: 1109125
Changes:
 libcommons-lang3-java (3.17.0-2) unstable; urgency=medium
 .
   * Team upload.
   * d/patches/CVE-2025-48924.patch: Add patch to fix CVE-2025-48924.
     - Fix an uncontrolled recursion vulnerability (closes: 1109125).


--- End Message ---
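
Added example (not part of the original messages and not Debian's own tooling): the CVE text names upstream 3.18.0 as the fixed release, while the closure message fixes unstable in 3.17.0-2 through a Debian patch, so a scanner that only matches the upstream range reports a false positive on the patched package. The sketch below compares versions using dpkg's ordering rules and classifies an installed version. The names deb_cmp and triage are hypothetical, and the result applies to unstable only, since the page gives no fixed version for other suites.

```python
import re

FIXED_IN_UNSTABLE = "3.17.0-2"  # Source-Version from the closure message
UPSTREAM_FIXED = "3.18.0"       # fixed upstream release named in the CVE text

def _weight(c):
    # dpkg ordering: '~' < end of string < letters < other characters
    if c in ("", "~"):
        return -1 if c == "~" else 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _nondigit(s, k):
    # Character at k if it is a non-digit, else "" (digit or end of string)
    return s[k] if k < len(s) and not s[k].isdigit() else ""

def _cmp_part(a, b):
    """Compare an upstream-version or revision string the way dpkg does."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: compare character weights one position at a time.
        while _nondigit(a, i) or _nondigit(b, j):
            wa, wb = _weight(_nondigit(a, i)), _weight(_nondigit(b, j))
            if wa != wb:
                return -1 if wa < wb else 1
            i, j = i + 1, j + 1
        # Digit run: compare numerically; an empty run counts as 0.
        da, db = (re.match(r"[0-9]*", s).group() for s in (a[i:], b[j:]))
        na, nb = int(da or 0), int(db or 0)
        if na != nb:
            return -1 if na < nb else 1
        i, j = i + len(da), j + len(db)
    return 0

def _split(v):
    # [epoch:]upstream[-revision]; epoch ends at the first ':', revision starts at the last '-'
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, sep, rev = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), (rev if sep else "")

def deb_cmp(x, y):
    """Return -1, 0 or 1 following Debian version ordering."""
    (ex, ux, rx), (ey, uy, ry) = _split(x), _split(y)
    if ex != ey:
        return -1 if ex < ey else 1
    return _cmp_part(ux, uy) or _cmp_part(rx, ry)

def triage(installed):
    """Classify an unstable libcommons-lang3-java version for CVE-2025-48924."""
    if deb_cmp(installed, FIXED_IN_UNSTABLE) < 0:
        return "vulnerable"
    # >= 3.17.0-2 carries d/patches/CVE-2025-48924.patch even if upstream < 3.18.0
    return "fixed-by-debian-patch" if deb_cmp(installed, UPSTREAM_FIXED) < 0 else "fixed-upstream"
```

For the versions named in the thread, triage("3.12.0-2") and triage("3.17.0-1") return "vulnerable" and triage("3.17.0-2") returns "fixed-by-debian-patch"; a constructed version such as "3.18.0-1" returns "fixed-upstream".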