Public bug reported:
Scheduled-For: ubuntu-25.07
Ubuntu: 2.2-2ubuntu1
Debian Unstable: 2.5.2-1
A new release of json-smart is available for syncing from Debian
Unstable.
The Ubuntu delta is already present in Debian unstable's source.
### New Debian Changes ###
json-smart (2.5.2-1) unstable; urgency=medium
* New upstream version 2.5.2:
- Fixes CVE-2024-57699: A security issue was found in Netplex Json-smart
2.5.0 through 2.5.1. When loading a specially crafted JSON input,
containing a large number of '{', a stack exhaustion can be triggered,
which could allow an attacker to cause a Denial of Service (DoS). This
issue exists because of an incomplete fix for CVE-2023-1370.
(Closes: #1095839)
* Refreshing patches
-- Pierre Gruet <[email protected]> Sun, 16 Feb 2025 15:47:20 +0100
json-smart (2.5.1-1) unstable; urgency=medium
* Team upload
* New upstream version 2.5.1 (Closes: #1068940)
* Refreshing patches
* Refreshing d/copyright
* Fixing Vcs-* fields in d/control
* Simplifying d/rules after the parent pom was removed from the source package
* Providing a parent pom in the debian/ directory, to be used during the build
* Packaging with jar instead of bundle
* Comparing milliseconds since epoch instead of precise instants in test
* Removing unneeded versioned B-D on maven-debian-helper
-- Pierre Gruet <[email protected]> Wed, 04 Dec 2024 22:16:05 +0100
json-smart (2.2-3) unstable; urgency=medium
* Team upload
* Add watch file
* Fix CVE-2023-1370: When reaching a '[' or '{' character
in the JSON input, the code parses an array or
an object respectively. It was discovered that the
code does not have any limit to the nesting of such arrays
or objects. Since the parsing of nested arrays and objects is
done recursively, nesting too many of them can cause
a stack exhaustion (stack overflow) and crash the software.
(Closes: #1033474)
* Use compat level 13
* Bump policy to 4.7.7
* Add salsa-CI
-- Bastien Roucariès <[email protected]> Sat, 13 Apr 2024 14:43:01 +0000
### Old Ubuntu Delta ###
json-smart (2.2-2ubuntu1) lunar; urgency=medium
* SECURITY UPDATE: DoS caused by unclosed quotes
- debian/patches/0004-CVE-2021-31684-Fix-indexOf.patch:
set right control variable for the indexOf function
in json-smart/src/main/java/net/minidev/json/
parser/JSONParserByteArray.java.
- CVE-2021-31684
* SECURITY UPDATE: DoS caused by uncontrolled nesting
- debian/patches/0005-CVE-2023-1370-stack-overflow-due-to-
excessive-recurs.patch: add limit for nested depth when processing
"{" or "[" in
json-smart/src/main/java/net/minidev/json/parser/JSONParserBase.java,
json-smart/src/main/java/net/minidev/json/parser/ParseException.java,
and json-smart/src/test/java/net/minidev/json/test/TestOverflow.java.
- CVE-2023-1370
-- David Fernandez Gonzalez <[email protected]> Tue, 11 Apr 2023 13:33:16 +0200
A successful build test for questing can be found here:
https://launchpad.net/~ebarretto/+archive/ubuntu/devel-testing/+packages?field.name_filter=json-smart&field.status_filter=published&field.series_filter=
** Affects: json-smart (Ubuntu)
Importance: Undecided
Assignee: Eduardo Barretto (ebarretto)
Status: Fix Released
** Changed in: json-smart (Ubuntu)
Status: New => In Progress
** Changed in: json-smart (Ubuntu)
Assignee: (unassigned) => Eduardo Barretto (ebarretto)
** Changed in: json-smart (Ubuntu)
Milestone: None => ubuntu-25.07
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2115972
Title:
Please sync json-smart from Debian Unstable for questing
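The changelog entries quoted in this sync request describe one bug class twice: a recursive-descent parser that recurses on every '[' or '{' with no depth limit (CVE-2023-1370), and a fix that did not cover input built from many '{' (CVE-2024-57699). The block below is an added example written for this page, not json-smart's code: a minimal recursive JSON parser in Python whose container entry points share a single depth check, run against constructed deeply nested payloads of both shapes. Python reports stack exhaustion as RecursionError where a JVM would throw StackOverflowError; the MAX_DEPTH value of 400, the payload sizes and all names here are assumptions.

```python
"""Nesting-depth limit in a recursive-descent JSON parser (constructed example)."""

class ParseException(ValueError):
    """Malformed input, or nesting beyond the configured limit."""

MAX_DEPTH = 400  # hypothetical default; the page does not state json-smart's value


class MiniJSONParser:
    """Every '[' or '{' costs two Python frames (_value -> _array/_object)."""

    def __init__(self, text, max_depth=None):
        self.s, self.i, self.depth = text, 0, 0
        self.max_depth = max_depth  # None reproduces the unbounded (vulnerable) behaviour

    def parse(self):
        value = self._value()
        self._ws()
        if self.i != len(self.s):
            raise ParseException(f"trailing data at offset {self.i}")
        return value

    def _ws(self):
        while self.i < len(self.s) and self.s[self.i] in " \t\r\n":
            self.i += 1

    def _peek(self):
        self._ws()
        return self.s[self.i] if self.i < len(self.s) else ""

    def _expect(self, ch):
        if self._peek() != ch:
            raise ParseException(f"expected {ch!r} at offset {self.i}")
        self.i += 1

    def _enter(self):
        # The fix: one check shared by both container types, so a payload of
        # repeated '{' is bounded exactly like a payload of repeated '['.
        self.depth += 1
        if self.max_depth is not None and self.depth > self.max_depth:
            raise ParseException(f"nesting depth exceeds {self.max_depth}")

    def _value(self):
        c = self._peek()
        if c == "[":
            return self._array()
        if c == "{":
            return self._object()
        if c == '"':
            return self._string()
        for lit, val in (("true", True), ("false", False), ("null", None)):
            if self.s.startswith(lit, self.i):
                self.i += len(lit)
                return val
        start = self.i
        while self.i < len(self.s) and self.s[self.i] in "-+.eE0123456789":
            self.i += 1
        if self.i == start:
            raise ParseException(f"unexpected {c!r} at offset {self.i}")
        tok = self.s[start:self.i]
        return float(tok) if any(x in tok for x in ".eE") else int(tok)

    def _array(self):
        self._enter()
        self.i += 1  # consume '['
        out = []
        while self._peek() != "]":
            if out:
                self._expect(",")
            out.append(self._value())
        self.i += 1
        self.depth -= 1
        return out

    def _object(self):
        self._enter()
        self.i += 1  # consume '{'
        out = {}
        while self._peek() != "}":
            if out:
                self._expect(",")
            key = self._string()
            self._expect(":")
            out[key] = self._value()
        self.i += 1
        self.depth -= 1
        return out

    def _string(self):
        self._expect('"')
        out = []
        while self.i < len(self.s):
            c = self.s[self.i]
            self.i += 1
            if c == '"':
                return "".join(out)
            if c == "\\" and self.i < len(self.s):  # minimal escape handling
                c, self.i = self.s[self.i], self.i + 1
            out.append(c)
        raise ParseException("unterminated string")


def parse_json(text, max_depth=MAX_DEPTH):
    return MiniJSONParser(text, max_depth).parse()


def failure_mode(text, max_depth):
    """'ok', 'ParseException' (controlled reject) or 'RecursionError' (stack exhausted)."""
    try:
        parse_json(text, max_depth)
        return "ok"
    except ParseException:
        return "ParseException"
    except RecursionError:
        return "RecursionError"


# Constructed payloads in the two shapes the changelogs describe.
ARRAY_BOMB = "[" * 100_000
OBJECT_BOMB = '{"a":' * 100_000

if __name__ == "__main__":
    for name, bomb in (("'[' bomb", ARRAY_BOMB), ("'{' bomb", OBJECT_BOMB)):
        print(f"{name}: unbounded -> {failure_mode(bomb, None)}, "
              f"bounded -> {failure_mode(bomb, MAX_DEPTH)}")
```

Run stand-alone, the unbounded parser exhausts the interpreter stack on both payloads while the bounded one rejects each with a ParseException after MAX_DEPTH levels; the useful review question for any such fix is whether every recursive entry point goes through the same check.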