Your message dated Sat, 08 Feb 2020 16:32:13 +0000
with message-id <e1j0t1h-000ivk...@fasolo.debian.org>
and subject line Bug#949089: fixed in libxmlrpc3-java 3.1.3-9+deb10u1
has caused the Debian Bug report #949089,
regarding libxmlrpc3-java: CVE-2019-17570: deserialization of server-side exception from faultCause in XMLRPC error response
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
949089: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=949089
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libxmlrpc3-java
Version: 3.1.3-9
Severity: grave
Tags: security upstream
Justification: user security hole

Hi,

The following vulnerability was published for libxmlrpc3-java.

CVE-2019-17570[0]:
| Deserialization of server-side exception from faultCause in XMLRPC
| error response

That said, should libxmlrpc3-java rather be removed from unstable, and
not included in bullseye?

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-17570
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17570
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1775193

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: libxmlrpc3-java
Source-Version: 3.1.3-9+deb10u1

We believe that the bug you reported is fixed in the latest version of
libxmlrpc3-java, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 949...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <a...@debian.org> (supplier of updated libxmlrpc3-java package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 06 Feb 2020 17:57:54 +0100
Source: libxmlrpc3-java
Binary: libxmlrpc3-client-java libxmlrpc3-common-java libxmlrpc3-java-doc libxmlrpc3-server-java
Architecture: source all
Version: 3.1.3-9+deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Markus Koschany <a...@debian.org>
Description:
 libxmlrpc3-client-java - XML-RPC implementation in Java (client side)
 libxmlrpc3-common-java - XML-RPC implementation in Java
 libxmlrpc3-java-doc - XML-RPC implementation in Java (API documentation)
 libxmlrpc3-server-java - XML-RPC implementation in Java (server side)
Closes: 949089
Changes:
 libxmlrpc3-java (3.1.3-9+deb10u1) buster-security; urgency=high
 .
   * Team upload.
   * Fix CVE-2019-17570:
     An untrusted deserialization was found in the
     org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult method of Apache
     XML-RPC (aka ws-xmlrpc) library. A malicious XML-RPC server could target a
     XML-RPC client causing it to execute arbitrary code.
 .
     Clients that expect to get server-side exceptions need to set the
     enabledForExceptions property to true in order to process serialized
     exception messages. (Closes: #949089)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
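
The changelog above says patched clients only process the serialized exception carried in `faultCause` when `enabledForExceptions` is set. As an added example (not part of the bug report or the package), this Python check flags XML-RPC fault responses that carry such a payload, for instance when reviewing captured responses; it assumes `faultCause` arrives as a base64 value holding a Java serialization stream, and the sample responses are constructed.

```python
import base64
import xml.etree.ElementTree as ET

# Header of every Java ObjectOutputStream: STREAM_MAGIC (0xACED) + STREAM_VERSION (5).
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"


def _local(tag):
    """Drop any XML namespace so extension-typed elements still match."""
    return tag.rsplit("}", 1)[-1]


def fault_members(response_xml):
    """Map member name -> <value> element for the <fault> struct ({} if no fault)."""
    root = ET.fromstring(response_xml)
    fault = next((e for e in root.iter() if _local(e.tag) == "fault"), None)
    members = {}
    for member in ([] if fault is None else fault.iter()):
        if _local(member.tag) != "member":
            continue
        name = next((c for c in member if _local(c.tag) == "name"), None)
        value = next((c for c in member if _local(c.tag) == "value"), None)
        if name is not None and value is not None:
            members[(name.text or "").strip()] = value
    return members


def carries_serialized_cause(response_xml):
    """True if faultCause decodes to a Java serialization stream."""
    value = fault_members(response_xml).get("faultCause")
    if value is None:
        return False
    try:
        raw = base64.b64decode("".join(value.itertext()).strip())
    except ValueError:  # binascii.Error: not valid base64
        return False
    return raw.startswith(JAVA_STREAM_MAGIC)


def _fault(extra=""):
    """Constructed fault response; `extra` is an optional additional <member>."""
    return ("<methodResponse><fault><value><struct>"
            "<member><name>faultCode</name><value><int>0</int></value></member>"
            "<member><name>faultString</name><value>constructed</value></member>"
            + extra + "</struct></value></fault></methodResponse>")


# Constructed samples: the payload is the stream header plus inert filler bytes.
CAUSE_B64 = base64.b64encode(JAVA_STREAM_MAGIC + b"constructed-filler").decode()
SAMPLE_PLAIN = _fault()
SAMPLE_WITH_CAUSE = _fault("<member><name>faultCause</name><value><base64>"
                           + CAUSE_B64 + "</base64></value></member>")
```

A hit only means the server sent a serialized object in the fault; whether the client deserializes it depends on the installed library version and the `enabledForExceptions` setting described in the changelog.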
