Your message dated Sat, 08 Feb 2020 16:35:04 +0000
with message-id <e1j0t4s-000iwc...@fasolo.debian.org>
and subject line Bug#949089: fixed in libxmlrpc3-java 3.1.3-8+deb9u1
has caused the Debian Bug report #949089,
regarding libxmlrpc3-java: CVE-2019-17570: deserialization of server-side 
exception from faultCause in XMLRPC error response
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
949089: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=949089
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libxmlrpc3-java
Version: 3.1.3-9
Severity: grave
Tags: security upstream
Justification: user security hole

Hi,

The following vulnerability was published for libxmlrpc3-java.

CVE-2019-17570[0]:
| Deserialization of server-side exception from faultCause in XMLRPC
| error response

That said, should libxmlrpc3-java rather be removed from unstable, and
not included in bullseye?

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-17570
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17570
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1775193

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: libxmlrpc3-java
Source-Version: 3.1.3-8+deb9u1

We believe that the bug you reported is fixed in the latest version of
libxmlrpc3-java, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 949...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <a...@debian.org> (supplier of updated libxmlrpc3-java package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 06 Feb 2020 18:19:21 +0100
Source: libxmlrpc3-java
Binary: libxmlrpc3-common-java libxmlrpc3-client-java libxmlrpc3-server-java libxmlrpc3-java-doc
Architecture: source all
Version: 3.1.3-8+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Markus Koschany <a...@debian.org>
Description:
 libxmlrpc3-client-java - XML-RPC implementation in Java (client side)
 libxmlrpc3-common-java - XML-RPC implementation in Java
 libxmlrpc3-java-doc - XML-RPC implementation in Java (API documentation)
 libxmlrpc3-server-java - XML-RPC implementation in Java (server side)
Closes: 949089
Changes:
 libxmlrpc3-java (3.1.3-8+deb9u1) stretch-security; urgency=high
 .
   * Team upload.
   * Fix CVE-2019-17570:
     An untrusted deserialization was found in the
     org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult method of Apache
     XML-RPC (aka ws-xmlrpc) library. A malicious XML-RPC server could target a
     XML-RPC client causing it to execute arbitrary code.
 .
     Clients that expect to get server-side exceptions need to set the
     enabledForExceptions property to true in order to process serialized
     exception messages. (Closes: #949089)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
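
The changelog above says that after the fix a client only processes a serialized server-side exception if enabledForExceptions is set to true. The following is an added example, not code from the Debian package or from Apache XML-RPC, that models that gate using only the JDK (9 or later). The class and method names are hypothetical, and the ObjectInputFilter allow-list is an extra hardening assumption that the changelog does not mention.

```java
import java.io.*;
import java.util.*;

// Added illustration (JDK 9+ only): models the behaviour the changelog describes.
// Not the Apache XML-RPC source; class, method and filter choices are hypothetical.
public class FaultCauseGate {
    // Assumed allow-list: core java.lang/java.util types only, shallow object graphs.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=10;maxbytes=65536;java.lang.*;java.util.*;!*");

    /** Turns a parsed fault struct into an exception; the cause is read only on opt-in. */
    static Exception toException(Map<String, Object> fault, boolean enabledForExceptions) {
        Exception e = new Exception(fault.get("faultCode") + ": " + fault.get("faultString"));
        Object raw = fault.get("faultCause");
        if (!enabledForExceptions || !(raw instanceof byte[])) {
            return e; // flag off: server-supplied bytes are never deserialized
        }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream((byte[]) raw))) {
            in.setObjectInputFilter(FILTER); // classes are checked before they are instantiated
            Object o = in.readObject();
            if (o instanceof Throwable) {
                e.initCause((Throwable) o);
            }
        } catch (IOException | ClassNotFoundException rejected) {
            // filtered or malformed cause: keep the plain fault, drop the payload
        }
        return e;
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        }
        return buf.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample fault struct standing in for a parsed <fault> response.
        Map<String, Object> fault = new HashMap<>();
        fault.put("faultCode", 1);
        fault.put("faultString", "backend failed");
        fault.put("faultCause", serialize(new IllegalStateException("db down")));
        System.out.println(toException(fault, false).getCause()); // flag off: cause bytes ignored
        System.out.println(toException(fault, true).getCause());  // opt-in: cause read under the filter
        fault.put("faultCause", serialize(new File("/tmp/x")));   // java.io.* is outside the allow-list
        System.out.println(toException(fault, true).getCause());  // opt-in, class rejected by the filter
    }
}
```

Clients that talk to servers they do not control should leave the flag off; the filter only narrows what an opted-in client will accept.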
