Bug#770780: Apache ActiveMQ Packaged with Old XStream Library
Hello Tony,

You are right, XStream 1.4.2 is only packaged for stable; testing and unstable ship 1.4.7. Backporting the security fix or upgrading the stable version is still something to consider though.

Thanks,
G.

From: tony mancill tmanc...@debian.org
Sent: Monday, November 24, 2014 5:36 AM
To: Georgi Geshev; 770...@bugs.debian.org
Subject: Re: Bug#770780: Apache ActiveMQ Packaged with Old XStream Library

On 11/23/2014 04:54 PM, Georgi Geshev wrote:
> Package: activemq
> Version: 5.6.0+dfsg-1
>
> Apache ActiveMQ as packaged for Debian seems to ship with an old XStream (1.4.2) library[1][2] which allows for instantiating arbitrary classes. This could be leveraged for system command execution as demonstrated against versions before 1.4.7.

Hello Georgi,

Thank you for the bug report. Could you confirm that this bug report is for Debian stable (wheezy)? Debian testing has had xstream 1.4.7 since March of 2014. Therefore, I believe this is a security bug against the version of libxstream-java found in wheezy.

Note that activemq ships a symlink to /usr/share/java/xstream.jar and not the JAR itself, which is installed by the libxstream-java package. If you need an immediate fix, you should be able to install a newer xstream [0] .deb (or symlink to another newer copy of xstream on your system).

Thank you,
tony

[0] https://packages.qa.debian.org/libx/libxstream-java.html

__
This is the maintainer address of Debian's Java team http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers. Please use debian-j...@lists.debian.org for discussions and questions.
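A check a practitioner on wheezy would want after Tony's note that activemq only symlinks /usr/share/java/xstream.jar: resolve the link and read the version out of the real JAR's manifest, rather than trusting the activemq package version. This is an added example, not code from the thread or from either Debian package. It builds constructed stand-in JARs in a temporary directory instead of touching /usr/share/java, assumes the version is carried in the standard Implementation-Version (or Bundle-Version) manifest attribute (how the Debian-built JAR is labelled is not stated in the thread), and uses 1.4.7 as the minimum because that is the first version the report treats as fixed.

```python
import os
import re
import tempfile
import zipfile

# First XStream release with the fix the thread discusses backporting.
# Treated here as the minimum acceptable version behind the symlink.
MIN_SAFE_XSTREAM = (1, 4, 7)


def parse_version(text):
    """'1.4.10' -> (1, 4, 10). Comparing numeric tuples avoids the string
    comparison trap, where '1.4.10' sorts below '1.4.7'."""
    match = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not match:
        raise ValueError("unparseable version: %r" % text)
    return tuple(int(part or 0) for part in match.groups())


def manifest_attributes(jar_path):
    """Main-section attributes of META-INF/MANIFEST.MF as a dict; JAR-spec
    continuation lines (leading space) are folded into the previous value."""
    with zipfile.ZipFile(jar_path) as jar:
        raw = jar.read("META-INF/MANIFEST.MF").decode("utf-8")
    attrs = {}
    last = None
    for line in raw.splitlines():
        if not line.strip():
            break  # blank line ends the main section
        if line.startswith(" ") and last:
            attrs[last] += line[1:]
        elif ":" in line:
            key, _, value = line.partition(":")
            last = key.strip()
            attrs[last] = value.strip()
    return attrs


def check_xstream_jar(path, minimum=MIN_SAFE_XSTREAM):
    """Follow the symlink activemq installs, read the real JAR's version and
    compare it with the minimum. Returns a small report dict."""
    real = os.path.realpath(path)
    attrs = manifest_attributes(real)
    version = attrs.get("Implementation-Version") or attrs.get("Bundle-Version")
    ok = version is not None and parse_version(version) >= minimum
    return {"link": path, "jar": real, "version": version, "ok": ok}


def make_sample_jar(path, version):
    """Constructed sample: a JAR whose manifest carries only a version. It
    stands in for libxstream-java's xstream.jar and is not the real library."""
    manifest = "Manifest-Version: 1.0\nImplementation-Version: %s\n\n" % version
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)


def demo():
    """Simulate the /usr/share/java layout: activemq's xstream.jar symlink
    pointing first at the wheezy-era 1.4.2 JAR, then at a newer one."""
    root = tempfile.mkdtemp()
    old = os.path.join(root, "xstream-1.4.2.jar")
    new = os.path.join(root, "xstream-1.4.10.jar")
    link = os.path.join(root, "xstream.jar")
    make_sample_jar(old, "1.4.2")
    make_sample_jar(new, "1.4.10")

    os.symlink(old, link)
    before = check_xstream_jar(link)
    os.remove(link)
    os.symlink(new, link)  # what installing the newer .deb, or re-pointing the link, does
    after = check_xstream_jar(link)
    return before, after


if __name__ == "__main__":
    for report in demo():
        verdict = "OK" if report["ok"] else "below 1.4.7, arbitrary-class instantiation possible"
        print("%s -> %s: version %s: %s" % (report["link"], report["jar"], report["version"], verdict))
```

On a real system, point check_xstream_jar at /usr/share/java/xstream.jar; the report's "jar" field shows which file activemq actually loads, which is the thing dpkg's version of activemq does not tell you.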
Bug#771537: freeplane: should relax to depend on default-jre | java-runtime
Hello Jonas, hello Tony,

Thanks for reporting. I am the maintainer of freeplane, simplyhtml, libidw-java and jmapviewer. I would like to fix this in jessie+1 because it's not a critical bug and (as you stated) it would require unblocking freeplane, simplyhtml and jmapviewer [1]. Furthermore, the freeplane wiki page which refers to Java1.6 may not be up-to-date, as most devs use Java7 or Java8 and might accidentally have committed code for Java = 7.

[1] libidw-java is not affected since it uses:
    Depends: ${java:Depends}, ${misc:Depends}
and because it includes no executable jars, there is no dependency on a JRE (from /usr/share/doc/javahelper/tutorial.txt.gz).

Cheers and Best Regards,
--
Felix Natter
Bug#771861: RFP: procyon -- suite of Java metaprogramming tools focused on code generation and analysis
Package: wnpp
Severity: wishlist

* Package name    : procyon
  Version         : 0.5.27
  Upstream Author : Mike Strobel mike.stro...@gmail.com
* URL             : https://bitbucket.org/mstrobel/procyon
* License         : Apache License 2.0
  Programming Lang: Java
  Description     : suite of Java metaprogramming tools focused on code generation and analysis

Procyon is a suite of Java metaprogramming tools focused on code generation and analysis. It includes the following libraries:

* Core Framework
* Reflection Framework
* Expressions Framework
* Compiler Toolset (Experimental)
* Java Decompiler

---

Debian doesn't have a Java Decompiler and this one, besides being Free Software, is actively maintained.

--
Rogério Brito : rbrito@{ime.usp.br,gmail.com} : GPG key 4096R/BCFC
http://cynic.cc/blog/ : github.com/rbrito : profiles.google.com/rbrito
DebianQA: http://qa.debian.org/developer.php?login=rbrito%40ime.usp.br