reproducible.debian.net status changes for commons-exec

2017-03-10 Thread Reproducible builds folks
2017-03-04 22:21 
https://tests.reproducible-builds.org/debian/unstable/amd64/commons-exec 
changed from reproducible -> FTBFS

__
This is the maintainer address of Debian's Java team.
Please use debian-j...@lists.debian.org for discussions and questions.


reproducible.debian.net status changes for freehep-graphicsio-pdf

2017-03-10 Thread Reproducible builds folks
2017-02-22 10:46 
https://tests.reproducible-builds.org/debian/unstable/amd64/freehep-graphicsio-pdf
 changed from reproducible -> unreproducible



reproducible.debian.net status changes for jmock2

2017-03-10 Thread Reproducible builds folks
2017-02-22 23:08 
https://tests.reproducible-builds.org/debian/unstable/amd64/jmock2 changed from 
unreproducible -> FTBFS



reproducible.debian.net status changes for not-yet-commons-ssl

2017-03-10 Thread Reproducible builds folks
2017-03-07 21:01 
https://tests.reproducible-builds.org/debian/unstable/amd64/not-yet-commons-ssl 
changed from reproducible -> unreproducible



reproducible.debian.net status changes for libcommons-dbcp-java

2017-03-10 Thread Reproducible builds folks
2017-03-04 09:50 
https://tests.reproducible-builds.org/debian/unstable/amd64/libcommons-dbcp-java
 changed from reproducible -> FTBFS
2017-03-07 20:46 
https://tests.reproducible-builds.org/debian/unstable/amd64/libcommons-dbcp-java
 changed from FTBFS -> reproducible



reproducible.debian.net status changes for multiverse-core

2017-03-10 Thread Reproducible builds folks
2017-02-22 00:15 
https://tests.reproducible-builds.org/debian/unstable/amd64/multiverse-core 
changed from FTBFS -> reproducible



reproducible.debian.net status changes for eclipse-pydev

2017-03-10 Thread Reproducible builds folks
2017-02-21 16:28 
https://tests.reproducible-builds.org/debian/unstable/amd64/eclipse-pydev 
changed from reproducible -> unreproducible



Bug#857034: marked as done (Please update openjdk-8-jre-dcevm in jessie-backports)

2017-03-10 Thread Debian Bug Tracking System
Your message dated Fri, 10 Mar 2017 22:56:20 +0100
with message-id <9452b6d4-e8c9-43cb-7247-938ef2b97...@apache.org>
and subject line Re: Bug#857034: Please update openjdk-8-jre-dcevm in 
jessie-backports
has caused the Debian Bug report #857034,
regarding Please update openjdk-8-jre-dcevm in jessie-backports
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
857034: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=857034
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: openjdk-8-jre-dcevm

Hello

Could you please update the jessie-backport version of openjdk-8-jre-dcevm 
(currently 8u92-1~bpo8+1) as it's not compatible with the JRE 
(8u121-b13-1~bpo8+1):

  $ java -version -XXaltjvm=dcevm
  Invalid layout of java.lang.Thread at name
  Error occurred during initialization of VM
  Invalid layout of preloaded class: use -XX:+TraceClassLoading to see the 
origin of the problem class

Best Regards

-christian-
--- End Message ---
--- Begin Message ---
Control: fixed -1 8u112-1~bpo8+1
--- End Message ---

Bug#856996: libjacoco-java: Where is the jacoco agent located?

2017-03-10 Thread Martin Quinson
On Thu, Mar 09, 2017 at 04:59:35PM -0800, tony mancill wrote:
> On Wed, Mar 08, 2017 at 05:04:19PM +0100, Martin Quinson wrote:
> > Hello,
> > 
> > so the package is completely unusable, right? It is merely a
> > placeholder to make the Gradle android plugin compile, isn't it?
> > 
> > If so, I am wondering whether this should be a bug of gravity "grave":
> > "makes the package in question unusable or mostly so, [...]"
> > 
> > What would be needed to actually build the agent?
> 
> Although the Debian package doesn't provide everything found in the
> upstream jacoco distribution, that doesn't mean that it is unusable.

I'm not sure I agree. That would be just like a debugger that cannot
debug a program but only parse a previously captured core. I'd say
it's not "unusable", but rather "mostly unusable" :)

But I would not spend too much energy on discussing the gravity of
that bug, it's not extremely important.

I would be more interested if someone could tell us some words about
the steps that should be done so that the jacoco agent becomes usable
from the package.  I have no knowledge of this soft, and cannot easily
answer that question myself.


Thanks for your time, 
Mt.



Bug#857343: liblogback-java: logback < 1.2.0 has a vulnerability in SocketServer and ServerSocketReceiver

2017-03-10 Thread Emmanuel Bourg
Hi Fabrice,

Thank you for the report. Do you know if there is a CVE ID assigned to
this vulnerability?

Emmanuel Bourg



Bug#857351: jabref: permissions of bib-file

2017-03-10 Thread Martin Lutz
Package: jabref
Version: 3.8.1+ds-3
Severity: minor

Dear Maintainer,

bib-files that are newly created in jabref have the permissions 777 (rwxrwxrwx).
Because these are pure text files, they should not be executable.

DEBUG_WRAPPER=1 jabref --debug

[debug] /usr/bin/jabref: Found JAVA_HOME = '/usr/lib/jvm/java-8-openjdk-amd64'
[debug] /usr/bin/jabref: Found JAVA_CMD = '/usr/lib/jvm/java-8-openjdk-amd64/bin/java'
[debug] /usr/bin/jabref: Environment variable CLASSPATH is ''
[debug] /usr/bin/jabref: Runnning /usr/lib/jvm/java-8-openjdk-amd64/bin/java -classpath /usr/share/java/jabref.jar:/usr/share/java/bcprov.jar:/usr/share/java/antlr3-runtime.jar:/usr/share/java/antlr4-runtime.jar:/usr/share/java/com.android.json.jar:/usr/share/java/commons-cli.jar:/usr/share/java/commons-codec.jar:/usr/share/java/commons-lang3.jar:/usr/share/java/commons-logging.jar:/usr/share/java/fontbox.jar:/usr/share/java/glazedlists.jar:/usr/share/java/guava.jar:/usr/share/java/httpasyncclient.jar:/usr/share/java/httpclient.jar:/usr/share/java/httpcore.jar:/usr/share/java/httpcore-nio.jar:/usr/share/java/httpmime.jar:/usr/share/java/java-string-similarity.jar:/usr/share/java/jempbox.jar:/usr/share/java/jgoodies-common.jar:/usr/share/java/jgoodies-forms.jar:/usr/share/java/jgoodies-looks.jar:/usr/share/java/jhlabs-filters.jar:/usr/share/java/jsoup.jar:/usr/share/java/juh.jar:/usr/share/java/jurt.jar:/usr/share/java/log4j-api.jar:/usr/share/java/log4j-core.jar:/usr/share/java/log4j-jcl.jar:/usr/share/java/microba.jar:/usr/share/java/mysql-connector-java.jar:/usr/share/java/pdfbox.jar:/usr/share/java/postgresql.jar:/usr/share/java/ridl.jar:/usr/share/java/spin.jar:/usr/share/java/swingx.jar:/usr/share/java/swing-layout.jar:/usr/share/java/unirest-java.jar:/usr/share/java/unoil.jar net.sf.jabref.JabRefMain --debug


dpkg -l "openjdk*"

||/ Name                          Version        Architecture  Description
+++-=============================-==============-=============-===================================================
un  openjdk-6-jre                                              (no description available)
un  openjdk-6-jre-headless                                     (no description available)
un  openjdk-7-jre                                              (no description available)
un  openjdk-7-jre-headless                                     (no description available)
ii  openjdk-8-jre:amd64           8u121-b13-3    amd64         OpenJDK Java runtime, using Hotspot JIT
ii  openjdk-8-jre-headless:amd64  8u121-b13-3    amd64         OpenJDK Java runtime, using Hotspot JIT (headless)

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages jabref depends on:
ii  default-jre [java8-runtime] 2:1.8-58
ii  java-wrappers   0.1.28
ii  libandroid-json-java7.0.0+r3-1
ii  libantlr3-runtime-java  3.5.2-6
ii  libantlr4-runtime-java  4.5.3-1
ii  libbcprov-java  1.56-1
ii  libcommons-cli-java 1.3.1-3
ii  libcommons-lang3-java   3.5-1
ii  libcommons-logging-java 1.2-1
ii  libglazedlists-java 1.9.1-2
ii  libguava-java   19.0-1
ii  libhttpasyncclient-java 4.1.2-1
ii  libhttpclient-java  4.5.2-2
ii  libhttpmime-java4.5.2-2
ii  libjava-string-similarity-java  0.19-1
ii  libjempbox-java 1:1.8.12-1
ii  libjgoodies-common-java 1.8.1-2
ii  libjgoodies-forms-java  1.9.0-3
ii  libjgoodies-looks-java  2.7.0-2
ii  libjhlabs-filters-java  2.0.235-3
ii  libjsoup-java   1.10.2-1
ii  liblog4j2-java  2.7-1
ii  libmicroba-java 1:0.4.4.3-5
ii  libpdfbox-java  1:1.8.12-1
ii  libreoffice-java-common 1:5.2.5-2
ii  libspin-java1.5+dfsg-8
ii  libswing-layout-java1.0.4-4
ii  libswingx-java  1:1.6.2-2
ii  libunirest-java-java1.4.8-2
ii  openjdk-8-jre [java8-runtime]   8u121-b13-3

Versions of packages jabref recommends:
ii  libmysql-java5.1.40-1
ii  libpostgresql-jdbc-java  9.4.1212-1
ii  libreoffice-writer   1:5.2.5-2
ii  xdg-utils1.1.1-1

Versions of packages jabref suggests:
ii  evince [postscript-viewer]   3.22.1-3
ii  ghostscript [postscript-viewer]  9.20~dfsg-2
ii  gv [postscript-viewer]   1:3.7.4-1+b1
pn  xpdf | pdf-viewer

-- no debconf information


Processed: your mail

2017-03-10 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tags 857343 security
Bug #857343 [liblogback-java] liblogback-java: logback < 1.2.0 has a 
vulnerability in SocketServer and ServerSocketReceiver
Added tag(s) security.
>
End of message, stopping processing here.

Please contact me if you need assistance.
-- 
857343: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=857343
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#857343: liblogback-java: logback < 1.2.0 has a vulnerability in SocketServer and ServerSocketReceiver

2017-03-10 Thread Fabrice Dagorn

CVE-2015-6420 is for Apache Commons, but this is the same issue.

On 10/03/2017 at 10:15, Emmanuel Bourg wrote:

> Hi Fabrice,
>
> Thank you for the report. Do you know if there is a CVE ID assigned to
> this vulnerability?
>
> Emmanuel Bourg





Bug#857343: (no subject)

2017-03-10 Thread Fabrice Dagorn

tags security



Bug#857343: liblogback-java: logback < 1.2.0 has a vulnerability in SocketServer and ServerSocketReceiver

2017-03-10 Thread Fabrice Dagorn
Package: liblogback-java
Version: 1:1.1.2-1
Severity: important
Tags: upstream patch

Dear Maintainer,

logback versions in wheezy, jessie and stretch are vulnerable to a
deserialization issue.
Logback would try to deserialize data from a socket, but it can't be trusted.
Upstream mitigates this issue by adding a whitelist of allowed classes to be
deserialized.

I've prepared a patch for jessie.

Regards

-- System Information:
Debian Release: 8.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500,
'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: armhf

Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages liblogback-java depends on:
ii  libslf4j-java  1.7.7-1

liblogback-java recommends no packages.

Versions of packages liblogback-java suggests:
ii  glassfish-javaee  1:2.1.1-b31g+dfsg1-2
ii  libjanino-java2.7.0-2
diff -rPu logback.orig/logback-access/src/main/java/ch/qos/logback/access/net/HardenedAccessEventInputStream.java logback/logback-access/src/main/java/ch/qos/logback/access/net/HardenedAccessEventInputStream.java
--- logback.orig/logback-access/src/main/java/ch/qos/logback/access/net/HardenedAccessEventInputStream.java	1970-01-01 01:00:00.0 +0100
+++ logback/logback-access/src/main/java/ch/qos/logback/access/net/HardenedAccessEventInputStream.java	2017-03-04 15:39:00.0 +0100
@@ -0,0 +1,16 @@
+package ch.qos.logback.access.net;
+
+import java.io.IOException;
+import java.io.InputStream;
+
+import ch.qos.logback.access.spi.AccessEvent;
+import ch.qos.logback.core.net.HardenedObjectInputStream;
+
+public class HardenedAccessEventInputStream extends HardenedObjectInputStream {
+
+public HardenedAccessEventInputStream(InputStream in) throws IOException {
+super(in, new String[] {AccessEvent.class.getName(), String[].class.getName()});
+}
+
+}
+
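Review bot: this new class depends on `import ch.qos.logback.core.net.HardenedObjectInputStream;`, and no file in this patch adds that class to logback-core; confirm the core change is part of the same jessie upload, otherwise logback-access will not compile. Two style points in the same hunk: the constructor body and closing brace sit at column 0 while the rest of the tree uses two-space indentation, and the final `+` line adds a trailing blank line to the file.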
diff -rPu logback.orig/logback-access/src/main/java/ch/qos/logback/access/net/SocketNode.java logback/logback-access/src/main/java/ch/qos/logback/access/net/SocketNode.java
--- logback.orig/logback-access/src/main/java/ch/qos/logback/access/net/SocketNode.java	2013-09-07 12:44:46.0 +0200
+++ logback/logback-access/src/main/java/ch/qos/logback/access/net/SocketNode.java	2017-03-05 15:09:48.0 +0100
@@ -15,7 +15,6 @@
 
 import java.io.BufferedInputStream;
 import java.io.IOException;
-import java.io.ObjectInputStream;
 import java.net.Socket;
 
 import ch.qos.logback.access.spi.AccessContext;
@@ -42,16 +41,15 @@
 
   Socket socket;
   AccessContext context;
-  ObjectInputStream ois;
+  HardenedAccessEventInputStream hardenedOIS;
 
   public SocketNode(Socket socket, AccessContext context) {
 this.socket = socket;
 this.context = context;
 try {
-  ois = new ObjectInputStream(new BufferedInputStream(socket
-  .getInputStream()));
+  hardenedOIS = new HardenedAccessEventInputStream(new BufferedInputStream(socket.getInputStream()));
 } catch (Exception e) {
-  System.out.println("Could not open ObjectInputStream to " + socket + e);
+  System.out.println("Could not open HardenedObjectInputStream to " + socket + e);
 }
   }
 
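Review bot: `hardenedOIS = new HardenedAccessEventInputStream(new BufferedInputStream(socket.getInputStream()));` is now a single long line where the removed code wrapped after `socket`; keep the file's wrapping so the hunk stays a minimal substitution. No import is needed since HardenedAccessEventInputStream is in the same package, which is fine, but the catch block still leaves `hardenedOIS` null after a failed construction (pre-existing behaviour, not introduced here).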
@@ -61,7 +59,7 @@
 try {
   while (true) {
 // read an event from the wire
-event = (IAccessEvent) ois.readObject();
+event = (IAccessEvent) hardenedOIS.readObject();
 //check that the event should be logged
 if (context.getFilterChainDecision(event) == FilterReply.DENY) {
   break;
@@ -81,7 +79,7 @@
 }
 
 try {
-  ois.close();
+  hardenedOIS.close();
 } catch (Exception e) {
   System.out.println("Could not close connection." + e);
 }
diff -rPu logback.orig/logback-classic/src/main/java/ch/qos/logback/classic/net/HardenedLoggingEventInputStream.java logback/logback-classic/src/main/java/ch/qos/logback/classic/net/HardenedLoggingEventInputStream.java
--- logback.orig/logback-classic/src/main/java/ch/qos/logback/classic/net/HardenedLoggingEventInputStream.java	1970-01-01 01:00:00.0 +0100
+++ logback/logback-classic/src/main/java/ch/qos/logback/classic/net/HardenedLoggingEventInputStream.java	2017-03-05 15:14:25.0 +0100
@@ -0,0 +1,57 @@
+package ch.qos.logback.classic.net.server;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.ArrayList;
+import java.util.List;
+
+import org.slf4j.helpers.BasicMarker;
+
+import ch.qos.logback.classic.Level;
+import ch.qos.logback.classic.Logger;
+import ch.qos.logback.classic.spi.ClassPackagingData;
+import ch.qos.logback.classic.spi.IThrowableProxy;
+import ch.qos.logback.classic.spi.LoggerContextVO;
+import ch.qos.logback.classic.spi.LoggerRemoteView;
+import ch.qos.logback.classic.spi.LoggingEventVO;
+import ch.qos.logback.classic.spi.StackTraceElementProxy;
+import
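Review bot: the package declaration `+package ch.qos.logback.classic.net.server;` does not match the file path added in this hunk (`logback-classic/src/main/java/ch/qos/logback/classic/net/HardenedLoggingEventInputStream.java`); either place the file under `net/server/` or declare `package ch.qos.logback.classic.net;`, and make sure the SocketNode/receiver classes that use it import it from whichever package is chosen. The hunk as shown also ends mid-import, so the rest of the whitelist cannot be reviewed from this message.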
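The mitigation the report describes, a whitelist of the classes an ObjectInputStream is allowed to resolve, as an added example that is not logback's own HardenedObjectInputStream: the Event type and the ArrayList payload are constructed stand-ins for the event object a receiver expects and for anything else a peer might send.

```java
import java.io.*;
import java.util.*;
// Added example (not logback's HardenedObjectInputStream): an ObjectInputStream that resolves only
// whitelisted classes. The check runs in resolveClass(), before the class is loaded or deserialized.
public class WhitelistObjectInputStream extends ObjectInputStream {
    private final Set<String> allowed;
    public WhitelistObjectInputStream(InputStream in, String... allowedClassNames) throws IOException {
        super(in);
        this.allowed = new HashSet<>(Arrays.asList(allowedClassNames));
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        String name = desc.getName();
        // Array types arrive here too (e.g. "[Ljava.lang.String;"), so event whitelists must list them as well.
        if (!allowed.contains(name)) {
            throw new InvalidClassException(name, "class not on the deserialization whitelist");
        }
        return super.resolveClass(desc);
    }

    // Constructed stand-in for the event type a receiver expects (AccessEvent / LoggingEventVO in logback).
    public static final class Event implements Serializable {
        private static final long serialVersionUID = 1L;
        final String message;
        Event(String message) { this.message = message; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        String[] whitelist = { Event.class.getName() };
        byte[] expected = serialize(new Event("hello"));
        byte[] unexpected = serialize(new ArrayList<String>()); // any type the receiver did not ask for
        try (ObjectInputStream in = new WhitelistObjectInputStream(new ByteArrayInputStream(expected), whitelist)) {
            System.out.println("accepted: " + ((Event) in.readObject()).message);
        }
        try (ObjectInputStream in = new WhitelistObjectInputStream(new ByteArrayInputStream(unexpected), whitelist)) {
            in.readObject(); // resolveClass rejects java.util.ArrayList before any of its state is read
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac WhitelistObjectInputStream.java && java WhitelistObjectInputStream`; the first stream is accepted and the second is refused with an InvalidClassException naming the offending class.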