Bug#880467: jasperreports: CVE-2017-14941, CVE-2017-5528, CVE-2017-5529

2017-12-13 Thread Moritz Mühlenhoff
Hi,

I don't have much time to contribute to this discussion, but let
me make a few remarks. It may be useful to realign expectations
and to spend our resources more wisely.

On Mon, Dec 11, 2017 at 12:11:20PM +0100, Emmanuel Bourg wrote:
> On 10/12/2017 at 15:38, Markus Koschany wrote:
> 
> > We usually do support this use case. Take for example the recent
> > libpam4j update. No package in Debian is using it at the moment. The
> > whole purpose of this piece of software is authentication with PAM and
> > if you can circumvent the PAM auth mechanism, then it is obviously
> > broken, in a very bad way.
> 
> IMHO patching libpam4j in the stable releases was a waste of time (and
> sponsor money as far as Debian LTS is concerned) since it is totally
> unused (the popcon isn't above the noise level).

Then we should remove it from the archive.

But as long as it is present in the archive it is covered by security
support and severe vulnerabilities get fixed in security updates independent
of the popcon size (if a PAM module fails to validate access that's severe
even if only a handful of users are affected).

> > Yes, Java developers download their libraries from Maven Central and
> > bundle everything. But how can you be so sure that someone is not using
> > Debian libraries in production because they are stable and receive
> > security support?
> 
> We can never be sure someone isn't doing something silly with our
> packages, but that's not a reason for supporting them either. We already
> struggle to support the latest versions of Java, if we get distracted by
> fixing unused features in barely used packages we delay expected changes
> in more important packages, this is also a disservice to our users.

Well, there are certainly such installations. E.g. at work our release
engineering team operates Gerrit (which is not packaged in Debian), but they
still made sure to make that installation use the Debian packages of Bouncycastle
and libmysql-java (so that those can be upgraded via the distro in case of
security issues).

> - Level 1: Unsupported. The package is available as a convenience for
> building other packages. Use it at your own risk. Contributions to
> improve its support are kindly accepted.

We have a very narrow selected set of unsupported packages, but we generally
try to keep it minimal. If there are Java packages which are entirely limited
to being build deps for an actual program, we can mark them as unsupported
by adding a README.Debian.security file which describes the status quo
and add those packages to "debian-security-support" (which allows admins
to detect such packages).

If the Java maintainers can agree on a list, let's do that for buster?

> > Jasperreports has lots of dependencies. My first thought was to backport
> > the latest upstream release but this would probably require other
> > backports.
> 
> I upgraded the package to the version 6.3.1 and it didn't require new
> dependencies. Backporting it to stretch may not be that difficult.

My problem with that is rather the uncooperative upstream (if that's
actually the case and not just a communication problem!), if an upstream
doesn't want to work with us and tell us details of security issues, this
makes those packages unsuitable for a Debian stable release. We've dropped
virtualbox and mysql for that reason and OpenJDK is somewhat special since
Oracle are a little more open there than usual (also due to IcedTea).

Cheers,
Moritz

__
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use debian-j...@lists.debian.org for discussions and questions.


Bug#880467: jasperreports: CVE-2017-14941, CVE-2017-5528, CVE-2017-5529

2017-12-09 Thread Moritz Mühlenhoff
On Sat, Dec 09, 2017 at 11:43:38PM +0100, Emmanuel Bourg wrote:
> On 09/12/2017 at 23:29, Moritz Mühlenhoff wrote:
> 
> > I'd say let's kick it out, then. We have a build dependency (and run time
> > dependencies) on libspring-java, can we axe it out there?
> 
> jasperreports is just a build dependency of some unused parts of
> libspring-java. No application in Debian needs it at run time. So these
> vulnerabilities can be safely ignored in the stable releases.

Yeah, but libspring-java is not the issue here, it's jasperreports:
We ship a jasperreports package of an uncooperative upstream which
would need to see full backports across all supported suites since
they don't tell us how to fix this with backports (or actually any
vulnerability information).

Cheers,
   Moritz



Bug#880467: jasperreports: CVE-2017-14941, CVE-2017-5528, CVE-2017-5529

2017-12-09 Thread Moritz Mühlenhoff
On Wed, Nov 01, 2017 at 08:42:43PM +0100, Markus Koschany wrote:
> Short update:
> 
> One staff member told me that my options are to read the advisories,
> which don't contain any detailed information or patches, or, if I have a
> commercial license, to contact support. Great, let's buy a license to
> get more information about security bugs.

WTF

> So far the only viable option would be to upgrade to the latest upstream
> release and backport that to Wheezy, Jessie and Stretch as well but I'm
> not thrilled to maintain another Oracle-like Java package when it comes
> to security bugs.

I'd say let's kick it out, then. We have a build dependency (and run time
dependencies) on libspring-java, can we axe it out there?

Cheers,
Moritz



Bug#870860: openjfx: CVE-2017-10086 CVE-2017-10114

2017-10-02 Thread Moritz Mühlenhoff
On Mon, Oct 02, 2017 at 05:09:29PM +0200, Emmanuel Bourg wrote:
> On 2/10/2017 at 15:08, Moritz Muehlenhoff wrote:
> 
> > Java maintainers, shall we follow the procedures for openjdk and
> > rebase to a new upstream release in stretch?
> 
> Yes please, that's the only sustainable solution for openjfx. I'll
> prepare the update for unstable first and I'll let you know when I'm
> ready for a stable-security update.

Ok, sounds good.

Cheers,
Moritz



Bug#793492: Bug#814176: azureus: (Build-)Depends on OpenJDK 7

2017-08-08 Thread Moritz Mühlenhoff
On Wed, Mar 09, 2016 at 09:10:50PM +0100, Markus Koschany wrote:
> On 09.03.2016 at 20:53, Stephen Nelson wrote:
> > 
> > On Wed, Mar 9, 2016 at 4:03 PM Markus Koschany wrote:
> > 
> > > This issue is fixed in Git but Stephen Nelson wanted to ask upstream for
> > > some license clarifications. Unfortunately we haven't heard back from
> > > him since August 2015.
> > > 
> > > https://lists.debian.org/debian-java/2015/08/msg00029.html
> > 
> > 
> > Hi Markus
> > 
> > I did contact upstream [1] but they never replied. I'm not a user of the
> > software but was trying to keep it in Debian.
> > 
> > [1] http://forum.vuze.com/Thread-Incompatible-licence-issue
> 
> Hi Stephen,
> 
> thanks for the link. I would also like to keep Azureus in Debian but I'm
> also not a user. We need someone who updates Azureus from time to time
> and we need a clarification from upstream. If they are not interested in
> making a simple statement about licenses, it's probably not worth the
> effort to continue packaging Azureus.
> 
> *Just my opinion. Volunteers are always welcome*

1.5 years later this hasn't changed, shall we now drop it?

Cheers,
Moritz



Bug#864405: CVE-2016-2666

2017-06-08 Thread Moritz Mühlenhoff
retitle 864405 undertow: CVE-2016-2666 CVE-2016-2670
thx

Moritz Muehlenhoff wrote:
> 
> There's no other reference than what Red Hat published here:
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2666

Also:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2670
 
Cheers,
Moritz



Bug#863811: CVE-2017-5637

2017-06-01 Thread Moritz Mühlenhoff
On Thu, Jun 01, 2017 at 08:17:21AM -0700, tony mancill wrote:
> On Wed, May 31, 2017 at 02:45:18PM +0200, Moritz Muehlenhoff wrote:
> > Source: zookeeper
> > Severity: grave
> > Tags: security
> > 
> > Please see https://issues.apache.org/jira/browse/ZOOKEEPER-2693
> > 
> > Fix is referenced here: https://github.com/apache/zookeeper/pull/183
> > 
> > I'm also attaching the debdiff I'll be using for jessie for reference.
> 
> Hello Moritz,
> 
> Thank you (as always) for your work on security.  I can prepare the
> upload to unstable.  Do you have a recommendation for how we should
> approach the fix in stretch given the timing of the release?  Should the
> upload perhaps be prepared for stretch-security?

I think it's best if you prepare a 3.4.9-3 upload with only the security
fix and ask for an unblock by filing a bug against release.debian.org.

Cheers,
Moritz



Bug#854551: Bug#851304: tomcat8 use 100% cpu time

2017-02-12 Thread Moritz Mühlenhoff
On Sun, Feb 12, 2017 at 09:38:31PM +0100, Markus Koschany wrote:
> Hi,
> 
> a bug was reported against tomcat8 and tomcat7 in Jessie and it seems
> the issue is related to our latest security updates. We would like to
> address this regression as soon as possible because this one can be
> triggered remotely and cause a denial-of-service.
> 
> I have attached the debdiffs for tomcat8 and tomcat7 to this email. I
> will update the changelogs later.

Thanks, please upload.

Cheers,
Moritz



Bug#819259: Don't include in stretch

2016-03-25 Thread Moritz Mühlenhoff
On Fri, Mar 25, 2016 at 06:14:35PM +0100, Emmanuel Bourg wrote:
> On 25/03/2016 18:07, Moritz Muehlenhoff wrote:
> 
> > stretch should only provide one version of Tomcat.
> 
> I agree, however like tomcat6 we'll keep the src:tomcat7 package to
> build the Servlet API only (libservlet3.0-java). I plan to do this a
> couple of months before the freeze.

Ack, that's totally fine. That bug just applies to the full server
stack package.

Cheers,
Moritz



Bug#792857: CVE-2014-3576

2015-07-29 Thread Moritz Mühlenhoff
On Wed, Jul 22, 2015 at 03:24:45PM +0200, Emmanuel Bourg wrote:
> The fix has been confirmed by an upstream developer:
> 
> http://mail-archives.apache.org/mod_mbox/activemq-dev/201507.mbox/%3CCAKChZ-TruL3Sm3GW9B3Nr1L3fsxDH_X95rGhm85rfXh9_zVJfg%40mail.gmail.com%3E

Could you prepare updated packages for oldstable-security and
stable-security?

Cheers,
Moritz



Bug#788471: elasticsearch: CVE-2015-4165: unspecified arbitrary files modification vulnerability

2015-07-07 Thread Moritz Mühlenhoff
On Sun, Jun 21, 2015 at 02:56:36PM +0200, Hilko Bengen wrote:
> * Salvatore Bonaccorso:
> 
> > Did you have a chance to get more details on it?
> 
> ,[ http://seclists.org/bugtraq/2015/Jun/53 ]
> | Elasticsearch versions 1.0.0 - 1.5.2 are vulnerable to an engineered
> | attack on other applications on the system. The snapshot API may be used
> | indirectly to place snapshot metadata files into locations that are
> | writeable by the user running the Elasticsearch process. It is possible
> | to create a file that another application could read and take action on,
> | such as code execution.
> `
> 
> Looking at upstream's commits leading to 1.6.0, this seems like a
> candidate:
> 
> ,
> | commit dedbe528d5da95fdb6cccd1d0483aa0ca2c07563
> | Author: jaymode jay.m...@elasticsearch.com
> | Date:   Fri May 29 11:14:46 2015 -0400
> | 
> | Snapshot/Restore: fix check for locations in a repository path
> | 
> | Currently, when trying to determine if a location is within one of the
> | configured repository paths, we compare a canonical path against an
> | absolute path. These are not always equivalent and this check will fail
> | even when the same directory is used. This changes the logic to follow
> | that of master, where we use normalized absolute path comparisons. A
> | test has been added that failed with the old code and now passes with
> | the updated method.
> `

That seems plausible, yes.

Cheers,
Moritz
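The check the quoted commit message describes, as an added example that is not Elasticsearch's code: a repository-path containment test in Java with a hypothetical repository root, showing why comparing a normalized path against a merely absolute one fails for the same directory, and why string prefix tests are the wrong tool. Lexical normalization stands in for canonicalization here; real canonical paths also resolve symlinks, which an offline example cannot show.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Added example (not Elasticsearch's code): repository-path containment checks
 * in the spirit of the fix quoted above. Root paths are hypothetical and
 * Unix-style paths are assumed. Nothing here touches the filesystem.
 */
public class RepoPathCheck {

    /**
     * Robust form: resolve the candidate against the root, normalize both sides
     * (collapsing "." and ".." lexically) and compare path components with
     * Path.startsWith, which treats "/a/b" and "/a/bc" as unrelated.
     */
    public static boolean isInsideRepo(Path repoRoot, String candidate) {
        Path root = repoRoot.toAbsolutePath().normalize();
        Path target = root.resolve(candidate).toAbsolutePath().normalize();
        return target.startsWith(root);
    }

    /**
     * Fragile form resembling the bug the commit message describes: one side
     * normalized (as a canonical path would be), the other merely absolute, and
     * the two compared as strings. It rejects valid locations when the configured
     * root is spelled with a "." component, and accepts a sibling directory whose
     * name merely starts with the root's name.
     */
    public static boolean fragileCheck(Path repoRoot, String candidate) {
        String canonicalLikeTarget =
                repoRoot.resolve(candidate).toAbsolutePath().normalize().toString();
        String absoluteRoot = repoRoot.toAbsolutePath().toString();
        return canonicalLikeTarget.startsWith(absoluteRoot);
    }

    public static void main(String[] args) {
        // Two spellings of the same hypothetical repository root.
        Path cleanRoot = Paths.get("/data/es-repos/backups");
        Path dottedRoot = Paths.get("/data/es-repos/./backups");

        // Constructed candidate locations, as an API caller might supply them.
        String[] locations = {
            "snapshot-1/index",          // plain child
            "snapshot-1/../snapshot-2",  // still inside after normalization
            "../../../tmp/evil.json",    // escapes the root, must be rejected
            "../backups-other/x",        // sibling directory: textual prefix trap
        };

        for (Path root : new Path[] {cleanRoot, dottedRoot}) {
            System.out.println("root = " + root);
            for (String loc : locations) {
                System.out.printf("  %-28s robust=%-5b fragile=%b%n",
                        loc, isInsideRepo(root, loc), fragileCheck(root, loc));
            }
        }
    }
}
```

Under the clean root the fragile check accepts ../backups-other/x, and under the dotted root it rejects even snapshot-1/index; the robust check accepts exactly the first two locations under both roots.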



Re: tomcat6 DSA for wheezy

2015-05-03 Thread Moritz Mühlenhoff
On Mon, Apr 27, 2015 at 06:30:20PM +0200, Holger Levsen wrote:
> Hi,
> 
> sorry, this somehow slipped through...
> 
> On Saturday, 17 January 2015, Moritz Mühlenhoff wrote:
> > On Tue, Dec 30, 2014 at 02:04:57PM +0100, Holger Levsen wrote:
> > > On Tuesday, 30 December 2014, Moritz Mühlenhoff wrote:
> > > > Do we also need to update tomcat-native in wheezy or is 1.1.24 from
> > > > wheezy sufficient?
> > > we also need to update tomcat-native, I have that prepared as well...
> > Ok.
> > Can you please upload tomcat6 and tomcat-native to security-master?
> 
> I assume this is still due, so I will do so in the next days. (Unless you
> reply differently..)

Please go ahead.

Cheers,
Moritz



Bug#774050: CVE-2014-9390

2015-01-16 Thread Moritz Mühlenhoff
On Tue, Dec 30, 2014 at 08:13:08AM -0800, tony mancill wrote:
> On 12/30/2014 05:18 AM, Emmanuel Bourg wrote:
> > Here are the relevant commits to backport:
> > 
> > Always ignore case when forbidding .git in ObjectChecker
> > https://github.com/eclipse/jgit/commit/07612a6
> > 
> > Disallow .git. and .git<space>
> > https://github.com/eclipse/jgit/commit/10310bf
> > 
> > Disallow Windows shortname GIT~1
> > https://github.com/eclipse/jgit/commit/a09b1b6
> > 
> > Disallow names potentially mapping to .git on HFS+
> > https://github.com/eclipse/jgit/commit/d476d2f
> 
> I spent some time looking at this too, but from the perspective of what
> upstream release branches have these commits.
> 
> They are on stable-3.4, which is version 3.4.2 (and is the closest to
> 3.4.0, which is what we have in jessie/sid), but upstream didn't apply
> them to stable-2.0 (wheezy).  So I think the patches will need to be
> cherry-picked or hand-applied to our source versions.
> 
> We'll also need to create security-${RELEASE} branches in the pkg-java
> repo for this, as 3.5.2 has already been staged on master.
> 
> I do wonder how many of our users are running case-insensitive file
> systems though...

Can we please get that fixed in jessie?

Cheers,
Moritz



Bug#758086: CVE-2012-6153: Apache HttpComponents client: Hostname verification susceptible to MITM attack

2014-12-29 Thread Moritz Mühlenhoff
On Mon, Sep 22, 2014 at 03:56:00PM +0200, Raphael Hertzog wrote:
> Hi,
> 
> On Mon, 18 Aug 2014, Salvatore Bonaccorso wrote:
> > On Thu, Aug 14, 2014 at 11:43:32PM +0200, Emmanuel Bourg wrote:
> > > Is there an example available somewhere of a subject improperly parsed
> > > by commons-httpclient/3.1-10.2? This would help backporting the fix to
> > > this version.
> > 
> > I think this is already fixed in 3.1-10.2, see the Red Hat bug as
> > reference and see https://bugs.debian.org/692442#56 and following
> > mails.
> 
> I don't understand this from those mails. On the contrary, RedHat
> did update their packages with a new patch on top of the former
> patch:
> https://git.centos.org/blob/rpms!jakarta-commons-httpclient/5acb7f7b3e637c3a6d072e3f037a3c4abb6c48af/SOURCES!jakarta-commons-httpclient-CVE-2014-3577.patch
> 
> And the Debian package still has the old version of getCN().

What's the status? Can we get that fixed for jessie?

Cheers,
Moritz



Re: tomcat6 DSA for wheezy

2014-12-29 Thread Moritz Mühlenhoff
On Mon, Dec 15, 2014 at 04:23:30PM +0100, Holger Levsen wrote:
> Hi,
> 
> This update itself fixes no security issues but is needed for libtcnative-1
> users as version 1.1.20 from Squeeze does not work with tomcat6 6.0.41 from
> Squeeze LTS.

Do we also need to update tomcat-native in wheezy or is 1.1.24 from wheezy
sufficient?

Cheers,
Moritz



Bug#758516: Struts 1.2 should not be shipped with jessie

2014-10-12 Thread Moritz Mühlenhoff
On Wed, Sep 17, 2014 at 01:50:36PM +0200, Emmanuel Bourg wrote:
> On 17/09/2014 12:57, Moritz Muehlenhoff wrote:
> 
> > That's not how we handle it in Debian: If a library is shipped in Debian,
> > it is fully supported to be used by local libs.
> > 
> > Anything in /usr/local or installed through Maven is of course the
> > responsibility of the user.
> > 
> > So we should go ahead with the removal of struts 1.2 by filing RC bugs
> > against the packages using it.
> 
> Well that's sad because this is really a waste of time and our resources
> are desperately limited :( libstruts1.2-java is not a security threat as
> used by the other Debian libraries and applications, and upstream even
> provided a patch for CVE-2014-0114 [1][2] despite the EOL. I'd rather
> spend this time on other important issues.

Would it help if I upload NMUs for libspring-java and easyconf?

Cheers,
Moritz



Bug#758516: Struts 1.2 should not be shipped with jessie

2014-09-15 Thread Moritz Mühlenhoff
On Fri, Sep 12, 2014 at 11:34:31PM +0200, Emmanuel Bourg wrote:
> Looking at the reverse dependencies of libstruts1.2-java, it seems it
> isn't much used. There are:
> - src:libspring-java, it builds libspring-web-struts-java which isn't used.
> - src:easyconf, it builds libeasyconf-java with a suggested dependency
>   on libstruts1.2-java and it isn't used.

Then it should be easy to remove?
 
> In my opinion there is no harm keeping libstruts1.2-java in Jessie as a
> convenience for packaging other libraries, it's never executed as part
> of an application in the end (there is no Struts based web application
> in Debian).

Well, but if we keep old, unsupported libs around, people might be exposed
by running code not shipped in Debian, but using these libraries.

Cheers,
Moritz



Bug#686867: jruby: CVE-2011-4838

2012-09-18 Thread Moritz Mühlenhoff
tags 686867 patch
thanks

On Thu, Sep 06, 2012 at 10:03:58PM +0200, Moritz Muehlenhoff wrote:
> Package: jruby
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> Hi,
> jruby in Wheezy is still affected by
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4838
> http://www.nruns.com/_downloads/advisory28122011.pdf
> 
> Since Wheezy already has 1.6.5, updating to 1.6.5.1 seems like a good idea?

Wheezy has 1.5.6, not 1.6.5.

Anyway, I've extracted the patch, it's attached.

Cheers,
Moritz
diff -Naur jruby-1.6.5/src/org/jruby/RubyHash.java jruby-1.6.5.1/src/org/jruby/RubyHash.java
--- jruby-1.6.5/src/org/jruby/RubyHash.java	2011-10-25 16:54:53.0 +0200
+++ jruby-1.6.5.1/src/org/jruby/RubyHash.java	2011-12-27 20:04:20.0 +0100
@@ -824,7 +824,7 @@
 oldTable[j] = null;
 while (entry != null) {
 RubyHashEntry next = entry.next;
-entry.hash = entry.key.hashCode(); // update the hash value
+entry.hash = hashValue(entry.key.hashCode()); // update the hash value
 int i = bucketIndex(entry.hash, newTable.length);
 entry.next = newTable[i];
 newTable[i] = entry;
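Review bot: the rehash loop now recomputes `entry.hash = hashValue(entry.key.hashCode())`, but the hunk does not show the insert and lookup paths; they must apply the same hashValue() transformation, otherwise a key stored before a table resize is placed in a different bucket afterwards and can no longer be found. Please check those call sites in RubyHash.java before uploading.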
diff -Naur jruby-1.6.5/src/org/jruby/Ruby.java jruby-1.6.5.1/src/org/jruby/Ruby.java
--- jruby-1.6.5/src/org/jruby/Ruby.java	2011-10-25 16:54:53.0 +0200
+++ jruby-1.6.5.1/src/org/jruby/Ruby.java	2011-12-27 20:04:20.0 +0100
@@ -291,6 +291,8 @@
 this.beanManager= BeanManagerFactory.create(this, config.isManagementEnabled());
 this.jitCompiler= new JITCompiler(this);
 this.parserStats= new ParserStats(this);
+
+	this.hashSeed = this.random.nextInt();
 
 this.beanManager.register(new Config(this));
 this.beanManager.register(parserStats);
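Review bot: the added `this.hashSeed = this.random.nextInt();` line is indented with a tab while the surrounding constructor lines use spaces; match the file's indentation. Ordering is fine: field initializers such as `random = new Random()` run before the constructor body, so the seed is drawn from an initialized generator.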
@@ -3929,6 +3931,10 @@
 public boolean isBooting() {
 return booting;
 }
+
+public int getHashSeed() {
+return hashSeed;
+}
 
 public CoverageData getCoverageData() {
 return coverageData;
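Review bot: `getHashSeed()` is public and undocumented; add a Javadoc stating that the value is runtime-internal and must never be surfaced to Ruby code or logs. Hash randomization only defeats collision flooding (CVE-2011-4838) as long as the seed stays secret, so any script-visible API that reaches this getter would void the fix.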
@@ -3946,6 +3952,8 @@
 private long randomSeed = 0;
 private long randomSeedSequence = 0;
 private Random random = new Random();
+/** The runtime-local seed for hash randomization */
+private int hashSeed = 0;
 
 private final ListEventHook eventHooks = new VectorEventHook();
 private boolean hasEventHooks;  
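Review bot: `hashSeed` is drawn from `private Random random = new Random()`, a java.util.Random LCG. If that same instance also backs user-observable random numbers, its internal state (and with it the seed) is recoverable from a handful of outputs, undoing the protection; consider taking the one-time seed from java.security.SecureRandom instead, and document in the field comment where it is drawn from.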
diff -Naur jruby-1.6.5/src/org/jruby/RubyString.java jruby-1.6.5.1/src/org/jruby/RubyString.java
--- jruby-1.6.5/src/org/jruby/RubyString.java	2011-10-25 16:54:54.0 +0200
+++ jruby-1.6.5.1/src/org/jruby/RubyString.java	2011-12-27 20:04:21.0 +0100
@@ -93,6 +93,7 @@
 import org.jruby.runtime.marshal.UnmarshalStream;
 import org.jruby.util.ByteList;
 import org.jruby.util.ConvertBytes;
+import org.jruby.util.MurmurHash;
 import org.jruby.util.Numeric;
 import org.jruby.util.Pack;
 import org.jruby.util.RegexpOptions;
@@ -1145,11 +1146,11 @@
 }
 
 private int strHashCode(Ruby runtime) {
+int hash = MurmurHash.hash32(value.getUnsafeBytes(), value.getBegin(), value.getRealSize(), runtime.getHashSeed());
 if (runtime.is1_9()) {
-return value.hashCode() ^ (value.getEncoding().isAsciiCompatible()  scanForCodeRange() == CR_7BIT ? 0 : value.getEncoding().getIndex());
-} else {
-return value.hashCode();
+hash ^= (value.getEncoding().isAsciiCompatible()  scanForCodeRange() == CR_7BIT ? 0 : value.getEncoding().getIndex());
 }
+return hash;
 }
 
 @Override
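Review bot: in the quoted lines the condition reads `isAsciiCompatible()  scanForCodeRange() == CR_7BIT` with no operator between the two calls (in both the removed and the added line); that is almost certainly an `&&` lost in transit, but verify the applied patch compiles with the operator present before uploading. The rest of the hunk is sound: the seeded MurmurHash value replaces `value.hashCode()` for both modes, and the 1.9 branch keeps XORing in the encoding index exactly as the old code did.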
diff -Naur jruby-1.6.5/src/org/jruby/util/MurmurHash.java jruby-1.6.5.1/src/org/jruby/util/MurmurHash.java
--- jruby-1.6.5/src/org/jruby/util/MurmurHash.java	1970-01-01 01:00:00.0 +0100
+++ jruby-1.6.5.1/src/org/jruby/util/MurmurHash.java	2011-12-27 20:04:21.0 +0100
@@ -0,0 +1,62 @@
+package org.jruby.util;
+
+public class MurmurHash {
+// Based on Murmurhash 2.0 Java port at http://dmy999.com/article/50/murmurhash-2-java-port
+// 2011-12-05: Modified by Hiroshi Nakamura n...@ruby-lang.org
+// - signature change to use offset
+//   hash(byte[] data, int seed) to hash(byte[] src, int offset, int length, int seed)
+// - extract 'm' and 'r' as murmurhash2.0 constants
+
+// Ported by Derek Young from the C version (specifically the endian-neutral
+// version) from:
+//   http://murmurhash.googlepages.com/
+//
+// released to the public domain - dmy...@gmail.com
+
+// 'm' and 'r' are mixing constants generated offline.
+// They're not really 'magic', they just happen to work well.
+private static final int MURMUR2_MAGIC = 0x5bd1e995;
+// CRuby 1.9 uses 16 but original C++ implementation uses 24 with above Magic.
+private static final int 
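Review bot: the header `@@ -0,0 +1,62 @@` promises 62 lines but the quoted file stops mid-declaration at `private static final int`, so the attachment is truncated in this archive and the patch as shown cannot apply; take the full MurmurHash.java from the original attachment or the jruby 1.6.5.1 sources. The comment just above notes that CRuby 1.9 uses 16 where the C++ original uses 24; the value chosen for `r` here should be stated once the line is restored.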

Bug#677814: Bug#670901: Spring: Multiple security issues

2012-06-21 Thread Moritz Mühlenhoff
On Sunday, 17 June 2012 01:27:14 Damien Raude-Morvan wrote:
> Hi Moritz,
> 
> On Monday 30 April 2012 09:55:39, Moritz Muehlenhoff wrote:
> > CVE-2011-2730 seems to affect libspring-2.5-java? If so, please clone or
> > reassign as needed.
> 
> I've prepared an upload of libspring-2.5-java for squeeze to fix
> CVE-2011-2730. You can find it on
> http://people.debian.org/~drazzib/security/
> 
> Could you please review it?

Please direct this to t...@security.debian.org

Thanks!

Cheers,
Moritz
-- 
Moritz Mühlenhoff muehlenh...@univention.de
Open Source Software Engineer
Univention GmbH  be open.fon: +49 421 22 232- 0
Mary-Somerville-Str.1  28359 Bremen  fax: +49 421 22 232-99
http://www.univention.de





Bug#611130: CVE-2010-2087

2012-05-13 Thread Moritz Mühlenhoff
On Sun, May 13, 2012 at 05:52:05PM +0100, Steve McIntyre wrote:
> On Sun, Oct 02, 2011 at 05:53:48PM -0430, Miguel Landaeta wrote:
> > #tag 611130 + idontgiveadamn
> > tag 611130 + moreinfo
> > kthxbye
> > 
> > Upstream doesn't answer any request about this bug.
> > 
> > I sent emails, I posted in their discussion forum and even joined their
> > irc channel to ask a couple of questions about this bug. I didn't receive
> > any answer, I can say I was completely ignored.
> > 
> > There is no info at the Mitre website and AFAIK this issue is not fixed in
> > any other free software distribution.
> > 
> > I don't have time nor interest in this, good luck to anybody
> > interested in fixing this bug. Be aware of the uncooperative upstream.
> 
> Given this, this package looks like a prime candidate for removal from
> the archive to be honest. Thoughts?

I concur, but libspring build-depends on it, something which needs to
be addressed somehow.

Cheers,
Moritz





Bug#667000: Rebuilding objenesis from source makes mockito FTBFS

2012-04-03 Thread Moritz Mühlenhoff
On Tuesday, 3 April 2012 12:06:38 Moritz Muehlenhoff wrote:
> Package: objenesis
> Version: 1.2+full-1
> Severity: serious
> 
> 
> Diffing the file lists between the version in the archive and the
> rebuilt version shows that these files are missing after the rebuild:
> 
> /usr/share/java/objenesis-1.2.jar
> /usr/share/java/objenesis.jar

Attached patch fixes this, I'd appreciate some review from someone with more 
Java packaging foo, though.

Cheers,
Moritz
-- 
Moritz Mühlenhoff muehlenh...@univention.de
Open Source Software Engineer
Univention GmbH  Linux for Your Business fon: +49 421 22 232- 0
Mary-Somerville-Str.1  28359 Bremen  fax: +49 421 22 232-99
http://www.univention.de
UCS Bug #26186
Debian Bug #667000

diff -aur objenesis-1.2+full.orig/debian/libobjenesis-java.poms objenesis-1.2+full/debian/libobjenesis-java.poms
--- objenesis-1.2+full.orig/debian/libobjenesis-java.poms	2011-09-18 22:00:33.0 +0200
+++ objenesis-1.2+full/debian/libobjenesis-java.poms	2012-03-19 19:07:36.0 +0100
@@ -23,5 +23,6 @@
 #   --ignore-pom: don't install the POM with mh_install or mh_installpoms. To use with POM files that are created
 # temporarily for certain artifacts such as Javadoc jars.
 #
-pom.xml --has-package-version
-main/pom.xml --has-package-version
+pom.xml --has-package-version --java-lib
+main/pom.xml --has-package-version --java-lib
+
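Review bot: the hunk adds `--java-lib` to both POM lines, which is what restores the /usr/share/java jars, but it also appends an empty trailing line (the bare `+` at the end); drop that line, it changes nothing and only widens the diff. A short changelog entry explaining that the maven-debian-helper default changed and `--java-lib` is now needed would help future reviewers.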


Bug#662789: sisu-ioc: Fix FTBFS and ensure jar's installed to /usr/share/java

2012-03-07 Thread Moritz Mühlenhoff
severity 662789 serious
thanks

On Tuesday, 6 March 2012 13:23:42 James Page wrote:
> Package: sisu-ioc
> Version: 2.3.0-2
> Severity: normal
> Tags: patch
> User: ubuntu-de...@lists.ubuntu.com
> Usertags: origin-ubuntu precise ubuntu-patch
> 
> Dear Maintainer,
> 
> In Ubuntu, the attached patch was applied to achieve the following:
> 
>   * Fix FTBFS (LP: #935445):
>     - d/maven.rules: Map plexus-component-annotations to version 1.5.5.
>   * d/libsisu-ioc-java.poms: Added --java-lib to ensure jar files still get
>     installed to /usr/share/java.
> 
> The latest version of libplexus-containers1.5-java does not create 1.5.x
> symbolic links causing a FTBFS with this package - an exact version match
> is now required.
> 
> Also the default behaviour of maven-debian-helper has changed so I also
> added a fix to ensure jars are still installed in /usr/share/java.
> 
> Thanks for considering the patch.

sisu-ioc currently fails to build from source in sid, raising severity:

[ERROR] BUILD ERROR
[INFO] 

[INFO] Failed to resolve artifact.

Missing:
--
1) org.codehaus.plexus:plexus-component-annotations:jar:1.5.x

  Try downloading the file manually from the project website.

  Then, install it using the command: 
  mvn install:install-file -DgroupId=org.codehaus.plexus -
DartifactId=plexus-component-annotations -Dversion=1.5.x -Dpackaging=jar -
Dfile=/path/to/file

  Alternatively, if you host your own repository you can deploy the file there: 
  mvn deploy:deploy-file -DgroupId=org.codehaus.plexus -DartifactId=plexus-
component-annotations -Dversion=1.5.x -Dpackaging=jar -Dfile=/path/to/file -
Durl=[url] -DrepositoryId=[id]

  Path to dependency: 
1) org.sonatype.sisu.inject:guice-plexus-metadata:jar:2.3.0
2) org.codehaus.plexus:plexus-component-annotations:jar:1.5.x

--
1 required artifact is missing.

for artifact: 
  org.sonatype.sisu.inject:guice-plexus-metadata:jar:2.3.0

from the specified remote repositories:
  central (http://repo1.maven.org/maven2)



NOTE: Maven is executing in offline mode. Any artifacts not already in your 
local
repository will be inaccessible.


[INFO] 

[INFO] For more information, run Maven with the -e switch
[INFO] 

[INFO] Total time: 35 seconds
[INFO] Finished at: Tue Mar 06 19:22:13 CET 2012
[INFO] Final Memory: 36M/86M
[INFO] 

make: *** [mvn-build] Error 1
dpkg-buildpackage: error: debian/rules build gave error exit status 2


-- 
Moritz Mühlenhoff muehlenh...@univention.de
Open Source Software Engineer and Consultant
Univention GmbH  Linux for Your Business fon: +49 421 22 232- 0
Mary-Somerville-Str.1  28359 Bremen  fax: +49 421 22 232-99
http://www.univention.de





Bug#657870: Multiple issues in Struts

2012-02-21 Thread Moritz Mühlenhoff
On Tue, Feb 21, 2012 at 12:53:47AM +0100, Damien Raude-Morvan wrote:
> Hi Moritz,
> 
> On Thursday 16 February 2012 19:42:09, Damien Raude-Morvan wrote:
> > On 09/02/2012 21:16, Moritz Mühlenhoff wrote:
> > > There's a new issue, which affects 1.x:
> > > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1007
> > 
> > From [1], it seems there is no actual fix for this issue :(
> > I'll contact the Struts Security Team on this matter.
> 
> Okay, I got some feedback from the Struts Security Team.
> 
> This particular security issue doesn't affect Struts as a binary library (i.e.
> /usr/share/java/struts-1.2.jar is unaffected) but concerns only the samples
> provided as source in /usr/share/doc/libstruts1.2-java/example*
> 
> Do you think we should provide an updated package for squeeze (I think we can
> just drop the examples)?

It's just an example, we don't need a DSA. You can fix it through a stable
update for Squeeze, though.

Cheers,
Moritz 





Bug#657870: Multiple issues in Struts

2012-02-09 Thread Moritz Mühlenhoff
On Wed, Feb 01, 2012 at 10:46:51PM -0800, tony mancill wrote:
> On 01/29/2012 06:05 AM, Moritz Muehlenhoff wrote:
>> Package: libstruts1.2-java
>> Severity: grave
>> Tags: security
>>
>> Hi,
>> several vulnerabilities have been reported against Struts:
>>
>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0391
>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0392
>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0393
>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0394
>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5057
>>
>> The version in Debian seems ancient and unmaintained, can you
>> please check whether an update is needed?
>
> The CVEs listed all explicitly reference Struts 2, and so I believe
> would only be applicable if Debian included a libstruts-2.x package.

OK, I've updated the Security Tracker.
>
> There are (3) rdepends of the libstruts1.2-java package.  It might be
> possible to migrate them to the latest upstream Struts 1 release, which
> is 1.3.10. However, there haven't been any 1.x upstream releases in over
> 3 years.

There's a new issue, which affects 1.x:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1007

Cheers,
Moritz





Re: Tomcat for Squeeze

2012-01-06 Thread Moritz Mühlenhoff
On Thu, Jan 05, 2012 at 02:53:41PM -0430, Miguel Landaeta wrote:
> On Thu, Jan 5, 2012 at 1:43 PM, Moritz Muehlenhoff j...@inutil.org wrote:
>> currently there's Tomcat 6 and Tomcat 7 in Wheezy. Will 6 be dropped
>> before the Wheezy release? It would be good to only have one version
>> in Wheezy.
>
> I agree with this, I think the team should not commit to several years
> more of tomcat6 maintenance.
>
> What do you think?

I agree that only having tomcat7 is the proper way forward for Wheezy.

Cheers,
Moritz



Bug#645881: critical update 29 available

2011-12-08 Thread Moritz Mühlenhoff
On Thu, Dec 01, 2011 at 09:47:53PM +0100, Florian Weimer wrote:
> * Moritz Mühlenhoff:
>
>> Florian, what's the status of openjdk6 for stable/oldstable?
>
> I've released the pending update for squeeze.  lenny will eventually
> follow, and so will the pending updates for squeeze, but judging by my
> past performance, it will take a while.
>
> If someone else wants to work on these updates, I'll gladly share what
> I've learnt about the packaging.

OpenJDK maintainers, can you take care of preparing security updates
in the future? We need maintainer support, especially for such
intricate packages with frequent security issues.

Since openjdk-6 is fixed now, now would be a good time to remove
sun-java6 from stable in the next point update?

Cheers,
Moritz





Bug#645881: critical update 29 available

2011-11-22 Thread Moritz Mühlenhoff
On Fri, Oct 21, 2011 at 11:07:30AM +0200, Florian Weimer wrote:
> * Moritz Muehlenhoff:
>
>> As for stable/oldstable: I noticed that Red Hat provided packages for
>> update 29 for RHEL 4 (RHEL 5 onwards use OpenJDK):
>> http://lwn.net/Articles/463919/
>
> If anyone remembers the rationale behind the DLJ, perhaps they can
> check if the current BCL matches our needs, too?  The licensing
> conditions for the stock JDK distribution probably have changed since
> the Oracle acquisition, and perhaps these changes are sufficient to
> permit redistribution by Debian.
>
> I have also uploaded the fixes for openjdk-6 to security-master (for
> squeeze).  It's currently stuck in the unchecked queue, along with the
> still-missing previous update for lenny.

Florian, what's the status of openjdk6 for stable/oldstable?

Java maintainers, shall we proceed with removal from stable/oldstable for the next
point releases? sun-java6 will still be kept on existing installations,
but we avoid new installations with the insecure JVM.

Cheers,
Moritz





Bug#611130: CVE-2010-2087

2011-07-25 Thread Moritz Mühlenhoff
On Thu, Jan 27, 2011 at 09:53:10AM -0430, Miguel Landaeta wrote:
> On Tue, Jan 25, 2011 at 09:43:36PM +0100, Moritz Muehlenhoff wrote:
>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2087
>> Please get in touch with upstream, whether this has been addressed.
>
> I just notified upstream to take a look at this
> and I'm waiting for their reply.

What's the result?

Cheers,
Moritz 





Bug#611138: CVE-2010-4438

2011-01-26 Thread Moritz Mühlenhoff
On Wed, Jan 26, 2011 at 07:46:32PM +0100, Damien Raude-Morvan wrote:
> Hi,
>
> On Tuesday 25 January 2011 23:02:18, Moritz Muehlenhoff wrote:
>> See http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4438
>>
>> Please get in touch with Oracle to check what unspecified
>> vulnerability they fixed...
>
> From the CVE abstract:
>
> Sun GlassFish Enterprise Server contains a flaw related to the 'Java Message
> Service (JMS)' sub-component that may allow a local attacker to have a partial
> affect on integrity and confidentiality and cause a denial of service. No
> further details have been provided.
>
>
> We hardly build any real Glassfish Server, but just some parts of the API
> library from the Java EE specifications.
> FYI, /usr/share/java/glassfish-jms.jar is just a collection of interfaces and
> doesn't have any implementation of a JMS server.
>
> So I don't think the Debian package is affected by this issue, but we'll have to
> wait until the Oracle/Glassfish team publishes some source code to confirm this.

Ok, I've updated the Security Tracker to mark it as not-affected. I wasn't
aware that the Debian Glassfish package doesn't provide the full stack.

Cheers,
Moritz


