Accepted plexus-utils2 3.0.15-1+deb8u1 (source all) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates

2018-03-30 Thread Moritz Muehlenhoff

Format: 1.8
Date: Wed, 21 Mar 2018 18:26:19 +0100
Source: plexus-utils2
Binary: libplexus-utils2-java libplexus-utils2-java-doc
Architecture: source all
Version: 3.0.15-1+deb8u1
Distribution: jessie-security
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Moritz Muehlenhoff <j...@debian.org>
Description:
 libplexus-utils2-java - utilities for the Plexus framework
 libplexus-utils2-java-doc - utilities for the Plexus framework - documentation
Changes:
 plexus-utils2 (3.0.15-1+deb8u1) jessie-security; urgency=medium
 .
   * CVE-2017-1000487


__
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. 
Please use
debian-j...@lists.debian.org for discussions and questions.


Accepted plexus-utils 1:1.5.15-4+deb8u1 (source all) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates

2018-03-30 Thread Moritz Muehlenhoff

Format: 1.8
Date: Mon, 19 Mar 2018 21:35:42 +0100
Source: plexus-utils
Binary: libplexus-utils-java libplexus-utils-java-doc
Architecture: source all
Version: 1:1.5.15-4+deb8u1
Distribution: jessie-security
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Moritz Muehlenhoff <j...@debian.org>
Description:
 libplexus-utils-java - utilities for the Plexus framework
 libplexus-utils-java-doc - API Documentation for plexus-utils
Changes:
 plexus-utils (1:1.5.15-4+deb8u1) jessie-security; urgency=medium
 .
   * CVE-2017-1000487


Accepted plexus-utils 1:1.5.15-4+deb9u1 (source all) into proposed-updates->stable-new, proposed-updates

2018-03-30 Thread Moritz Muehlenhoff

Format: 1.8
Date: Mon, 19 Mar 2018 21:29:59 +0100
Source: plexus-utils
Binary: libplexus-utils-java libplexus-utils-java-doc
Architecture: source all
Version: 1:1.5.15-4+deb9u1
Distribution: stretch-security
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Moritz Muehlenhoff <j...@debian.org>
Description:
 libplexus-utils-java - utilities for the Plexus framework
 libplexus-utils-java-doc - API Documentation for plexus-utils
Changes:
 plexus-utils (1:1.5.15-4+deb9u1) stretch-security; urgency=medium
 .
   * CVE-2017-1000487


Accepted plexus-utils2 3.0.15-1+deb8u1 (source all) into oldstable->embargoed, oldstable

2018-03-22 Thread Moritz Muehlenhoff

Format: 1.8
Date: Wed, 21 Mar 2018 18:26:19 +0100
Source: plexus-utils2
Binary: libplexus-utils2-java libplexus-utils2-java-doc
Architecture: source all
Version: 3.0.15-1+deb8u1
Distribution: jessie-security
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Moritz Muehlenhoff <j...@debian.org>
Description:
 libplexus-utils2-java - utilities for the Plexus framework
 libplexus-utils2-java-doc - utilities for the Plexus framework - documentation
Changes:
 plexus-utils2 (3.0.15-1+deb8u1) jessie-security; urgency=medium
 .
   * CVE-2017-1000487


Accepted plexus-utils 1:1.5.15-4+deb8u1 (source all) into oldstable->embargoed, oldstable

2018-03-20 Thread Moritz Muehlenhoff

Format: 1.8
Date: Mon, 19 Mar 2018 21:35:42 +0100
Source: plexus-utils
Binary: libplexus-utils-java libplexus-utils-java-doc
Architecture: source all
Version: 1:1.5.15-4+deb8u1
Distribution: jessie-security
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Moritz Muehlenhoff <j...@debian.org>
Description:
 libplexus-utils-java - utilities for the Plexus framework
 libplexus-utils-java-doc - API Documentation for plexus-utils
Changes:
 plexus-utils (1:1.5.15-4+deb8u1) jessie-security; urgency=medium
 .
   * CVE-2017-1000487


Accepted plexus-utils 1:1.5.15-4+deb9u1 (source all) into stable->embargoed, stable

2018-03-20 Thread Moritz Muehlenhoff

Format: 1.8
Date: Mon, 19 Mar 2018 21:29:59 +0100
Source: plexus-utils
Binary: libplexus-utils-java libplexus-utils-java-doc
Architecture: source all
Version: 1:1.5.15-4+deb9u1
Distribution: stretch-security
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Moritz Muehlenhoff <j...@debian.org>
Description:
 libplexus-utils-java - utilities for the Plexus framework
 libplexus-utils-java-doc - API Documentation for plexus-utils
Changes:
 plexus-utils (1:1.5.15-4+deb9u1) stretch-security; urgency=medium
 .
   * CVE-2017-1000487


Bug#891796: CVE-2017-18197

2018-02-28 Thread Moritz Muehlenhoff
Source: libjgraphx-java
Severity: normal
Tags: security

This was assigned CVE-2017-18197:
https://github.com/jgraph/mxgraph/issues/124

Cheers,
Moritz



Bug#888547: CVE-2017-1000190

2018-01-27 Thread Moritz Muehlenhoff
Source: simple-xml
Severity: important
Tags: security

CVE-2017-1000190 has been assigned to this bug in simple-xml:
https://github.com/ngallagher/simplexml/issues/18

Cheers,
Moritz



Bug#825501: CVE-2016-4434

2018-01-12 Thread Moritz Muehlenhoff
On Thu, Jan 11, 2018 at 02:03:23PM +0200, Faidon Liambotis wrote:
> On Fri, May 27, 2016 at 11:58:33AM +0200, Moritz Muehlenhoff wrote:
> > please see http://seclists.org/oss-sec/2016/q2/413  for details.
> 
> That link says:
>   Versions Affected: 
>   Apache Tika 0.10 to 1.12
> 
> So perhaps 1.5 isn't affected after all? I tried to find the relevant
> commit in the upstream git but failed :(

Commit 
https://github.com/apache/tika/commit/f444fd784b99b181cd7bd54cdec9fbd132b4ef93
in 1.17 added a test case, so this might be related to changes in Xerces/J
which are possibly bundled by Tika downloads? Might be worth clarifying with
Tim Allison <talli...@apache.org>.

Cheers,
Moritz



Bug#885338: CVE-2017-12165

2017-12-26 Thread Moritz Muehlenhoff
Source: undertow
Severity: important
Tags: security

The only source here is a report in Red Hat Bugzilla, so might be worth contacting
upstream for additional information:
https://bugzilla.redhat.com/show_bug.cgi?id=1490301

Cheers,
Moritz



Bug#870860: openjfx: CVE-2017-10086 CVE-2017-10114

2017-10-17 Thread Moritz Muehlenhoff
On Tue, Oct 17, 2017 at 04:30:16PM +0200, Emmanuel Bourg wrote:
> I ran the Oracle JavaFX demos with the new version and it worked fine
> (except the media player but this isn't a regression, something is
> probably misconfigured on my machine).
> 
> Should I proceed with the upload, or do you want to do it directly?

Please go ahead with the upload. I'll also test this with mediathekview 
(which is the only reverse dependency in stretch IIRC). Unfortunately 
it's geoblocked, so one can't test unless you have a German IP address :-/

Cheers,
Moritz



Bug#870860: openjfx: CVE-2017-10086 CVE-2017-10114

2017-10-06 Thread Moritz Muehlenhoff
On Fri, Oct 06, 2017 at 04:27:02PM +0200, Emmanuel Bourg wrote:
> Hi,
> 
> Quick update on openjfx: the package is back on track, as of version
> 8u141-b14-3 I eventually managed to get it to build on both amd64 and
> i386 in unstable for the first time since January. If the tests go well
> I'll prepare the security update next week.

Thanks.

Cheers,
Moritz



Bug#870860: openjfx: CVE-2017-10086 CVE-2017-10114

2017-10-02 Thread Moritz Muehlenhoff
On Sat, Aug 05, 2017 at 09:58:53PM +0200, Salvatore Bonaccorso wrote:
> Source: openjfx
> Version: 8u131-b11-1
> Severity: grave
> Tags: upstream security
> 
> Hi,
> 
> the following vulnerabilities were published for openjfx.
> 
> CVE-2017-10086[0] and CVE-2017-10114[1].
> 
> Unfortunately it's no more details possibly known as shared via [2],
> which states that the supported versions vulnerable are 7u141 and
> 8u131. The severity is probably as well overrated for this bugreport
> and a DSA not deserved. But bug should help tracking the fix for
> future unstable upload.
> 
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2017-10086
> [1] https://security-tracker.debian.org/tracker/CVE-2017-10114
> [2] http://www.oracle.com/technetwork/security-advisory/cpujul2017verbose-3236625.html#JAVA
> 
> Please adjust the affected versions in the BTS as needed.

Java maintainers, shall we follow the procedures for openjdk and
rebase to a new upstream release in stretch?

Cheers,
Moritz



Bug#860566: fixed in batik 1.9-1

2017-10-01 Thread Moritz Muehlenhoff
On Mon, Sep 04, 2017 at 06:19:28AM +, Christopher Hoskin wrote:
> Changes:
>  batik (1.9-1) unstable; urgency=medium

[..]

>   * New upstream (1.9)
>     + Fix "CVE-2017-5662: information disclosure vulnerability" Upstream claim
>       BATIK-1139 is fixed in 1.9 (Closes: #860566)

Hi,
this doesn't warrant a DSA, but there's still the possibility to fix this via a
stable point update [1], so I was wondering whether anything of that sort is
planned by you.

Cheers,
Moritz

[1] 
https://www.debian.org/doc/manuals/developers-reference/ch05.html#upload-stable



Bug#867493: CVE-2016-2141

2017-07-06 Thread Moritz Muehlenhoff
Package: libjgroups-java
Severity: important
Tags: security

This was assigned CVE-2016-2141:
https://issues.jboss.org/browse/JGRP-2021?_sscc=t

Cheers,
   Moritz



Bug#864405: CVE-2016-2666

2017-06-08 Thread Moritz Muehlenhoff
Source: undertow
Severity: grave
Tags: security

There's no other reference than what Red Hat published here:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2666

Upstream needs to be contacted or the patch pulled from their
update.

Cheers,
Moritz



Bug#863811: CVE-2017-5637

2017-05-31 Thread Moritz Muehlenhoff
Source: zookeeper
Severity: grave
Tags: security

Please see https://issues.apache.org/jira/browse/ZOOKEEPER-2693

Fix is referenced here: https://github.com/apache/zookeeper/pull/183

I'm also attaching the debdiff I'll be using for jessie for reference.

Cheers,
Moritz

diff -Nru zookeeper-3.4.5+dfsg/debian/changelog 
zookeeper-3.4.5+dfsg/debian/changelog
--- zookeeper-3.4.5+dfsg/debian/changelog   2016-10-01 20:02:51.0 
+0200
+++ zookeeper-3.4.5+dfsg/debian/changelog   2017-05-31 11:29:29.0 
+0200
@@ -1,3 +1,9 @@
+zookeeper (3.4.5+dfsg-2+deb8u2) jessie-security; urgency=medium
+
+  * CVE-2017-5637
+
+ -- Moritz Mühlenhoff   Wed, 31 May 2017 11:28:54 +0200
+
 zookeeper (3.4.5+dfsg-2+deb8u1) jessie; urgency=high
 
   * Team upload.
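Review bot: The new changelog entry consists only of "* CVE-2017-5637" and does not say what the upload changes. The bundled patch disables the "wchp" and "wchc" four letter words by default, which is a behaviour change for anyone who monitors with them, so the entry should name debian/patches/CVE-2017-5637.patch and mention the new zookeeper.4lw.commands.whitelist property.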
diff -Nru zookeeper-3.4.5+dfsg/debian/patches/CVE-2017-5637.patch 
zookeeper-3.4.5+dfsg/debian/patches/CVE-2017-5637.patch
--- zookeeper-3.4.5+dfsg/debian/patches/CVE-2017-5637.patch 1970-01-01 
01:00:00.0 +0100
+++ zookeeper-3.4.5+dfsg/debian/patches/CVE-2017-5637.patch 2017-05-31 
11:28:32.0 +0200
@@ -0,0 +1,593 @@
+From 835377f0e1cd215e791ed29c0bcff95e625f299c Mon Sep 17 00:00:00 2001
+From: Michael Han 
+Date: Tue, 7 Mar 2017 17:34:34 +0530
+Subject: [PATCH] ZOOKEEPER-2693: DOS attack on wchp/wchc four letter words
+ (4lw)
+
+Similar as pull request 179, this PR introduces new property 
zookeeper.4lw.commands.whitelist to branch-3.4.
+Unlike branch-3.5 where all 4lw (with few exceptions) is disabled by default, 
for branch-3.4 only "wchp" and "wchc" are disabled by default - since 4lw is 
widely used and there is no alternatives in branch-3.4 so we just disable the 
exploitable ones.
+
+Author: Michael Han 
+
+Reviewers: Rakesh Radhakrishnan 
+
+Closes #183 from hanm/ZOOKEEPER-2693-br-3.4 and squashes the following commits:
+
+d060ddc [Michael Han] update doc.
+2ce4ebd [Michael Han] ZOOKEEPER-2693: DOS attack on wchp/wchc four letter 
words (4lw). Initial commit for branch-3.4.
+---
+ .../documentation/content/xdocs/zookeeperAdmin.xml |  44 
+ .../org/apache/zookeeper/server/NIOServerCnxn.java |  33 ++-
+ .../apache/zookeeper/server/NettyServerCnxn.java   |  32 ++-
+ .../org/apache/zookeeper/server/ServerCnxn.java|  94 +++-
+ src/java/test/org/apache/zookeeper/ZKTestCase.java |   4 +
+ .../test/FourLetterWordsWhiteListTest.java | 252 +
+ 6 files changed, 449 insertions(+), 10 deletions(-)
+ create mode 100644 
src/java/test/org/apache/zookeeper/test/FourLetterWordsWhiteListTest.java
+
+diff --git a/src/docs/src/documentation/content/xdocs/zookeeperAdmin.xml 
b/src/docs/src/documentation/content/xdocs/zookeeperAdmin.xml
+index 5aefa9a11..fb00fae24 100644
+--- a/src/docs/src/documentation/content/xdocs/zookeeperAdmin.xml
 b/src/docs/src/documentation/content/xdocs/zookeeperAdmin.xml
+@@ -1042,6 +1042,40 @@ server.3=zoo3:2888:3888
+   
+ 
+   
++
++  
++4lw.commands.whitelist
++
++
++  (Java system property: zookeeper.4lw.commands.whitelist)
++
++  New in 3.4.10:
++This property contains a list of comma separated
++Four Letter Words commands. It 
is introduced
++to provide fine grained control over the set of commands 
ZooKeeper can execute,
++so users can turn off certain commands if necessary.
++By default it contains all supported four letter word 
commands except "wchp" and "wchc",
++if the property is not specified. If the property is 
specified, then only commands listed
++in the whitelist are enabled.
++  
++
++  Here's an example of the configuration that enables stat, 
ruok, conf, and isro
++command while disabling the rest of Four Letter Words 
command:
++  
++4lw.commands.whitelist=stat, ruok, conf, isro
++  
++
++  Users can also use asterisk option so they don't have to 
include every command one by one in the list.
++As an example, this will enable all four letter word commands:
++  
++  
++4lw.commands.whitelist=*
++  
++
++
++  
++
+ 
+ 
+   
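Review bot: The added documentation says "New in 3.4.10:", but this patch is being applied to zookeeper 3.4.5+dfsg, so the version statement is wrong for the package that ships it; adjust the wording in the backport or describe the property in debian/NEWS. The closing example "4lw.commands.whitelist=*" also turns "wchp" and "wchc" back on, which the text should state next to it.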
+@@ -1667,6 +1701,16 @@ imok
+ usage limit that would cause the system to swap.
+   
+ 
++
++
++  Publicly accessible deployment
++  
++
++  A ZooKeeper ensemble is expected to operate in a trusted 
computing environment.
++  It is thus recommended to deploy ZooKeeper behind a firewall.
++
++  
++
+   
+ 
+ 
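Review bot: The new "Publicly accessible deployment" paragraph recommends a firewall without saying what it protects against or what to restrict. Tie it to the four letter word commands this patch restricts, for example by referring to the 4lw.commands.whitelist entry added in the previous hunk, so the recommendation reads as part of the same fix.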
+diff --git a/src/java/main/org/apache/zookeeper/server/NIOServerCnxn.java 

Bug#853998: CVE-2017-3250 / CVE-2017-3249 / CVE-2017-3247 / CVE-2016-5528 / CVE-2016-5519

2017-02-02 Thread Moritz Muehlenhoff
Source: glassfish
Severity: grave
Tags: security

So Oracle has these lovely, unspecified vulnerabilities reported against Glassfish,
but it's my understanding that the Debian package only provides a minor subset
of what usually constitutes Java, so could you have a look, which of

http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html

might possibly affect the Debian package?

Cheers,
Moritz



Bug#851430: CVE-2016-9571

2017-01-14 Thread Moritz Muehlenhoff
Source: resteasy
Severity: important
Tags: security

There's not a great deal of information on this one other than this Red Hat
bugtracker entry:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9571

Cheers,
Moritz



Bug#851408: CVE-2016-6814

2017-01-14 Thread Moritz Muehlenhoff
Source: groovy
Severity: grave
Tags: security

Hi,
please see http://seclists.org/oss-sec/2017/q1/92

Cheers,
Moritz



Bug#793770: Cookie parsing bug may lead to 'HttpOnly' cookie bypass (CVE-2015-2156)

2017-01-09 Thread Moritz Muehlenhoff
severity 793770 grave
thanks

On Mon, Jul 27, 2015 at 11:51:53AM +0200, Luca Bruno wrote:
> Source: netty-3.9
> Version: 3.9.0.Final-1
> Severity: important
> Tags: security upstream patch
> 
> LinkedIn Security Team discovered a "Cookie" header parsing bug in Netty
> that could lead to universal bypass of the HttpOnly flag on cookies.
> 
> If the HttpOnly flag is included in the HTTP Set-Cookie response header,
> the cookie cannot usually be accessed through client-side script.
> This bug can be however leveraged to leak the cookie's name-value in the DOM,
> where a malicious script can access the content without any restriction.
> 
> CVE-2015-2156 has been assigned for this issue, which has been fixed upstream
> in release 3.9.8.Final and 3.10.3.Final.
> Please mention the CVE ID in the changelog when fixing this issue.
> 
> References:
>  * Security update
>    http://netty.io/news/2015/05/08/3-9-8-Final-and-3.html
>  * Issue technical details / PoC
>    http://engineering.linkedin.com/security/look-netty%E2%80%99s-recent-security-update-cve%C2%AD-2015%C2%AD-2156
>  * Fixing commit
>    https://github.com/slandelle/netty/commit/800555417e77029dcf8a31d7de44f27b5a8f79b8

This is unfixed with a patch for nearly 1.5 years, can we please get this
fixed for the stretch release?

Cheers,
Moritz



Bug#837170: CVE-2016-6345 / CVE-2016-6346 / CVE-2016-6347 / CVE-2016-6348

2016-09-09 Thread Moritz Muehlenhoff
Source: resteasy
Severity: important
Tags: security

Red Hat reported a few vulnerabilities in RestEasy, they don't seem to
be fixed in 3.0.19:

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-6345
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-6346
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-6347
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-6348

Cheers,
Moritz



Bug#832419: CVE-2016-3498

2016-07-25 Thread Moritz Muehlenhoff
Source: openjfx
Severity: grave
Tags: security

CVE-2016-3498 from
http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html#AppendixJAVA
should affect openjfx.

Cheers,
Moritz



Bug#826653: CVE-2016-4437

2016-06-07 Thread Moritz Muehlenhoff
Source: shiro
Severity: grave
Tags: security

The following was reported on oss-security. shiro doesn't seem to have
any rdeps in Debian.

Cheers,
Moritz

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
1.0.0-incubating - 1.2.4

Description:
A default cipher key is used for the "remember me" feature when not
explicitly configured.  A request that included a specially crafted request
parameter could be used to execute arbitrary code or access content that
would otherwise be protected by a security constraint.

Mitigation:
Users should upgrade to 1.2.5 [1],  ensure a secret cipher key is
configured [2], or disable the "remember me" feature. [3]

All binaries (.jars) are available in Maven Central already.

References:
[1] http://shiro.apache.org/download.html
[2] http://shiro.apache.org/configuration.html#Configuration-ByteArrayValues
[3] If using a shiro.ini, "remember me" can be disabled adding the
following config line in the '[main]' section:
  securityManager.rememberMeManager = null
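
A configuration check for the mitigations listed in the advisory above, as an added example that is not part of the original message or of Apache Shiro: it reads the '[main]' section of a shiro.ini and reports whether "remember me" is disabled, has its own cipher key, or falls back to the built-in default. The `cipherKey` property name, the `0x`-hex/Base64 value encoding and the sample files (including the sample key) are assumptions constructed for this example.

```python
import base64
import binascii
import re

SM_RMM = "securityManager.rememberMeManager"
AES_KEY_SIZES = (16, 24, 32)  # bytes; an assumption that the key is an AES key


def parse_main_section(ini_text):
    """Return {property: value} for the [main] section of a shiro.ini."""
    props, section = {}, None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section == "main" and "=" in line:
            key, _, value = line.partition("=")  # Base64 padding stays in value
            props[key.strip()] = value.strip()   # later lines override earlier
    return props


def decode_key(value):
    """Decode a byte-array value: 0x-prefixed hex, otherwise Base64."""
    try:
        if value.lower().startswith("0x"):
            return bytes.fromhex(value[2:])
        return base64.b64decode(value, validate=True)
    except (ValueError, binascii.Error):
        return None


def audit_remember_me(ini_text):
    """Classify the remember-me setup as one of:
    'disabled'    - securityManager.rememberMeManager = null
    'custom-key'  - a cipher key of a valid length is configured
    'invalid-key' - a cipher key is set but does not decode to a usable key
    'default-key' - nothing configured; on the affected versions
                    (1.0.0-incubating - 1.2.4) the built-in key is in use
    """
    props = parse_main_section(ini_text)
    manager = props.get(SM_RMM, "")
    if manager.lower() == "null":
        return "disabled"
    # The key may be set directly or on a bean wired in via "$name".
    beans = [SM_RMM]
    if manager.startswith("$"):
        beans.append(manager[1:])
    for bean in beans:
        value = props.get(bean + ".cipherKey")
        if value is None:
            continue
        key = decode_key(value)
        if key is not None and len(key) in AES_KEY_SIZES:
            return "custom-key"
        return "invalid-key"
    return "default-key"


# Constructed sample configurations; the key bytes 00..0f are a placeholder.
SAMPLE_DEFAULT = "[main]\nauthc.loginUrl = /login.jsp\n\n[urls]\n/** = authc\n"
SAMPLE_DISABLED = "[main]\nsecurityManager.rememberMeManager = null\n"
SAMPLE_KEYED = (
    "[main]\n"
    "# placeholder key, generate your own\n"
    "securityManager.rememberMeManager.cipherKey = "
    "0x000102030405060708090a0b0c0d0e0f\n"
)
SAMPLE_BEAN = (
    "[main]\n"
    "rememberMe = org.apache.shiro.web.mgt.CookieRememberMeManager\n"
    "rememberMe.cipherKey = AAECAwQFBgcICQoLDA0ODw==\n"
    "securityManager.rememberMeManager = $rememberMe\n"
)
SAMPLE_BAD = "[main]\nsecurityManager.rememberMeManager.cipherKey = 0x1234\n"
SAMPLE_WRONG_SECTION = (
    "[urls]\n"
    "securityManager.rememberMeManager.cipherKey = "
    "0x000102030405060708090a0b0c0d0e0f\n"
)

if __name__ == "__main__":
    for name in ("SAMPLE_DEFAULT", "SAMPLE_DISABLED", "SAMPLE_KEYED",
                 "SAMPLE_BEAN", "SAMPLE_BAD", "SAMPLE_WRONG_SECTION"):
        print(name, "->", audit_remember_me(globals()[name]))
```

A result of `default-key` only means the file does not configure a key; whether the installation is exposed still depends on the Shiro version in use.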
  



Bug#825501: CVE-2016-4434

2016-05-27 Thread Moritz Muehlenhoff
Source: tika
Severity: grave
Tags: security

Hi,
please see http://seclists.org/oss-sec/2016/q2/413  for details.

Cheers,
Moritz



Bug#823703: CVE-2016-3720

2016-05-07 Thread Moritz Muehlenhoff
Source: jackson-dataformat-xml
Severity: grave
Tags: security

jackson-dataformat-xml is susceptible to XXE attacks, this was
assigned CVE-2016-3720. Fix is here:
https://github.com/FasterXML/jackson-dataformat-xml/commit/f0f19a4c924d9db9a1e2830434061c8640092cc0

Cheers,
Moritz



Bug#823622: CVE-2015-4901 CVE-2015-4906 CVE-2015-4908 CVE-2015-4916

2016-05-06 Thread Moritz Muehlenhoff
Source: openjfx
Severity: grave
Tags: security

The four security issues from October's Java CPU are still unfixed, right?
http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html 

Cheers,
Moritz



Bug#819259: Don't include in stretch

2016-03-25 Thread Moritz Muehlenhoff
Source: tomcat7
Severity: serious

stretch should only provide one version of Tomcat.

Cheers,
Moritz



Bug#804522: jenkins: Unauthenticated remote code execution 0-day in Jenkins CLI

2015-11-09 Thread Moritz Muehlenhoff
Package: jenkins
Severity: grave
Tags: security
Justification: user security hole

Hi,
please see 
https://jenkins-ci.org/content/mitigating-unauthenticated-remote-code-execution-0-day-jenkins-cli

Cheers,
Moritz



Bug#804522: jenkins: Unauthenticated remote code execution 0-day in Jenkins CLI

2015-11-09 Thread Moritz Muehlenhoff
On Mon, Nov 09, 2015 at 09:25:20AM +0100, Emmanuel Bourg wrote:
> Hi Moritz,
> 
> If I'm not mistaken this vulnerability is actually linked to a dangerous
> deserialization in commons-collections if the input isn't properly
> sanitized.

Indeed, I intended to file a separate bug for those (but I was unsure whether
jenkins used the system-wide lib as opposed to the released versions from
jenkins upstream)

Cheers,
Moritz



Bug#803713: Keep out of testing

2015-11-01 Thread Moritz Muehlenhoff
Source: elasticsearch
Severity: serious

See DSA 3389, upstream security policies are not compatible with
being in stable.

Cheers,
Moritz



Bug#799280: Depends on gstreamer 0.10

2015-09-17 Thread Moritz Muehlenhoff
Source: openjfx
Severity: serious

Hi,
openjfx build-depends on gstreamer 0.10, which is scheduled
for removal from the archive. Please see
https://lists.debian.org/debian-devel/2015/05/msg00335.html
for details.

Cheers,
Moritz



Re: Bug#793984: jessie-pu: package groovy/1.8.6-4

2015-08-31 Thread Moritz Muehlenhoff
On Thu, Aug 20, 2015 at 08:26:05AM -0300, Miguel Landaeta wrote:
> On Wed, Aug 19, 2015 at 07:05:26PM +0100, Adam D. Barratt wrote:
> > 
> > I just realised that I somehow overlooked the fact that #793397 isn't
> > fixed in unstable yet - what's the plan for that?
> 
> I intend to fix this soon but I haven't managed to fix a FTBFS bug for
> groovy in unstable yet that is blocking me regarding this issue.

Moving the rdeps to groovy2 seems the better fix to me (#793911).

Cheers,
Moritz



Bug#796137: CVE-2015-3192

2015-08-19 Thread Moritz Muehlenhoff
Source: libspring-java
Severity: important
Tags: security

Please see https://pivotal.io/security/cve-2015-3192

Cheers,
Moritz

__
This is the maintainer address of Debian's Java team
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers. 
Please use
debian-j...@lists.debian.org for discussions and questions.


Bug#793911: groovy should not release with stretch

2015-07-28 Thread Moritz Muehlenhoff
Package: groovy
Severity: serious

A separate source package groovy2 was uploaded, so reverse dependencies
need to be migrated to that one and groovy removed.

Cheers,
Moritz



Bug#793492: Should this package be removed?

2015-07-24 Thread Moritz Muehlenhoff
Package: azureus
Severity: serious

The version of azureus currently in the archive has been uploaded
in 2009 and is many upstream releases behind. It has been dropped
from testing back in 2013 and the last upload was in 2011. Since
there's apparently no current maintenance interest in Vuze/Azureus
and since there are plenty of other Torrent clients in Debian I
suggest we remove it from the archive.

If you agree, please reassign this bug to ftp.debian.org

Cheers,
Moritz



Bug#792857: CVE-2014-3576

2015-07-19 Thread Moritz Muehlenhoff
Source: activemq
Severity: grave
Tags: security

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3576 is scarce on
details, but per the fixed upstream release probably affects oldstable
and stable.

Cheers,
Moritz



Bug#780383: libopensaml2-java: CVE-2015-1796

2015-06-29 Thread Moritz Muehlenhoff
On Sat, May 09, 2015 at 08:35:13AM -0700, tony mancill wrote:
> On 05/06/2015 10:54 PM, tony mancill wrote:
> > An update on this...  I'm in the midst of packaging 2.6.5, but it in
> > turn requires an update to libxmltooling-java to version 1.4.4, which I
> > am working on now.
>
> In an email exchange with Scott Cantor, who works on this family of
> libraries upstream, he stated that the v2 libraries will be EOL this
> summer, and that he would advise not to ship them in a release unless
> Debian will maintain them.
>
> Based upon that information, the low popcon, and the fact that this
> cluster of packages appear to be leaf packages (I can't find r-deps for
> them):
>
>   libopenws-java
>   libshib-common-java
>   libopensaml2-java
>   libshib-parent-project2-java
>
> I'm not going to take action to prevent the automated removal from
> testing and am considering requesting that the packages be removed from
> the archive.  If people are using these libraries and can make a case
> for them being available in Debian, please speak up.

Since no one objected and since they're already dropped from testing
for three weeks now, I'll also request removal from unstable now.

Cheers,
Moritz



Bug#787316: CVE-2015-1833

2015-05-31 Thread Moritz Muehlenhoff
Source: jackrabbit
Severity: grave
Tags: security

Hi,
please see https://issues.apache.org/jira/browse/JCR-3883

Cheers,
Moritz



Bug#781223: jenkins: Multiple security issues

2015-03-26 Thread Moritz Muehlenhoff
Package: jenkins
Severity: grave
Tags: security
Justification: user security hole

Hi,
please see

https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-03-23:
SECURITY-171 is CVE-2015-1812
SECURITY-177 is CVE-2015-1813
SECURITY-180 is CVE-2015-1814

and

https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-02-27:
SECURITY-125 is CVE-2015-1806
SECURITY-162 is CVE-2015-1807
SECURITY-163 is CVE-2015-1808
SECURITY-165 is CVE-2015-1809
SECURITY-166 is CVE-2015-1810
SECURITY-167 is CVE-2015-1811

Cheers,
Moritz



Bug#758086: CVE-2012-6153: Apache HttpComponents client: Hostname verification susceptible to MITM attack

2015-03-23 Thread Moritz Muehlenhoff
On Mon, Dec 29, 2014 at 10:25:24PM +0100, Moritz Mühlenhoff wrote:
> On Mon, Sep 22, 2014 at 03:56:00PM +0200, Raphael Hertzog wrote:
> > Hi,
> >
> > On Mon, 18 Aug 2014, Salvatore Bonaccorso wrote:
> > > On Thu, Aug 14, 2014 at 11:43:32PM +0200, Emmanuel Bourg wrote:
> > > > Is there an example available somewhere of a subject improperly parsed
> > > > by commons-httpclient/3.1-10.2? This would help backporting the fix to
> > > > this version.
> > >
> > > I think this is already fixed in 3.1-10.2, see the Red Hat bug as
> > > reference and See https://bugs.debian.org/692442#56 and following
> > > mails.
> >
> > I don't understand this from those mails. On the contrary, RedHat
> > did update their packages with a new patch on top of the former
> > patch:
> > https://git.centos.org/blob/rpms!jakarta-commons-httpclient/5acb7f7b3e637c3a6d072e3f037a3c4abb6c48af/SOURCES!jakarta-commons-httpclient-CVE-2014-3577.patch
> >
> > And the Debian package still has the old version of getCN().
>
> What's the status? Can we get that fixed for jessie?

*ping*, the release is getting closer.

Cheers,
Moritz



Bug#780102: libjbcrypt-java: CVE-2015-0886

2015-03-09 Thread Moritz Muehlenhoff
Package: libjbcrypt-java
Severity: grave
Tags: security
Justification: user security hole

Hi,
please see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0886
http://www.mindrot.org/projects/jBCrypt/news/rel04.html
https://bugzilla.mindrot.org/show_bug.cgi?id=2097

Cheers,
 Moritz



Bug#779621: jakarta-taglibs-standard: CVE-2015-0254

2015-03-02 Thread Moritz Muehlenhoff
Package: jakarta-taglibs-standard
Severity: important
Tags: security

Please see
http://www.securityfocus.com/archive/1/534772

Cheers,
Moritz



Bug#762690: libhibernate-validator-java: affected by CVE-2014-3558

2015-03-02 Thread Moritz Muehlenhoff
severity 762690 important
thx

On Sun, Nov 02, 2014 at 11:38:30PM +0100, Emmanuel Bourg wrote:
> libhibernate-validator-java is only used as a build dependency of
> libhibernate3-java. No package depends on it at runtime, so the risk of
> being affected by this vulnerability is rather low, if not zero.

I'm downgrading the severity to normal. No need to treat it as a RC
security bug.

Cheers,
Moritz



Bug#777196: activemq: CVE-2014-8110 CVE-2014-3612 CVE-2014-3600

2015-02-17 Thread Moritz Muehlenhoff
On Fri, Feb 06, 2015 at 01:56:35PM +0100, Emmanuel Bourg wrote:
> For CVE-2014-3600:
> https://github.com/apache/activemq/commit/b9696ac8
> https://issues.apache.org/jira/browse/AMQ-5333

Could you please upload a fixed package for CVE-2014-3612 and
CVE-2014-3600?

Cheers,
Moritz



Bug#777741: wss4j: CVE-2015-0226 CVE-2015-0227

2015-02-11 Thread Moritz Muehlenhoff
Package: wss4j
Severity: grave
Tags: security
Justification: user security hole

Hi,
please see
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-0226
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-0227

Cheers,
Moritz



Bug#777196: activemq: CVE-2014-8110 CVE-2014-3612 CVE-2014-3600

2015-02-05 Thread Moritz Muehlenhoff
Package: activemq
Severity: important
Tags: security

Hi,
please see
http://activemq.apache.org/security-advisories.data/CVE-2014-8110-announcement.txt
(but the admin console isn't enabled, so this should be moot? (702670))

http://activemq.apache.org/security-advisories.data/CVE-2014-3612-announcement.txt
http://activemq.apache.org/security-advisories.data/CVE-2014-3600-announcement.txt

Cheers,
Moritz



Bug#775171: libapache-poi-java: CVE-2014-9527

2015-01-11 Thread Moritz Muehlenhoff
Package: libapache-poi-java
Severity: important
Tags: security
Justification: user security hole

This was assigned CVE-2014-9527:
https://issues.apache.org/bugzilla/show_bug.cgi?id=57272

Could you please make a targeted fix for jessie?

Cheers,
Moritz



Bug#774050: CVE-2014-9390

2014-12-27 Thread Moritz Muehlenhoff
Source: jgit
Severity: important
Tags: security

jgit is also affected by the recent git vulnerability:
http://openwall.com/lists/oss-security/2014/12/18/21

Cheers,
Moritz



Bug#773364: async-http-client: CVE-2013-7397 CVE-2013-7398

2014-12-17 Thread Moritz Muehlenhoff
Package: async-http-client
Severity: important
Tags: security

Hi,
please see 

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-7397 :
https://github.com/AsyncHttpClient/async-http-client/issues/352

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-7398 :
https://github.com/AsyncHttpClient/async-http-client/issues/197
https://github.com/wsargent/async-http-client/commit/db6716ad2f10f5c2d5124904725017b2ba8c3434

It would be nice if we could address CVE-2013-7398 for jessie.

Cheers,
Moritz



Bug#773364: async-http-client: CVE-2013-7397 CVE-2013-7398

2014-12-17 Thread Moritz Muehlenhoff
On Wed, Dec 17, 2014 at 06:08:00PM +0100, Emmanuel Bourg wrote:
> Hi Moritz,
>
> Thank you for the report
>
> On 17/12/2014 15:43, Moritz Muehlenhoff wrote:
>
> > https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-7397 :
> > https://github.com/AsyncHttpClient/async-http-client/issues/352
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-7398 :
> > https://github.com/AsyncHttpClient/async-http-client/issues/197
> > https://github.com/wsargent/async-http-client/commit/db6716ad2f10f5c2d5124904725017b2ba8c3434
>
> It seems the version 1.6.5 in wheezy/jessie/unstable is not affected by
> CVE-2013-7398. The class AllowAllHostnameVerifier doesn't exist, in this
> version the user of the API has to provide its own HostnameVerifier.
>
> I confirm the version 1.6.5 is affected by CVE-2013-7397.

Thanks. I've updated the security tracker.

Cheers,
Moritz



Bug#760733: libspring-java: CVE-2014-0225

2014-11-26 Thread Moritz Muehlenhoff
On Wed, Nov 26, 2014 at 12:40:37PM +0100, Emmanuel Bourg wrote:
> I've been investigating this issue as well. I contacted an upstream
> developer and it seems the actual fix for this issue is unknown. The
> version 3.2.0 was just reported as not vulnerable by the security
> researcher who discovered this issue.
>
> I can prepare an upgrade to the latest 3.2.x version but this will at
> least require libhibernate-validator-java to be unblocked as well.

I didn't look into the specific issue, but Red Hat Bugzilla has
references to isolated patches?

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0225

Cheers,
Moritz



Bug#763608: CVE-2014-3607

2014-10-01 Thread Moritz Muehlenhoff
Source: libvt-ldap-java
Severity: grave
Tags: security

This has been assigned CVE-2014-3607:
https://code.google.com/p/vt-middleware/issues/detail?id=226

http://shibboleth.net/community/advisories/secadv_20140919.txt

Cheers,
Moritz



Bug#758516: Struts 1.2 should not be shipped with jessie

2014-09-17 Thread Moritz Muehlenhoff
On Tue, Sep 16, 2014 at 12:12:03AM +0200, Emmanuel Bourg wrote:
> On 15/09/2014 23:56, Moritz Mühlenhoff wrote:
>
> > Then it should be easy to remove?
>
> Actually it's easier to keep it, since a removal induces more work to
> update the reverse dependencies.
>
>
> > Well, but if we keep old, unsupported libs around, people might be exposed
> > by running code not shipped in Debian, but using these libraries.
>
> Sure but we are not responsible for such things. This library can be
> downloaded from other places like Maven Central, removing it won't
> change anything.

That's not how we handle in Debian: If a library is shipped in Debian,
it is fully supported to be used by local libs. 

Anything in /usr/local or installed through Maven is of course the
responsibility of the user.

So we should go ahead with the removal of struts 1.2 by filing RC bugs against
the packages using it.

Cheers,
Moritz



Bug#759526: not-yet-commons-ssl: CVE-2014-3604

2014-08-28 Thread Moritz Muehlenhoff
Package: not-yet-commons-ssl
Severity: grave
Tags: security
Justification: user security hole

This was assigned CVE-2014-3604:
http://lists.juliusdavies.ca/pipermail/not-yet-commons-ssl-juliusdavies.ca/2014-August/000832.html

Cheers,
Moritz



Bug#759470: libopensaml2-java: CVE-2014-3603

2014-08-27 Thread Moritz Muehlenhoff
Package: libopensaml2-java
Severity: grave
Tags: security
Justification: user security hole

Please see http://shibboleth.net/community/advisories/secadv_20140813.txt

Cheers,
Moritz



Bug#758516: Struts 1.2 should not be shipped with jessie

2014-08-18 Thread Moritz Muehlenhoff
Package: libstruts1.2-java
Severity: serious

Struts 1.x is EOLed upstream, it should not be included in jessie:
http://mail-archives.apache.org/mod_mbox/struts-announcements/201404.mbox/%3C535F5F52.4040108%40apache.org%3E

Cheers,
Moritz



Bug#753470: libspring-java: CVE-2014-0225

2014-07-02 Thread Moritz Muehlenhoff
Package: libspring-java
Severity: grave
Tags: security
Justification: user security hole

Hi,
please see http://www.gopivotal.com/security/cve-2014-0225

Cheers,
Moritz



Bug#741604: libspring-java: Multiple security issues

2014-03-14 Thread Moritz Muehlenhoff
Package: libspring-java
Severity: grave
Tags: security
Justification: user security hole

http://www.gopivotal.com/security/cve-2014-0054
http://www.gopivotal.com/security/cve-2014-1904

I'm not sure whether these are worth a DSA?

Cheers,
Moritz



Bug#740586: mojarra: CVE-2013-5855

2014-03-03 Thread Moritz Muehlenhoff
Package: mojarra
Severity: grave
Tags: security
Justification: user security hole

Hi,
this was assigned CVE-2013-5855:
https://java.net/jira/browse/JAVASERVERFACES-3150

Fix:
https://java.net/projects/mojarra/sources/svn/revision/12793

Cheers,
Moritz



Bug#736426: freehep-graphicsio-svg: Recompilation of the package breaks other packages

2014-02-19 Thread Moritz Muehlenhoff
On Tue, Jan 28, 2014 at 07:45:41AM +0100, Moritz Muehlenhoff wrote:
> On Fri, Jan 24, 2014 at 10:49:06AM +0100, Moritz Muehlenhoff wrote:
> > I did some digging in the reverse deps and found the following bug:
> > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=688043
> >
> > In fact, adding that patch to the version of maven-debian-helper in Wheezy
> > and rebuilding the source packages mentioned above fixes the geogebra build.
> >
> > I'm adding the Debian Java maintainers to CC, what's the proper fix forward
> > here, should the patch from #688043 be shipped in a point release or are the
> > freehep packages buggy and require other fixes?
>
> This bug also applies to geronimo-jta-1.1-spec. Rebuilding it in stable leads
> to a broken package which e.g. results in additional build failures of
> libhibernate-jbosscache-java.
> Also reported independently as
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=708405
>
> Rebuilding geronimo-jta-1.1-spec with the maven-debian-helper patch above
> fixes that as well.

doxia-sitetools is also affected by the same bug.
 
Cheers,
   Moritz



Re: freehep-graphicsio-svg: Recompilation of the package breaks other packages

2014-01-27 Thread Moritz Muehlenhoff
On Fri, Jan 24, 2014 at 10:49:06AM +0100, Moritz Muehlenhoff wrote:
> I did some digging in the reverse deps and found the following bug:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=688043
>
> In fact, adding that patch to the version of maven-debian-helper in Wheezy
> and rebuilding the source packages mentioned above fixes the geogebra build.
>
> I'm adding the Debian Java maintainers to CC, what's the proper fix forward
> here, should the patch from #688043 be shipped in a point release or are the
> freehep packages buggy and require other fixes?

This bug also applies to geronimo-jta-1.1-spec. Rebuilding it in stable leads
to a broken package which e.g. results in additional build failures of
libhibernate-jbosscache-java.
Also reported independently as
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=708405

Rebuilding geronimo-jta-1.1-spec with the maven-debian-helper patch above
fixes that as well.

Cheers,
   Moritz



Re: freehep-graphicsio-svg: Recompilation of the package breaks other packages

2014-01-24 Thread Moritz Muehlenhoff
On Thu, Jan 23, 2014 at 04:13:19PM +0100, Moritz Muehlenhoff wrote:
 Package: freehep-graphicsio-svg
 Version: 2.1.1-3
 Severity: serious
 
 I ran into the following bug with stable, but the version is the same as in 
 unstable:
 
 If I compile geogebra with the binary deb package as shipped in stable it 
 compiles fine.
 
 However, if I rebuild freehep-graphicsio-svg in stable, the geogebra builds 
 breaks with
 the following error:
 
 -
 src/geogebra/export/SVGExtensions.java:16: package org.freehep.graphicsio.svg 
 does not exist
 public class SVGExtensions extends org.freehep.graphicsio.svg.SVGGraphics2D {
  ^
 src/geogebra/export/GraphicExportDialog.java:59: package 
 org.freehep.graphicsio.svg does not exist
 import org.freehep.graphicsio.svg.SVGGraphics2D;
  ^
 src/geogebra/export/SVGExtensions.java:23: cannot find symbol
 symbol  : variable os
 location: class geogebra.export.SVGExtensions
 os.println(g id=\ + s + \);
 ^
 src/geogebra/export/SVGExtensions.java:27: cannot find symbol
 symbol  : variable os
 location: class geogebra.export.SVGExtensions
 os.println(/g!--  + s +  --);
 ^
 src/geogebra/export/GraphicExportDialog.java:708: cannot find symbol
 symbol  : variable SVGGraphics2D
 location: class geogebra.export.GraphicExportDialog
 final UserProperties props = (UserProperties) 
 SVGGraphics2D
   ^
 src/geogebra/export/GraphicExportDialog.java:710: cannot find symbol
 symbol  : variable SVGGraphics2D
 location: class geogebra.export.GraphicExportDialog
 props.setProperty(SVGGraphics2D.EMBED_FONTS, 
 !textAsShapes);
   ^
 src/geogebra/export/GraphicExportDialog.java:711: cannot find symbol
 symbol  : variable SVGGraphics2D
 location: class geogebra.export.GraphicExportDialog
 props.setProperty(SVGGraphics2D.TEXT_AS_SHAPES, 
 textAsShapes);
   ^
 src/geogebra/export/GraphicExportDialog.java:712: cannot find symbol
 symbol  : variable SVGGraphics2D
 location: class geogebra.export.GraphicExportDialog
 SVGGraphics2D.setDefaultProperties(props);
 ^
 src/geogebra/export/GraphicExportDialog.java:724: cannot find symbol
 symbol  : method startExport()
 location: class geogebra.export.SVGExtensions
 g.startExport();
  ^
 src/geogebra/export/GraphicExportDialog.java:725: cannot find symbol
 symbol  : method exportPaintPre(geogebra.export.SVGExtensions,double)
 location: class geogebra.euclidian.EuclidianView
 ev.exportPaintPre(g, exportScale);
   ^
 src/geogebra/export/GraphicExportDialog.java:728: 
 drawObjectsPre(java.awt.Graphics2D) in geogebra.euclidian.EuclidianView 
 cannot be applied to (geogebra.export.SVGExtensions)
 ev.drawObjectsPre(g);
   ^
 src/geogebra/export/GraphicExportDialog.java:738: 
 drawAll(java.awt.Graphics2D) in geogebra.euclidian.DrawableList cannot be 
 applied to (geogebra.export.SVGExtensions)
 ev.drawLayers[layer].drawAll(g);
 ^
 src/geogebra/export/GraphicExportDialog.java:742: cannot find symbol
 symbol  : method endExport()
 location: class geogebra.export.SVGExtensions
 g.endExport();
  ^
 src/geogebra/gui/util/BrowserLauncher.java:36: warning: non-varargs call of 
 varargs method with inexact argument type for last parameter;
 cast to java.lang.Class for a varargs call
 cast to java.lang.Class[] for a non-varargs call and to suppress this warning
   Method getDesktop = 
 desktopClass.getDeclaredMethod(getDesktop, null);   
   
  ^
 src/geogebra/gui/util/BrowserLauncher.java:38: warning: non-varargs call of 
 varargs method with inexact argument type for last parameter;
 cast to java.lang.Object for a varargs call
 cast to java.lang.Object[] for a non-varargs call and to suppress this warning
   Object desktopObj = getDesktop.invoke(null, null); 
   ^
 Note: Some input files use or override a deprecated API.
 Note: Recompile with -Xlint:deprecation for details.
 Note: Some input fi
 -
 
 The rebuilt package misses a symlink. The binary package currently shipped 
 with stable contains this:
 
 /.
 /usr
 /usr/share
 /usr/share/doc
 /usr/share/doc/libfreehep-graphicsio-svg-java
 /usr/share/doc/libfreehep-graphicsio-svg-java/changelog.Debian.gz
 /usr/share/doc/libfreehep-graphicsio-svg-java/copyright
 /usr/share/maven-repo
 /usr/share/maven

Bug#736426: freehep-graphicsio-svg: Recompilation of the package breaks other packages

2014-01-23 Thread Moritz Muehlenhoff
Package: freehep-graphicsio-svg
Version: 2.1.1-3
Severity: serious

I ran into the following bug with stable, but the version is the same as in
unstable:

If I compile geogebra with the binary deb package as shipped in stable it
compiles fine.

However, if I rebuild freehep-graphicsio-svg in stable, the geogebra build
breaks with the following error:

-
src/geogebra/export/SVGExtensions.java:16: package org.freehep.graphicsio.svg 
does not exist
public class SVGExtensions extends org.freehep.graphicsio.svg.SVGGraphics2D {
 ^
src/geogebra/export/GraphicExportDialog.java:59: package 
org.freehep.graphicsio.svg does not exist
import org.freehep.graphicsio.svg.SVGGraphics2D;
 ^
src/geogebra/export/SVGExtensions.java:23: cannot find symbol
symbol  : variable os
location: class geogebra.export.SVGExtensions
os.println(g id=\ + s + \);
^
src/geogebra/export/SVGExtensions.java:27: cannot find symbol
symbol  : variable os
location: class geogebra.export.SVGExtensions
os.println(/g!--  + s +  --);
^
src/geogebra/export/GraphicExportDialog.java:708: cannot find symbol
symbol  : variable SVGGraphics2D
location: class geogebra.export.GraphicExportDialog
final UserProperties props = (UserProperties) 
SVGGraphics2D
  ^
src/geogebra/export/GraphicExportDialog.java:710: cannot find symbol
symbol  : variable SVGGraphics2D
location: class geogebra.export.GraphicExportDialog
props.setProperty(SVGGraphics2D.EMBED_FONTS, 
!textAsShapes);
  ^
src/geogebra/export/GraphicExportDialog.java:711: cannot find symbol
symbol  : variable SVGGraphics2D
location: class geogebra.export.GraphicExportDialog
props.setProperty(SVGGraphics2D.TEXT_AS_SHAPES, 
textAsShapes);
  ^
src/geogebra/export/GraphicExportDialog.java:712: cannot find symbol
symbol  : variable SVGGraphics2D
location: class geogebra.export.GraphicExportDialog
SVGGraphics2D.setDefaultProperties(props);
^
src/geogebra/export/GraphicExportDialog.java:724: cannot find symbol
symbol  : method startExport()
location: class geogebra.export.SVGExtensions
g.startExport();
 ^
src/geogebra/export/GraphicExportDialog.java:725: cannot find symbol
symbol  : method exportPaintPre(geogebra.export.SVGExtensions,double)
location: class geogebra.euclidian.EuclidianView
ev.exportPaintPre(g, exportScale);
  ^
src/geogebra/export/GraphicExportDialog.java:728: 
drawObjectsPre(java.awt.Graphics2D) in geogebra.euclidian.EuclidianView cannot 
be applied to (geogebra.export.SVGExtensions)
ev.drawObjectsPre(g);
  ^
src/geogebra/export/GraphicExportDialog.java:738: drawAll(java.awt.Graphics2D) 
in geogebra.euclidian.DrawableList cannot be applied to 
(geogebra.export.SVGExtensions)
ev.drawLayers[layer].drawAll(g);
^
src/geogebra/export/GraphicExportDialog.java:742: cannot find symbol
symbol  : method endExport()
location: class geogebra.export.SVGExtensions
g.endExport();
 ^
src/geogebra/gui/util/BrowserLauncher.java:36: warning: non-varargs call of 
varargs method with inexact argument type for last parameter;
cast to java.lang.Class for a varargs call
cast to java.lang.Class[] for a non-varargs call and to suppress this warning
  Method getDesktop = desktopClass.getDeclaredMethod(getDesktop, 
null);   
   ^
src/geogebra/gui/util/BrowserLauncher.java:38: warning: non-varargs call of 
varargs method with inexact argument type for last parameter;
cast to java.lang.Object for a varargs call
cast to java.lang.Object[] for a non-varargs call and to suppress this warning
  Object desktopObj = getDesktop.invoke(null, null); 
  ^
Note: Some input files use or override a deprecated API.
Note: Recompile with -Xlint:deprecation for details.
Note: Some input fi
-

The rebuilt package misses a symlink. The binary package currently shipped with 
stable contains this:

/.
/usr
/usr/share
/usr/share/doc
/usr/share/doc/libfreehep-graphicsio-svg-java
/usr/share/doc/libfreehep-graphicsio-svg-java/changelog.Debian.gz
/usr/share/doc/libfreehep-graphicsio-svg-java/copyright
/usr/share/maven-repo
/usr/share/maven-repo/org
/usr/share/maven-repo/org/freehep
/usr/share/maven-repo/org/freehep/freehep-graphicsio-svg
/usr/share/maven-repo/org/freehep/freehep-graphicsio-svg/debian

Bug#735420: libspring-java: CVE-2013-6429 CVE-2013-6430

2014-01-15 Thread Moritz Muehlenhoff
Package: libspring-java
Severity: grave
Tags: security
Justification: user security hole

Please see
http://www.gopivotal.com/security/cve-2013-6429
http://www.gopivotal.com/security/cve-2013-6430

Cheers,
Moritz

__
This is the maintainer address of Debian's Java team
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers. 
Please use
debian-j...@lists.debian.org for discussions and questions.


Bug#733938: libxml-security-java: CVE-2013-4517

2014-01-02 Thread Moritz Muehlenhoff
Package: libxml-security-java
Severity: grave
Tags: security
Justification: user security hole

Please see http://santuario.apache.org/secadv.data/cve-2013-4517.txt.asc

Please prepare updated oldstable-security/stable-security packages for this issue
and CVE-2013-2172 (as fixed in 1.5.5-2) and contact t...@security.debian.org
http://www.debian.org/doc/manuals/developers-reference/pkgs.html#bug-security

Cheers,
Moritz



Bug#732708: jenkins: CVE-2013-5573

2013-12-20 Thread Moritz Muehlenhoff
Package: jenkins
Severity: important
Tags: security

Please see http://seclists.org/fulldisclosure/2013/Dec/159



Bug#731113: lucene-solr: CVE-2013-6397 CVE-2013-6407 CVE-2013-6408

2013-12-11 Thread Moritz Muehlenhoff
On Mon, Dec 02, 2013 at 09:56:04AM +0100, Moritz Muehlenhoff wrote:

> CVE-2013-6407:
> https://issues.apache.org/jira/browse/SOLR-3895

An additional CVE ID has been assigned to this issue: CVE-2012-6612
 
Cheers,
   Moritz



Bug#731113: lucene-solr: CVE-2013-6397 CVE-2013-6407 CVE-2013-6408

2013-12-02 Thread Moritz Muehlenhoff
Package: lucene-solr
Severity: grave
Tags: security
Justification: user security hole

CVE-2013-6397:
https://issues.apache.org/jira/browse/SOLR-4882

CVE-2013-6407:
https://issues.apache.org/jira/browse/SOLR-3895

CVE-2013-6408:
https://issues.apache.org/jira/browse/SOLR-4881

Cheers,
Moritz



Bug#730457: jenkins: CVE-2013-6372 CVE-2013-6373 CVE-2013-6374

2013-11-25 Thread Moritz Muehlenhoff
Package: jenkins
Severity: grave
Tags: security
Justification: user security hole

Please see
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-11-20
for references and patches.

Cheers,
Moritz



Bug#726601: libcommons-fileupload-java: CVE-2013-218

2013-10-16 Thread Moritz Muehlenhoff
Package: libcommons-fileupload-java
Severity: grave
Tags: security
Justification: user security hole

Red Hat fixed a security issue in Commons FileUpload:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2186

Cheers,
Moritz



Bug#722290: Please migrate from ffmpeg to libav-tools

2013-09-09 Thread Moritz Muehlenhoff
Package: jsymphonic
Severity: normal
User: pkg-multimedia-maintain...@lists.alioth.debian.org
Usertags: ffmpeg-removal

The ffmpeg binary package is no longer provided from libav.

Please port your package to the avconv tools from libav-tools.

Cheers,
Moritz

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.10-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash



Bug#720902: libspring-java: CVE-2013-4152

2013-08-26 Thread Moritz Muehlenhoff
Package: libspring-java
Severity: grave
Tags: security
Justification: user security hole

Please see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4152 for 
details.

Cheers,
Moritz



Bug#717031: libjgroups-java: CVE-2013-4112

2013-07-16 Thread Moritz Muehlenhoff
Package: libjgroups-java
Severity: grave
Tags: security
Justification: user security hole

Please see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4112



Bug#716937: openjpa: CVE-2013-1768

2013-07-14 Thread Moritz Muehlenhoff
Package: openjpa
Severity: grave
Tags: security
Justification: user security hole

Please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1768

Cheers,
Moritz



Bug#707704: tomcat7: CVE-2013-2071

2013-05-10 Thread Moritz Muehlenhoff
Package: tomcat7
Severity: important
Tags: security

Three security issues were reported in tomcat today:
http://tomcat.apache.org/security-7.html

CVE-2013-2067 and CVE-2012-3544 were made public today, but already fixed in 
past
releases. Hence, in comparison to stable/oldstable sid is already fixed.

Note that CVE-2013-2067 and CVE-2012-3544 also affect tomcat6. tomcat6 should
be removed now that wheezy is released.

Cheers,
Moritz



Bug#695250: tomcat6: CVE-2012-4534 CVE-2012-4431 CVE-2012-3546

2012-12-07 Thread Moritz Muehlenhoff
On Thu, Dec 06, 2012 at 10:23:17PM -0800, tony mancill wrote:
> On 12/05/2012 11:43 PM, Moritz Muehlenhoff wrote:
> > Package: tomcat6
> > Severity: grave
> > Tags: security
> > Justification: user security hole
> >
> > More Tomcat security issues have been disclosed:
> > http://tomcat.apache.org/security-6.html
> >
> > The page contains links to the upstream fixes.
> >
> > BTW, is there a specific reason why both tomcat6 and tomcat7 are present in
> > Wheezy?
> > This will duplicate all efforts for security updates in Wheezy.
>
> Hi Moritz,
>
> I have an updated package that includes the patches for these 3 CVEs and
> am doing some smoke-testing now.  But before I upload, I have a question
> about what is permissible to include in the upload.  I'd like to rename
> the patches that were included in the 6.0.35-5+nmu1 upload so they
> follow the same naming convention as the other patches in the package
> and include the origin patch header.  (As you point out, after all,
> we'll be supporting this package for a long time to come.)  Also, I'd
> like to quilt refresh the patches in the package, as they're getting a
> bit fuzzy.  So, no substantive or real packaging changes, but the
> interdiff will be a bit larger.  Is that okay, or should I upload with
> only the new patches for the CVEs applied?

Release managers are busy enough already, so please keep it as minimal
as possible.
 
> Regarding tomcat6 and tomcat7, although they are certainly related, they
> implement different versions of the servlet and JSP specifications [1],
> and there are still a number of organizations running applications
> developed for/tested on tomcat6 in production.  There is a migration
> guide for going from 6.x to 7.x that must be taken into consideration [2].
>
> But specifically for Debian, there are still a number of packages in
> wheezy that depend explicitly on tomcat6 and/or libservlet2.5-java.
> According to popcon, tomcat6 is about 5x more popular than tomcat7, and
> libservlet2.5 is quite popular indeed [3,4].

Ok, but tomcat6 should be removed for jessie, then.

Cheers,
Moritz



Bug#695250: tomcat6: CVE-2012-4534 CVE-2012-4431 CVE-2012-3546

2012-12-05 Thread Moritz Muehlenhoff
Package: tomcat6
Severity: grave
Tags: security
Justification: user security hole

More Tomcat security issues have been disclosed:
http://tomcat.apache.org/security-6.html

The page contains links to the upstream fixes.

BTW, is there a specific reason why both tomcat6 and tomcat7 are present in 
Wheezy?
This will duplicate all efforts for security updates in Wheezy.

Cheers,
Moritz



Bug#695251: tomcat7: CVE-2012-4431 CVE-2012-4534 CVE-2012-3546

2012-12-05 Thread Moritz Muehlenhoff
Package: tomcat7
Severity: grave
Tags: security
Justification: user security hole

New security issues in Tomcat have been disclosed:
http://tomcat.apache.org/security-7.html

The page contains links to upstream fixes.

Cheers,
Moritz



Bug#694694: jruby: CVE-2012-5370

2012-11-29 Thread Moritz Muehlenhoff
Package: jruby
Severity: grave
Tags: security
Justification: user security hole

Hi,
please see the Red Hat bug for details:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-5370

Cheers,
Moritz



Bug#692650: axis: CVE-2012-5784

2012-11-07 Thread Moritz Muehlenhoff
Package: axis
Severity: grave
Tags: security
Justification: user security hole

CVE-2012-5784 has been assigned to Axis being affected by the issues
described in this paper: http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
(See Section 8.1)

Cheers,
Moritz



Bug#692439: tomcat6: CVE-2012-2733 CVE-2012-3439

2012-11-06 Thread Moritz Muehlenhoff
Package: tomcat6
Severity: grave
Tags: security
Justification: user security hole

Please see http://tomcat.apache.org/security-6.html

Since Wheezy is frozen, please apply isolated security fixes and do not update
to a new upstream release.

BTW, is it really necessary to have both tomcat6 and tomcat7 in Wheezy? 
Shouldn't
tomcat6 be dropped in favour of tomcat7?

Cheers,
Moritz



Bug#692440: tomcat7: CVE-2012-2733 CVE-2012-3439

2012-11-06 Thread Moritz Muehlenhoff
Package: tomcat7
Severity: grave
Tags: security
Justification: user security hole

Please see http://tomcat.apache.org/security-7.html

Since Wheezy is frozen, please apply isolated security fixes instead
of updating to a new upstream release.

Cheers,
Moritz



Bug#692442: CVE-2012-5783: Insecure certificate validation

2012-11-06 Thread Moritz Muehlenhoff
Package: commons-httpclient
Severity: important
Tags: security

Please see Section 7.5 of this paper:
http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf

This has been assigned CVE-2012-5783. I'm not sure if we can backport more
correct certificate validation to 3.x, but independent of that it might
make sense to introduce the 4.x codebase to the archive?

Cheers,
Moritz



Bug#688298: jenkins: Multiple security issues

2012-09-21 Thread Moritz Muehlenhoff
Package: jenkins
Severity: grave
Tags: security
Justification: user security hole

Please see 
http://www.cloudbees.com/jenkins-advisory/jenkins-security-advisory-2012-09-17.cb

CVE IDs have been assigned:
http://seclists.org/oss-sec/2012/q3/521

Remember Debian is frozen, so please upload only minimal fixes and ask for a
freeze exception by filing a bug against release.debian.org

Cheers,
Moritz



Bug#686867: jruby: CVE-2011-4838

2012-09-20 Thread Moritz Muehlenhoff
On Thu, Sep 20, 2012 at 12:10:30PM -0700, tony mancill wrote:
> On 09/20/2012 07:05 AM, Hideki Yamane wrote:
> > It's my mistake that using static version for symlink... sorry for the
> > mess.
> > And a bit confusion for versioning, so prepared fix as below.
> > If it seems to be okay, I'll upload to unstable.
>
> Hello Hideki,
>
> Thank you for the quick response.  The 2nd patch you supplied looks good
> to me.
>
> Also, I determined that I can build the jruby package successfully
> against the nailgun package in wheezy, which I think might be preferable
> anyway since this is a security bug that is being targeted for wheezy
> (right?).  The dependency on nailgun is a build-dep only, meaning that
> it doesn't appear in the jruby Depends, and jruby is an architecture
> any package.
>
> Moritz, for this bug with respect to wheezy, would you prefer that an
> updated package be uploaded to unstable + an unblock request, or would
> this be a case for targeting testing-security?

testing-security doesn't work currently (only testing-proposed-updates works),
so getting this via unstable (urgency=medium) and an unblock request is the
way to go forward.

Cheers,
Moritz



Bug#686867: jruby: CVE-2011-4838

2012-09-06 Thread Moritz Muehlenhoff
Package: jruby
Severity: grave
Tags: security
Justification: user security hole

Hi,
jruby in Wheezy is still affected by
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4838
http://www.nruns.com/_downloads/advisory28122011.pdf



Since Wheezy already has 1.6.5, updating to 1.6.5.1 seems like a good idea?

Cheers,
Moritz



Bug#677194: CVE-2012-2672

2012-06-12 Thread Moritz Muehlenhoff
Package: mojarra
Severity: grave
Tags: security

Please see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-2672

I'm not sure if Debian is affected, please verify.

Cheers,
Moritz





Bug#674448: CVE-2012-2098

2012-05-24 Thread Moritz Muehlenhoff
Package: libcommons-compress-java
Version: 1.2-1
Severity: grave
Tags: security

Please see https://commons.apache.org/compress/security.html

Fixed in 1.4.1. This doesn't warrant a DSA, but you could fix
it through a point update for Squeeze 6.0.6.

Cheers,
Moritz





Bug#670901: Spring: Multiple security issues

2012-04-30 Thread Moritz Muehlenhoff
Package: libspring-security-2.0-java
Severity: grave
Tags: security

Please see 
http://www.securityfocus.com/archive/1/519593/30/0/threaded
http://www.springsource.com/security/cve-2011-2731
http://www.springsource.com/security/cve-2011-2732
http://www.springsource.com/security/cve-2011-2894

CVE-2011-2894 seems to affect libspring-java? If so, please clone or 
reassign as needed.

CVE-2011-2730 seems to affect libspring-2.5-java? If so, please clone or 
reassign as needed.

Cheers,
Moritz





Bug#667601: Recompiling commons-beanutils in sid makes libcommons-digester-java FTBFS

2012-04-05 Thread Moritz Muehlenhoff
Package: commons-beanutils
Version: 1.8.3-2
Severity: serious
Tags: patch

Similar story to 667000, 667011 and 667016 (caused by new Maven helper):

Recompiling commons-beanutils in sid makes libcommons-digester-java FTBFS.

Patch attached.

Cheers,
Moritz
UCS Bug #26186

diff -aur commons-beanutils-1.8.3.orig/debian/libcommons-beanutils-java.poms 
commons-beanutils-1.8.3/debian/libcommons-beanutils-java.poms
--- commons-beanutils-1.8.3.orig/debian/libcommons-beanutils-java.poms  
2011-09-22 23:34:25.0 +0200
+++ commons-beanutils-1.8.3/debian/libcommons-beanutils-java.poms   
2012-03-20 22:03:56.0 +0100
@@ -23,4 +23,5 @@
 #   --ignore-pom: don't install the POM with mh_install or mh_installpoms. To 
use with POM files that are created
 # temporarily for certain artifacts such as Javadoc jars.
 #
-pom.xml --no-parent --has-package-version
+pom.xml --no-parent --has-package-version --java-lib
+
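Review bot: The last added line of the hunk is an empty `+` line, so the patch appends a blank line to libcommons-beanutils-java.poms on top of the actual fix; drop it so the change is only the `--java-lib` addition on the `pom.xml` line. The hunk itself gives no reason for the new option, and the header comment kept as context only shows the description of `--ignore-pom`, so a debian/changelog entry stating why `--java-lib` is needed would make the change reviewable on its own. The "Nur in" line after the hunk also shows an editor backup file, libcommons-beanutils-java.poms~, left in debian/; remove it before regenerating the diff.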
Nur in commons-beanutils-1.8.3/debian: libcommons-beanutils-java.poms~.

Bug#657870: Multiple issues in Struts

2012-04-05 Thread Moritz Muehlenhoff
There was another report for a Struts security issue:

CVE-2012-1592:
http://seclists.org/bugtraq/2012/Mar/110

Can you please contact upstream, whether this needs to be fixed in
our Struts 1.2?

Cheers,
Moritz





Bug#667000: Rebuilding objenesis from source makes mockito FTBFS

2012-04-03 Thread Moritz Muehlenhoff
Package: objenesis
Version: 1.2+full-1
Severity: serious

I'm filing this against objenesis, since this appears to be where the error
is coming from. mockito builds fine if I use the pre-built deb from the
archive. However, when recompiling objenesis in sid and installing the
resulting binaries, mockito no longer builds correctly:

jh_build mockito-core-1.9.0.jar org/
find org/ -name *.java -and -type f -print0 | xargs -0 
/usr/lib/jvm/default-java/bin/javac -cp 
/usr/share/java/objenesis.jar:/usr/share/java/cglib.jar:/usr/share/java/hamcrest-core.jar:/usr/share/java/asm3.jar:/usr/share/java/junit4.jar:debian/_jh_build.mockito-core-1.9.0
 -d debian/_jh_build.mockito-core-1.9.0 -source 1.5
ClonesArguments.java:11: package org.objenesis does not exist
import org.objenesis.ObjenesisHelper;
^
ThrowsExceptionClass.java:11: package org.objenesis does not exist
import org.objenesis.ObjenesisHelper;
^
ClassImposterizer.java:14: package org.objenesis does not exist
import org.objenesis.ObjenesisStd;
^
ClassImposterizer.java:28: cannot find symbol
symbol  : class ObjenesisStd
location: class org.mockito.internal.creation.jmock.ClassImposterizer
private ObjenesisStd objenesis = new ObjenesisStd();
^
ClonesArguments.java:20: cannot find symbol
symbol  : variable ObjenesisHelper
location: class org.mockito.internal.stubbing.answers.ClonesArguments
Object newInstance = ObjenesisHelper.newInstance(from.getClass());
 ^
ThrowsExceptionClass.java:27: cannot find symbol
symbol  : variable ObjenesisHelper
location: class org.mockito.internal.stubbing.answers.ThrowsExceptionClass
Throwable throwable = (Throwable) 
ObjenesisHelper.newInstance(throwableClass);
  ^
ClassImposterizer.java:28: cannot find symbol
symbol  : class ObjenesisStd
location: class org.mockito.internal.creation.jmock.ClassImposterizer
private ObjenesisStd objenesis = new ObjenesisStd();
 ^
Note: Some input files use or override a deprecated API.
Note: Recompile with -Xlint:deprecation for details.
Note: Some input files use unchecked or unsafe operations.
Note: Recompile with -Xlint:unchecked for details.
7 errors
make[1]: *** [override_jh_build] Error 123
make[1]: Leaving directory `/home/jmm/mockito-1.9.0+ds1'
make: *** [build] Error 2
dpkg-buildpackage: error: debian/rules build gave error exit status 2

Diffing the file lists between the version in the archive and the
rebuilt version shows that these files are missing after the rebuild:

/usr/share/java/objenesis-1.2.jar
/usr/share/java/objenesis.jar

Cheers,
Moritz





Bug#667016: Rebuilding jtidy in sid makes lucene FTBFS

2012-04-03 Thread Moritz Muehlenhoff
Package: jtidy
Version: 7+svn20110807-3
Severity: serious

This is a similar bug to 667000 and 667011:
Rebuilding jtidy in sid makes lucene2 fail to build from source:

[..]

common.compile-core:
[mkdir] Created dir: 
/var/build/temp/tmp.DuYQiVFkxa/3.2-0-0/lucene2/lucene2-2.9.4+ds1/build/contrib/ant/classes/java
[javac] 
/var/build/temp/tmp.DuYQiVFkxa/3.2-0-0/lucene2/lucene2-2.9.4+ds1/common-build.xml:567:
 warning: 'includeantruntime' was not set, defaulting to 
build.sysclasspath=last; set to false for repeatable builds
[javac] Compiling 7 source files to 
/var/build/temp/tmp.DuYQiVFkxa/3.2-0-0/lucene2/lucene2-2.9.4+ds1/build/contrib/ant/classes/java
[javac] HtmlDocument.java:25: package org.w3c.tidy does not exist
[javac] import org.w3c.tidy.Tidy;
[javac]^
[javac] HtmlDocument.java:60: cannot find symbol
[javac] symbol  : class Tidy
[javac] location: class org.apache.lucene.ant.HtmlDocument
[javac] Tidy tidy = new Tidy();
[javac] ^
[javac] HtmlDocument.java:60: cannot find symbol
[javac] symbol  : class Tidy
[javac] location: class org.apache.lucene.ant.HtmlDocument
[javac] Tidy tidy = new Tidy();
[javac] ^
[javac] HtmlDocument.java:82: cannot find symbol
[javac] symbol  : class Tidy
[javac] location: class org.apache.lucene.ant.HtmlDocument
[javac] Tidy tidy = new Tidy();
[javac] ^
[javac] HtmlDocument.java:82: cannot find symbol
[javac] symbol  : class Tidy
[javac] location: class org.apache.lucene.ant.HtmlDocument
[javac] Tidy tidy = new Tidy();
[javac] ^
[javac] HtmlDocument.java:99: cannot find symbol
[javac] symbol  : class Tidy
[javac] location: class org.apache.lucene.ant.HtmlDocument
[javac] Tidy tidy = new Tidy();
[javac] ^

[..]

Cheers,
Moritz





Bug#663548: stapler: FTBFS: IO error: opening debian/libstapler-java/debian/libstapler-java//usr/share/java/stapler.jar for read : No such file or directory

2012-03-12 Thread Moritz Muehlenhoff
Package: stapler
Version: 1.174-1
Severity: serious

Your package fails to build from source:

dh_bugfiles -plibstapler-java 
dh_install -plibstapler-java  
dh_link -plibstapler-java  
dh_buildinfo -plibstapler-java 
dh_installmime -plibstapler-java 
dh_installgsettings -plibstapler-java 
jh_installlibs -plibstapler-java 
jh_classpath -plibstapler-java 
IO error: opening 
debian/libstapler-java/debian/libstapler-java//usr/share/java/stapler.jar for 
read : No such file or directory 
 at /usr/share/perl5/Archive/Zip/Archive.pm line 546
Archive::Zip::Archive::read('Archive::Zip::Archive=HASH(0xad8fd0)', 
'debian/libstapler-java/debian/libstapler-java//usr/share/java...') called at 
/usr/bin/jh_manifest line 295

main::update_jar('debian/libstapler-java/debian/libstapler-java//usr/share/java...',
 undef) called at /usr/bin/jh_manifest line 142
jh_manifest: Could not read 
debian/libstapler-java/debian/libstapler-java//usr/share/java/stapler.jar: No 
such file or directory
make: *** [binary-post-install/libstapler-java] Error 1
dpkg-buildpackage: error: fakeroot debian/rules binary gave error exit status 2





Bug#663569: libspring-webflow-2.0-java: FTBFS: libspring-webflow-2.0-java-2.0.9.RELEASE/debian/build.xml:46: Compile failed; see the compiler error output for details.

2012-03-12 Thread Moritz Muehlenhoff
Package: libspring-webflow-2.0-java
Version: 2.0.9.RELEASE-3
Severity: serious

Your package fails to build from source:

jar-spring-js:
  [jar] Building jar: 
/home/jmm/libspring-webflow-2.0-java-2.0.9.RELEASE/dist/spring-js-2.0.9.RELEASE.jar

compile-spring-webflow:
[javac] Compiling 311 source files to 
/home/jmm/libspring-webflow-2.0-java-2.0.9.RELEASE/build
[javac] WebFlowUpgrader.java:34: warning: 
com.sun.org.apache.xml.internal.serializer.OutputPropertiesFactory is internal 
proprietary API and may be removed in a future release
[javac] import 
com.sun.org.apache.xml.internal.serializer.OutputPropertiesFactory;
[javac]  ^
[javac] ConversationScope.java:25: 
org.springframework.webflow.scope.ConversationScope is not abstract and does 
not override abstract method resolveContextualObject(java.lang.String) in 
org.springframework.beans.factory.config.Scope
[javac] public class ConversationScope extends AbstractWebFlowScope {
[javac]^
[javac] FlashScope.java:25: org.springframework.webflow.scope.FlashScope is 
not abstract and does not override abstract method 
resolveContextualObject(java.lang.String) in 
org.springframework.beans.factory.config.Scope
[javac] public class FlashScope extends AbstractWebFlowScope {
[javac]^
[javac] FlowScope.java:25: org.springframework.webflow.scope.FlowScope is 
not abstract and does not override abstract method 
resolveContextualObject(java.lang.String) in 
org.springframework.beans.factory.config.Scope
[javac] public class FlowScope extends AbstractWebFlowScope {
[javac]^
[javac] RequestScope.java:25: 
org.springframework.webflow.scope.RequestScope is not abstract and does not 
override abstract method resolveContextualObject(java.lang.String) in 
org.springframework.beans.factory.config.Scope
[javac] public class RequestScope extends AbstractWebFlowScope {
[javac]^
[javac] ViewScope.java:25: org.springframework.webflow.scope.ViewScope is 
not abstract and does not override abstract method 
resolveContextualObject(java.lang.String) in 
org.springframework.beans.factory.config.Scope
[javac] public class ViewScope extends AbstractWebFlowScope {
[javac]^
[javac] WebFlowUpgrader.java:87: warning: 
com.sun.org.apache.xml.internal.serializer.OutputPropertiesFactory is internal 
proprietary API and may be removed in a future release
[javac] 
transformer.setOutputProperty(OutputPropertiesFactory.S_KEY_INDENT_AMOUNT, 4);
[javac]   ^
[javac] Note: Some input files use or override a deprecated API.
[javac] Note: Recompile with -Xlint:deprecation for details.
[javac] 5 errors
[javac] 2 warnings

BUILD FAILED
/home/jmm/libspring-webflow-2.0-java-2.0.9.RELEASE/debian/build.xml:46: Compile 
failed; see the compiler error output for details.

Total time: 16 seconds
make[1]: *** [override_dh_auto_install] Error 1
make[1]: Leaving directory `/home/jmm/libspring-webflow-2.0-java-2.0.9.RELEASE'
make: *** [binary] Error 2
dpkg-buildpackage: error: fakeroot debian/rules binary gave error exit status 2



__
This is the maintainer address of Debian's Java team
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers. 
Please use
debian-j...@lists.debian.org for discussions and questions.


Bug#663106: libcommons-discovery-java: FTBFS: No jar in libcommons-discovery-java matching usr/share/java/commons-discovery.jar.

2012-03-08 Thread Moritz Muehlenhoff
Package: libcommons-discovery-java
Version: 0.5-2
Severity: serious

Your package fails to build from source:

[INFO] BUILD SUCCESSFUL
[INFO] 
[INFO] Total time: 2 seconds
[INFO] Finished at: Wed Mar 07 12:08:03 CET 2012
[INFO] Final Memory: 4M/10M
[INFO] 
cp debian/libcommons-discovery-java.substvars 
debian/libcommons-discovery-java-doc.substvars
# cleanup generated docs
rm -f -f target/apidocs/*.sh target/apidocs/options 
Adding cdbs dependencies to debian/libcommons-discovery-java.substvars
dh_installdirs -plibcommons-discovery-java 
jh_installjavadoc -plibcommons-discovery-java 
Adding cdbs dependencies to debian/libcommons-discovery-java-doc.substvars
dh_installdirs -plibcommons-discovery-java-doc 
jh_installjavadoc -plibcommons-discovery-java-doc 
dh_installdocs -plibcommons-discovery-java ./TODO 
dh_installexamples -plibcommons-discovery-java 
dh_installman -plibcommons-discovery-java  
dh_installinfo -plibcommons-discovery-java  
dh_installmenu -plibcommons-discovery-java 
dh_installcron -plibcommons-discovery-java 
dh_installinit -plibcommons-discovery-java  
dh_installdebconf -plibcommons-discovery-java 
dh_installemacsen -plibcommons-discovery-java   
dh_installcatalogs -plibcommons-discovery-java 
dh_installpam -plibcommons-discovery-java 
dh_installlogrotate -plibcommons-discovery-java 
dh_installlogcheck -plibcommons-discovery-java 
dh_installchangelogs -plibcommons-discovery-java  
dh_installudev -plibcommons-discovery-java 
dh_lintian -plibcommons-discovery-java 
dh_bugfiles -plibcommons-discovery-java 
dh_install -plibcommons-discovery-java  
dh_link -plibcommons-discovery-java  
dh_buildinfo -plibcommons-discovery-java 
dh_installmime -plibcommons-discovery-java 
dh_installgsettings -plibcommons-discovery-java 
jh_installlibs -plibcommons-discovery-java 
jh_classpath -plibcommons-discovery-java 
jh_manifest -plibcommons-discovery-java 
jh_manifest: No jar in libcommons-discovery-java matching 
usr/share/java/commons-discovery.jar.
make: *** [binary-post-install/libcommons-discovery-java] Error 1
dpkg-buildpackage: error: fakeroot debian/rules binary gave error exit status 2





Bug#662807: junit4: FTBFS

2012-03-06 Thread Moritz Muehlenhoff
Package: junit4
Version: 4.8.2-2
Severity: serious

Your package fails to build from source:

compile:
[mkdir] Created dir: /home/jmm/junit4-4.8.2/build/generated-sources
[javac] /usr/share/maven-ant-helper/maven-build.xml:337: warning: 
'includeantruntime' was not set, defaulting to build.sysclasspath=last; set to 
false for repeatable builds
[javac] Compiling 154 source files to /home/jmm/junit4-4.8.2/build/classes
[javac] CombinableMatcher.java:27: invalid inferred types for T; actual 
arguments do not conforms to inferred formal arguments
[javac] required: org.hamcrest.Matcher? super java.lang.Object[]
[javac] found: org.hamcrest.Matchercapture#428 of ? extends 
T,org.hamcrest.Matchercapture#896 of ? extends T
[javac] return new CombinableMatcherT(allOf(matcher, 
fMatcher));
[javac]  ^
[javac] CombinableMatcher.java:32: invalid inferred types for T; actual 
arguments do not conforms to inferred formal arguments
[javac] required: org.hamcrest.Matcher? super java.lang.Object[]
[javac] found: org.hamcrest.Matchercapture#304 of ? extends 
T,org.hamcrest.Matchercapture#323 of ? extends T
[javac] return new CombinableMatcherT(anyOf(matcher, 
fMatcher));
[javac]  ^
[javac] IsCollectionContaining.java:44: incompatible types
[javac] found   : org.hamcrest.Matcherjava.lang.Iterablejava.lang.Object
[javac] required: org.hamcrest.Matcherjava.lang.IterableT
[javac] return hasItem(equalTo(element));
[javac]   ^
[javac] IsCollectionContaining.java:54: cannot find symbol
[javac] symbol  : method allOf(java.util.Collectionorg.hamcrest.Matcher? 
extends java.lang.IterableT)
[javac] location: class 
org.junit.internal.matchers.IsCollectionContainingT
[javac] return allOf(all);
[javac]^
[javac] IsCollectionContaining.java:64: cannot find symbol
[javac] symbol  : method allOf(java.util.Collectionorg.hamcrest.Matcher? 
extends java.lang.IterableT)
[javac] location: class 
org.junit.internal.matchers.IsCollectionContainingT
[javac] return allOf(all);
[javac]^
[javac] Note: Some input files use or override a deprecated API.
[javac] Note: Recompile with -Xlint:deprecation for details.
[javac] 5 errors

BUILD FAILED
/usr/share/maven-ant-helper/maven-build.xml:337: Compile failed; see the 
compiler error output for details.

Total time: 7 seconds
make: *** [debian/stamp-ant-build] Error 1
dpkg-buildpackage: error: debian/rules build gave error exit status 2





Bug#662811: jmock2: FTBFS

2012-03-06 Thread Moritz Muehlenhoff
Package: jmock2
Version: 2.5.1+dfsg-1
Severity: serious

Your package fails to build from source:

compile:
[mkdir] Created dir: /home/jmm/jmock2-2.5.1+dfsg/build/classes
[javac] /home/jmm/jmock2-2.5.1+dfsg/build.xml:61: warning: 
'includeantruntime' was not set, defaulting to build.sysclasspath=last; set to 
false for repeatable builds
[javac] Compiling 175 source files to 
/home/jmm/jmock2-2.5.1+dfsg/build/classes
[javac] Money.java:30: warning: unmappable character for encoding ASCII
[javac] return ?? + amount;
[javac] ^
[javac] Money.java:30: warning: unmappable character for encoding ASCII
[javac] return ?? + amount;
[javac]  ^
[javac] HamcrestTypeSafetyAcceptanceTests.java:3: cannot find symbol
[javac] symbol  : class OrderingComparisons
[javac] location: package org.hamcrest.number
[javac] import static org.hamcrest.number.OrderingComparisons.greaterThan;
[javac]  ^
[javac] HamcrestTypeSafetyAcceptanceTests.java:3: static import only from 
classes and interfaces
[javac] import static org.hamcrest.number.OrderingComparisons.greaterThan;
[javac] ^
[javac] HamcrestTypeSafetyAcceptanceTests.java:4: cannot find symbol
[javac] symbol  : class StringStartsWith
[javac] location: package org.hamcrest.text
[javac] import static org.hamcrest.text.StringStartsWith.startsWith;
[javac]^
[javac] HamcrestTypeSafetyAcceptanceTests.java:4: static import only from 
classes and interfaces
[javac] import static org.hamcrest.text.StringStartsWith.startsWith;
[javac] ^
[javac] Expectations.java:187: incompatible types
[javac] found   : capture#417 of ? super java.lang.Boolean
[javac] required: boolean
[javac] return with(equalTo(value));
[javac]^
[javac] Expectations.java:191: incompatible types
[javac] found   : capture#174 of ? super java.lang.Byte
[javac] required: byte
[javac] return with(equalTo(value));
[javac]^
[javac] Expectations.java:195: incompatible types
[javac] found   : capture#436 of ? super java.lang.Short
[javac] required: short
[javac] return with(equalTo(value));
[javac]^
[javac] Expectations.java:199: incompatible types
[javac] found   : capture#151 of ? super java.lang.Character
[javac] required: char
[javac] return with(equalTo(value));
[javac]^
[javac] Expectations.java:203: incompatible types
[javac] found   : capture#17 of ? super java.lang.Integer
[javac] required: int
[javac] return with(equalTo(value));
[javac]^
[javac] Expectations.java:207: incompatible types
[javac] found   : capture#395 of ? super java.lang.Long
[javac] required: long
[javac] return with(equalTo(value));
[javac]^
[javac] Expectations.java:211: incompatible types
[javac] found   : capture#740 of ? super java.lang.Float
[javac] required: float
[javac] return with(equalTo(value));
[javac]^
[javac] Expectations.java:215: incompatible types
[javac] found   : capture#78 of ? super java.lang.Double
[javac] required: double
[javac] return with(equalTo(value));
[javac]^
[javac] Expectations.java:219: incompatible types
[javac] found   : capture#875 of ? super T
[javac] required: T
[javac] return with(equalTo(value));
[javac]^
[javac] HamcrestTypeSafetyAcceptanceTests.java:26: cannot find symbol
[javac] symbol: method startsWith(java.lang.String)
[javac] exactly(1).of 
(anything()).method(withName(m)).with(startsWith(x));
[javac]   ^
[javac] HamcrestTypeSafetyAcceptanceTests.java:27: cannot find symbol
[javac] symbol: method greaterThan(int)
[javac] exactly(1).of 
(anything()).method(withName(m)).with(greaterThan(0));
[javac]   ^
[javac] InvocationExpectationTests.java:75: 
setParametersMatcher(org.hamcrest.Matcherjava.lang.Object[]) in 
org.jmock.internal.InvocationExpectation cannot be applied to 
(org.hamcrest.Matchercapture#843 of ? super java.lang.Object[])
[javac] expectation.setParametersMatcher(equalTo(args));
[javac]^
[javac] Note: JMock.java uses or overrides a deprecated API.
[javac] Note: Recompile with -Xlint:deprecation for details.
[javac] 17 errors
[javac] 2 warnings

BUILD FAILED
/home/jmm/jmock2-2.5.1+dfsg/build.xml:61: Compile failed; see the compiler 
error output for details.

Total time: 7 seconds
make: *** [debian/stamp-ant-build] 

Bug#661691: FTBFS

2012-02-29 Thread Moritz Muehlenhoff
Package: jenkins-crypto-util
Version: 1.1-1
Severity: serious

Your package fails to build from source:

[INFO] Compiling 2 source files to 
/home/jmm/jenkins-crypto-util-1.1/target/classes
[INFO] [resources:testResources {execution: default-testResources}]
[WARNING] Using platform encoding (ANSI_X3.4-1968 actually) to copy filtered 
resources, i.e. build is platform dependent!
[INFO] Copying 3 resources
[INFO] [compiler:testCompile {execution: default-testCompile}]
[INFO] Compiling 1 source file to 
/home/jmm/jenkins-crypto-util-1.1/target/test-classes
[INFO] [surefire:test {execution: default-test}]
[INFO] Surefire report directory: 
/home/jmm/jenkins-crypto-util-1.1/target/surefire-reports

---
 T E S T S
---
Running org.jvnet.hudson.crypto.PKIXTest
Tests run: 1, Failures: 0, Errors: 1, Skipped: 0, Time elapsed: 0.766 sec  
FAILURE!

Results :

Tests in error: 
  testPathValidation(org.jvnet.hudson.crypto.PKIXTest): timestamp check failed

Tests run: 1, Failures: 0, Errors: 1, Skipped: 0

[INFO] 
[ERROR] BUILD FAILURE
[INFO] 
[INFO] There are test failures.

Please refer to /home/jmm/jenkins-crypto-util-1.1/target/surefire-reports for 
the individual test results.
[INFO] 
[INFO] For more information, run Maven with the -e switch
[INFO] 
[INFO] Total time: 8 seconds
[INFO] Finished at: Wed Feb 29 12:04:35 CET 2012
[INFO] Final Memory: 12M/30M
[INFO] 
make: *** [mvn-build] Error 1
dpkg-buildpackage: error: debian/rules build gave error exit status 2




