Hi,

On 16.01.20 at 21:27, Salvatore Bonaccorso wrote:
> Source: libxmlrpc3-java
> Version: 3.1.3-9
> Severity: grave
> Tags: security upstream
> Justification: user security hole
>
> Hi,
>
> The following vulnerability was published for libxmlrpc3-java.
>
> CVE-2019-17570[0]:
> | Deserialization of server-side exception from faultCause in XMLRPC
> | error response
>
> That said, should libxmlrpc3-java rather be removed from unstable, and
> not included in bullseye?

[...]

It looks like starjava-topcat is the only package that build-depends on libxmlrpc3-java at the moment (need to check that again).

I think the issue itself can be fixed by the proposed Red Hat patch, making the use of some parts of the vulnerable method conditional on a set property. Since Apache xml-rpc is EOL, it makes sense to remove it from Debian though. I will file a bug report for starjava-topcat and then let's see how it goes.

Regards,

Markus