Your message dated Wed, 12 Mar 2014 13:33:33 +0000
with message-id <e1wnjhp-0003d9...@franck.debian.org>
and subject line Bug#734821: fixed in libxstream-java 1.4.7-1
has caused the Debian Bug report #734821,
regarding libxstream-java: CVE-2013-7285: remote code execution via
deserialization in XStream
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
734821: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=734821
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libxstream-java
Severity: grave
Tags: security upstream
Hi,
the following vulnerability was published for libxstream-java.
CVE-2013-7285[0]:
remote code execution via deserialization in XStream
See also [1] for the original report. [3] contains an initial patch
which was committed.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7285
http://security-tracker.debian.org/tracker/CVE-2013-7285
[1] http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html
[2] http://markmail.org/message/kfqoqdfj5fnup5co?q=list:org.codehaus.xstream.dev&page=3
[3] https://fisheye.codehaus.org/changelog/xstream?cs=2210
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: libxstream-java
Source-Version: 1.4.7-1
We believe that the bug you reported is fixed in the latest version of
libxstream-java, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 734...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Emmanuel Bourg <ebo...@apache.org> (supplier of updated libxstream-java package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Wed, 12 Mar 2014 14:06:33 +0100
Source: libxstream-java
Binary: libxstream-java
Architecture: source all
Version: 1.4.7-1
Distribution: unstable
Urgency: low
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebo...@apache.org>
Description:
libxstream-java - Java library to serialize objects to XML and back again
Closes: 734821
Changes:
 libxstream-java (1.4.7-1) unstable; urgency=low
 .
   * New upstream release
     - Fixes CVE-2013-7285 (Closes: #734821)
     - Added a dependency on libjdom2-java
   * Standards-Version updated to 3.9.5 (no changes)
   * Use XZ compression for the upstream tarball
   * Build depend on debhelper >= 9
   * debian/copyright: Updated to the Copyright Format 1.0
--- End Message ---