Your message dated Wed, 19 Nov 2014 13:33:45 +0000
with message-id <e1xr5od-0003qb...@franck.debian.org>
and subject line Bug#762690: fixed in libhibernate-validator-java 4.2.1-1
has caused the Debian Bug report #762690,
regarding libhibernate-validator-java: affected by CVE-2014-3558
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
762690: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=762690
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libhibernate-validator-java
Severity: serious
Tags: security

Hi,
the following vulnerability was published for libhibernate-validator-java.

CVE-2014-3558[0]:
It was discovered that the implementation of
org.hibernate.validator.util.ReflectionHelper together with the permissions
required to run Hibernate Validator under the Java Security Manager could allow
a malicious application deployed in the same application container to execute
several actions with escalated privileges, which might otherwise not be
possible. This flaw could be used to perform various attacks, including but not
restricted to, arbitrary code execution in systems that are otherwise secured
by the Java Security Manager.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3558
    https://security-tracker.debian.org/tracker/CVE-2014-3558
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3558

Please adjust the affected versions in the BTS as needed.

The upstream fixes seem very involved and they have been pushed only
on newer versions of the package: 4.2.1, 4.3.2, and 5.1.2 respectively.
See https://hibernate.atlassian.net/browse/HV-912

Please switch to a new upstream version ASAP in unstable and help the
security team and the LTS team to provide patched versions in stable/oldstable.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Discover the Debian Administrator's Handbook:
→ http://debian-handbook.info/get/

--- End Message ---
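To make the class of flaw in the CVE text concrete for readers who do not work with the Java Security Manager daily: the Java sketch below is an added illustration for this thread and is not Hibernate Validator's ReflectionHelper, nor the HV-912 fix referenced above. It assumes a hypothetical scenario in which the container's policy grants the library's code source ReflectPermission "suppressAccessChecks" (it needs to read private bean fields to validate them) while other applications in the same container are granted nothing. The class name ReflectionHelperSketch, the method names and the policy grant are all assumptions made for the example.

```java
import java.lang.reflect.Field;
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.PrivilegedAction;

/*
 * Illustrative sketch only (not Hibernate Validator code, not the HV-912 fix).
 * Assumed scenario: the container policy grants THIS library's code source
 *   permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
 * while the other applications deployed in the container hold no such grant.
 */
public final class ReflectionHelperSketch {

    private ReflectionHelperSketch() {}

    // VULNERABLE PATTERN. doPrivileged() stops the SecurityManager's stack walk
    // at this frame, so only the library's own protection domain is consulted.
    // Any unprivileged code in the container that can reach this public method
    // borrows the library's grant and can read private state of any object it
    // can obtain a reference to: the library's permissions are lent out to
    // every tenant, which is the escalation the CVE text describes.
    public static Object readPrivateFieldUnsafe(final Object target, final String fieldName) {
        return AccessController.doPrivileged(new PrivilegedAction<Object>() {
            @Override
            public Object run() {
                return readField(target, fieldName);
            }
        });
    }

    // HARDENED PATTERN 1: no privileged block. setAccessible(true) is now
    // checked against every frame on the stack, so a caller whose protection
    // domain lacks ReflectPermission("suppressAccessChecks") gets an
    // AccessControlException before any private state is read. The library's
    // own grant no longer helps callers that do not hold the permission too.
    public static Object readPrivateFieldCallerChecked(Object target, String fieldName) {
        return readField(target, fieldName);
    }

    // HARDENED PATTERN 2: for work that is deferred (metadata built later on a
    // worker thread, where the caller's stack is gone) capture the caller's
    // AccessControlContext at the API boundary, on the caller's thread ...
    public static AccessControlContext captureCallerContext() {
        return AccessController.getContext();
    }

    // ... and run the privileged action restricted by that context. The
    // effective permissions are the intersection of the library's domain and
    // the captured context, so the grant can never exceed what the original
    // caller was already allowed to do.
    public static Object readPrivateFieldWithCallerContext(final Object target,
                                                           final String fieldName,
                                                           AccessControlContext callerContext) {
        return AccessController.doPrivileged(new PrivilegedAction<Object>() {
            @Override
            public Object run() {
                return readField(target, fieldName);
            }
        }, callerContext);
    }

    // Shared reflective read. Under a SecurityManager, setAccessible(true) is
    // where checkPermission(new ReflectPermission("suppressAccessChecks")) runs;
    // the three entry points above differ only in whose domains that check sees.
    private static Object readField(Object target, String fieldName) {
        try {
            Field f = target.getClass().getDeclaredField(fieldName);
            f.setAccessible(true);
            return f.get(target);
        } catch (ReflectiveOperationException e) {
            throw new IllegalStateException("reflective read failed", e);
        }
    }
}
```

To observe the difference, run a JVM with `-Djava.security.manager -Djava.security.policy=<file>` and a policy that grants `java.lang.reflect.ReflectPermission "suppressAccessChecks"` only to the code base holding this class: a caller from an ungranted code base succeeds through readPrivateFieldUnsafe but receives java.security.AccessControlException from the two hardened entry points. Without a SecurityManager installed none of the three performs any check at all, which is why the CVE text scopes the issue to systems "otherwise secured by the Java Security Manager"; note also that the Security Manager was deprecated for removal in Java 17 (JEP 411), so this isolation boundary should not be relied on in new deployments regardless of how library code is written.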
--- Begin Message ---
Source: libhibernate-validator-java
Source-Version: 4.2.1-1

We believe that the bug you reported is fixed in the latest version of
libhibernate-validator-java, which is due to be installed in the Debian FTP 
archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 762...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg <ebo...@apache.org> (supplier of updated 
libhibernate-validator-java package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 19 Nov 2014 12:37:40 +0100
Source: libhibernate-validator-java
Binary: libhibernate-validator-java
Architecture: source all
Version: 4.2.1-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebo...@apache.org>
Description:
 libhibernate-validator-java - Hibernate Validator
Closes: 762690
Changes:
 libhibernate-validator-java (4.2.1-1) experimental; urgency=medium
 .
   * Team upload.
   * New upstream release
     - Fixes CVE-2014-3558 (Closes: #762690)
     - Refreshed the patches
     - Added libjaxb-java, libgeronimo-jpa-2.0-spec-java, libjoda-time-java,
       libjavassist-java and libmaven-bundle-plugin-java to the build deps
   * debian/control:
     - Use canonical URLs for the Vcs-* fields
     - Standards-Version updated to 3.9.6 (no changes)
   * debian/watch: Updated to watch the release tags on Github
   * Removed debian/orig-tar.* and use the Github archive as is
   * Switch to debhelper level 9
Checksums-Sha1:
 8dc6b814da3f7f14f7f3f14bef6b93748b5082f1 2478 libhibernate-validator-java_4.2.1-1.dsc
 9fecbbd47b668a308d554fb280e4c92897e6e65e 1678008 libhibernate-validator-java_4.2.1.orig.tar.gz
 36ff71db21964b15b1ca4b2c60694b3ab1d15a13 5092 libhibernate-validator-java_4.2.1-1.debian.tar.xz
 52e091cc4f67dd704cdf7a0d76dc655d817c191c 361664 libhibernate-validator-java_4.2.1-1_all.deb
Checksums-Sha256:
 6bf2bb4e1a50468a03e520ce59be5770fa4ea8ce95cb49ffcd9136a52deaab94 2478 libhibernate-validator-java_4.2.1-1.dsc
 5111a81b4b7a1118459c7f20bc470db6266926b0fc099a0e917c489d6b6bb194 1678008 libhibernate-validator-java_4.2.1.orig.tar.gz
 7645584c45cbe36813227e03170f42604e726debd0765d8e6a9a91c800eab260 5092 libhibernate-validator-java_4.2.1-1.debian.tar.xz
 6b0d1fa32f3b2e7f333251b5cb31ff74fa8421760dc75f3511f6c250977f04d4 361664 libhibernate-validator-java_4.2.1-1_all.deb
Files:
 220fa95ba697851aedd92f1936755b30 2478 java optional libhibernate-validator-java_4.2.1-1.dsc
 b5afea8a03797363566d34098189da8d 1678008 java optional libhibernate-validator-java_4.2.1.orig.tar.gz
 0af54a734414628d5f61d88c0270bfdd 5092 java optional libhibernate-validator-java_4.2.1-1.debian.tar.xz
 85547c9898de69debb90aa9fa8abe459 361664 java optional libhibernate-validator-java_4.2.1-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--- End Message ---