Your message dated Mon, 16 Jan 2023 19:02:36 +0000
with message-id <e1phuke-00gr7m...@fasolo.debian.org>
and subject line Bug#1027754: fixed in libxstream-java 1.4.15-3+deb11u2
has caused the Debian Bug report #1027754,
regarding libxstream-java: CVE-2022-41966
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1027754: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1027754
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libxstream-java
Version: 1.4.19-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for libxstream-java.
CVE-2022-41966[0]:
| XStream serializes Java objects to XML and back again. Versions prior
| to 1.4.20 may allow a remote attacker to terminate the application
| with a stack overflow error, resulting in a denial of service only via
| manipulation of the processed input stream. The attack uses the hash code
| implementation for collections and maps to force recursive hash
| calculation causing a stack overflow. This issue is patched in version
| 1.4.20 which handles the stack overflow and raises an
| InputManipulationException instead. A potential workaround for users
| who only use HashMap or HashSet and whose XML refers these only as
| default map or set, is to change the default implementation of
| java.util.Map and java.util per the code example in the referenced
| advisory. However, this implies that your application does not care
| about the implementation of the map and all elements are comparable.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-41966
https://www.cve.org/CVERecord?id=CVE-2022-41966
[1] https://x-stream.github.io/CVE-2022-41966.html
[2] https://github.com/x-stream/xstream/security/advisories/GHSA-j563-grx4-pjpv
[3] https://github.com/x-stream/xstream/commit/e9151f221b4969fb15b1e946d5d61dcdd459a391
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: libxstream-java
Source-Version: 1.4.15-3+deb11u2
Done: Markus Koschany <a...@debian.org>
We believe that the bug you reported is fixed in the latest version of
libxstream-java, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1027...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Markus Koschany <a...@debian.org> (supplier of updated libxstream-java package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 11 Jan 2023 14:23:28 CET
Source: libxstream-java
Architecture: source
Version: 1.4.15-3+deb11u2
Distribution: bullseye-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Markus Koschany <a...@debian.org>
Checksums-Sha1:
b274f169228ba7487b5b3d8df6c8aa46682989cb 2555 libxstream-java_1.4.15-3+deb11u2.dsc
cc4b296584d741f00c0587fe56689fd7113271da 13324 libxstream-java_1.4.15-3+deb11u2.debian.tar.xz
f3fb64457668b35c91738deb509e24a26a177b18 16945 libxstream-java_1.4.15-3+deb11u2_amd64.buildinfo
Checksums-Sha256:
0ccb15fa8d14ee141119a43a8a9de821c9e2495e258ce820f0b9939863feb624 2555 libxstream-java_1.4.15-3+deb11u2.dsc
b49e81296f977c41d4f0098879c0fd21087de1f0d08c3eb137b1746e18919192 13324 libxstream-java_1.4.15-3+deb11u2.debian.tar.xz
d5d7be1d63bc738c6ba7651403d4cb912aa09ce254b0b9f0a38b60ff57b7468f 16945 libxstream-java_1.4.15-3+deb11u2_amd64.buildinfo
Closes: 1027754
Changes:
libxstream-java (1.4.15-3+deb11u2) bullseye-security; urgency=high
.
* Team upload.
* Fix CVE-2022-41966:
XStream serializes Java objects to XML and back again. Versions prior to
1.4.15-3+deb11u2 may allow a remote attacker to terminate the application
with a stack overflow error, resulting in a denial of service only via
manipulation of the processed input stream. The attack uses the hash code
implementation for collections and maps to force recursive hash calculation
causing a stack overflow. This issue is patched in version 1.4.15-3+deb11u2
which handles the stack overflow and raises an InputManipulationException
instead. A potential workaround for users who only use HashMap or HashSet
and whose XML refers these only as default map or set, is to change the
default implementation of java.util.Map and java.util per the code example
in the referenced advisory. However, this implies that your application
does not care about the implementation of the map and all elements are
comparable. (Closes: #1027754)
Files:
0becd63a0f3fb7e3b288e21fe50b0cab 2555 java optional libxstream-java_1.4.15-3+deb11u2.dsc
308bb0d5b0b81a60003249cc56954dbe 13324 java optional libxstream-java_1.4.15-3+deb11u2.debian.tar.xz
59efd90e3a59d6734b2b517fbde69f26 16945 java optional libxstream-java_1.4.15-3+deb11u2_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQKjBAEBCgCNFiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmO+uFhfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQPHGFwb0BkZWJp
YW4ub3JnAAoJENmtFLlRO1Hk5PoP/0iW0M/L8C4dy/KOb5GjVgIkV1/IS6QvjMxy
Uazjtr7Mhu++izgN31kXOuTgBjPbA7k0hNGmbkrlKlBr3qHp+HR5YNaUMCd3EbrR
L52dhIZ/BJo3V+Mq/x7+epYq9uodFOF1QBzVrL87SHSpaWG4ofyG19SRAQDQNARO
AAN/tOSLb3+up8BmrA+nN+wBudOE+6rYsLAL3tmZ1fWMQR6ZuM0P7mMYzSmQ+VQi
foKYjcdsRHWqopQYQAoVlPfo1v99bsYPFDe5aayRX2U/MCsaCmvM6FHAc5hrKcWW
0xPPw5LOHaZ74o5HeUP+3H5kPTppUvGzg3FDsC5whrf7grRLrAM74QQIqVmHBIIR
AZV0CV16fJiDQtqL9NIwBGMoeRhIo+ywudXJQHfK0SIyjpcIdiME97AbycYEwHv+
yya/2XYer+JVV79PFlKOH0z8KW9W5ELKLb03L9WJYJlViw2nPv0XsmP7o6V7s3xN
yTCICdSwbM49iVc/Iw+cHQJMPFstpa8oWEMS/Wqzxkmsmiy4JegmHdw/HhIKySH2
+EEEMRFn5G9FWyAXuu6ki+WNHTWG1khH+z2uLPK60Um2ebR5brQB/7L51IsPkQik
v/pm2EkVAB9LG/6BGYJIds9De/9maP44YiDknw9K2DiGZg3efWI1lv0zYhzEQCuh
e1NuWciA
=81uD
-----END PGP SIGNATURE-----
--- End Message ---
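The bug report and the changelog entry above both describe the mechanism of CVE-2022-41966 in one sentence: a manipulated input stream makes XStream build a collection whose hash code calculation recurses until the stack overflows. The following is an added illustration using plain JDK collections only; it is not XStream's code and pulls in no XStream dependency. It shows why such a graph can be constructed without error, where the StackOverflowError surfaces, how converting that Error into an input-manipulation failure (the approach the fixed version takes) changes the outcome, and why the advisory's TreeMap/TreeSet workaround only works when every element is Comparable. The InputManipulationException class below is a stand-in defined here, not the one from the XStream library.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;

/**
 * Added example (not XStream's own code): a HashSet/HashMap graph that refers
 * back to itself can be built without error, but every later hashCode() call
 * on it recurses until the JVM throws StackOverflowError.
 */
public class RecursiveHashDemo {

    /** Stand-in for the exception type the fixed XStream raises; assumed name only. */
    static final class InputManipulationException extends RuntimeException {
        InputManipulationException(String message, Throwable cause) {
            super(message, cause);
        }
    }

    /**
     * Builds the cycle set -> map -> (key) set. Each insert succeeds because the
     * hash of the other container is computed while that container is still
     * empty; the cycle only bites once both inserts are done.
     */
    static Set<Object> buildCyclicSet() {
        Set<Object> set = new HashSet<>();
        Map<Object, Object> map = new HashMap<>();
        map.put(set, "value");   // set.hashCode() == 0 here: the set is empty
        set.add(map);            // map.hashCode() -> set.hashCode() == 0, still fine
        return set;              // from now on set.hashCode() recurses without bound
    }

    /**
     * Models the step a deserializer performs when it adds a fully built child
     * to its parent collection. HashSet.add() hashes the child first, so a
     * cyclic child overflows the stack right here. The guard turns the Error
     * into an exception the caller can handle like any other malformed input
     * instead of letting it terminate the thread.
     */
    static boolean guardedAdd(Set<Object> parent, Object child) {
        try {
            return parent.add(child);
        } catch (StackOverflowError e) {
            throw new InputManipulationException(
                "recursive hash code calculation while adding element to collection", e);
        }
    }

    /**
     * The workaround from the advisory, modelled with a TreeSet: elements are
     * ordered, not hashed, so hashCode() is never called. The price is that any
     * element that is not Comparable is rejected with a ClassCastException.
     */
    static boolean addToTreeSet(Object child) {
        Set<Object> parent = new TreeSet<>();
        return parent.add(child);
    }

    public static void main(String[] args) {
        Set<Object> cyclic = buildCyclicSet();

        try {
            guardedAdd(new HashSet<>(), cyclic);
        } catch (InputManipulationException e) {
            System.out.println("rejected as manipulated input: " + e.getMessage());
        }

        try {
            addToTreeSet(cyclic);
        } catch (ClassCastException e) {
            System.out.println("tree-based workaround needs Comparable elements: " + e);
        }
    }
}
```

Run with `javac RecursiveHashDemo.java && java RecursiveHashDemo`. Without the guard in `guardedAdd`, the first call would propagate a StackOverflowError out of `main`, which is the denial of service the CVE describes; with it, the caller sees a normal exception and can drop the input. The second call shows the caveat from the report: a non-Comparable element (here a HashSet) cannot be placed in a tree-based set at all, so the workaround is only safe when the application controls the element types.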
__
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use debian-j...@lists.debian.org for discussions and questions.