Your message dated Sun, 11 Jun 2023 23:28:05 +0000
with message-id <e1q8utd-00da0e...@fasolo.debian.org>
and subject line Bug#1033846: fixed in libjettison-java 1.5.4-1
has caused the Debian Bug report #1033846,
regarding libjettison-java: CVE-2023-1436
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1033846: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033846
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libjettison-java
Version: 1.5.3-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/jettison-json/jettison/issues/60
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 1.5.3-1~deb11u1

Hi,

The following vulnerability was published for libjettison-java.

CVE-2023-1436[0]:
| An infinite recursion is triggered in Jettison when constructing a
| JSONArray from a Collection that contains a self-reference in one of
| its elements. This leads to a StackOverflowError exception being
| thrown.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-1436
    https://www.cve.org/CVERecord?id=CVE-2023-1436
[1] https://github.com/jettison-json/jettison/issues/60

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
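A caller-side guard for the condition the CVE text describes, as an added example that is not part of the original report and not Jettison's own fix: it rejects a Collection or Map that contains itself, directly or through nesting, before the collection is passed to a JSON constructor. The class name, method names and the depth limit of 64 are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.IdentityHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

// Hypothetical helper (not part of Jettison): pre-checks untrusted object graphs.
public class CollectionCycleGuard {
    static final int MAX_DEPTH = 64; // assumed nesting limit, tune per application

    /** True when the graph has no self-reference and stays within MAX_DEPTH. */
    public static boolean isSafeToSerialize(Object root) {
        // Identity-based set: calling hashCode()/equals() on a self-referencing
        // list would itself recurse without bound, so compare by reference only.
        Set<Object> onPath = Collections.newSetFromMap(new IdentityHashMap<>());
        return walk(root, onPath, 0);
    }

    private static boolean walk(Object node, Set<Object> onPath, int depth) {
        Iterable<?> children;
        if (node instanceof Collection) {
            children = (Collection<?>) node;
        } else if (node instanceof Map) {
            children = ((Map<?, ?>) node).values();
        } else {
            return true; // scalar leaf, nothing to descend into
        }
        if (depth >= MAX_DEPTH || !onPath.add(node)) {
            return false; // too deep, or node is already an ancestor: a cycle
        }
        for (Object child : children) {
            if (!walk(child, onPath, depth + 1)) return false;
        }
        onPath.remove(node); // shared but acyclic references remain allowed
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one plain nested list, one self-referencing list.
        List<Object> nested = new ArrayList<>(Arrays.asList("a", Arrays.asList(1, 2)));
        List<Object> selfRef = new ArrayList<>();
        selfRef.add("a");
        selfRef.add(selfRef);
        System.out.println("nested:  " + isSafeToSerialize(nested));
        System.out.println("selfRef: " + isSafeToSerialize(selfRef));
    }
}
```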
--- Begin Message ---
Source: libjettison-java
Source-Version: 1.5.4-1
Done: tony mancill <tmanc...@debian.org>

We believe that the bug you reported is fixed in the latest version of
libjettison-java, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1033...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
tony mancill <tmanc...@debian.org> (supplier of updated libjettison-java package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 11 Jun 2023 15:38:24 -0700
Source: libjettison-java
Architecture: source
Version: 1.5.4-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: tony mancill <tmanc...@debian.org>
Closes: 1033846
Changes:
 libjettison-java (1.5.4-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream version 1.5.4 (Closes: #1033846)
     - Fix CVE-2023-1436 - Infinite recursion in Jettison leads
       to denial of service when creating a crafted JSONArray

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
__
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use debian-j...@lists.debian.org for discussions and questions.