Your message dated Tue, 02 May 2017 15:37:33 +0000
with message-id <[email protected]>
and subject line Bug#861521: fixed in libxstream-java 1.4.9-2
has caused the Debian Bug report #861521,
regarding libxstream-java: CVE-2017-7957
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

--
861521: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861521
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libxstream-java
Version: 1.4.7-2
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for libxstream-java.

CVE-2017-7957[0]:
| XStream through 1.4.9, when a certain denyTypes workaround is not used,
| mishandles attempts to create an instance of the primitive type 'void'
| during unmarshalling, leading to a remote application crash, as
| demonstrated by an xstream.fromXML("<void/>") call.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-7957
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7957
[1] https://x-stream.github.io/CVE-2017-7957.html

Regards,
Salvatore
--- End Message ---
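
The denyTypes workaround named in the CVE text above, as an added example that is not part of the bug report or of the Debian package. It assumes the XStream jar (1.4.7 or later, where the security framework exists) and its runtime dependencies are on the classpath; the names VoidDenyExample, hardened and isRejected are hypothetical, and the sample inputs are constructed.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;

public class VoidDenyExample {

    /** Build an XStream instance with both void types explicitly denied. */
    static XStream hardened() {
        XStream xstream = new XStream();
        // denyTypes(Class[]) registers a deny permission, so the type is
        // refused by the security mapper before any instance is allocated.
        xstream.denyTypes(new Class[] { void.class, Void.class });
        return xstream;
    }

    /** Returns true if the type permission check refused the input. */
    static boolean isRejected(XStream xstream, String xml) {
        try {
            xstream.fromXML(xml);
            return false;
        } catch (ForbiddenClassException e) {
            // Controlled failure: an exception the caller can handle,
            // instead of an attempt to instantiate 'void'.
            return true;
        }
    }

    public static void main(String[] args) {
        XStream xstream = hardened();
        // Constructed inputs: the element from the CVE text and a benign one.
        String[] samples = { "<void/>", "<string>ok</string>" };
        for (String xml : samples) {
            System.out.println(xml + " rejected=" + isRejected(xstream, xml));
        }
    }
}
```

Callers that unmarshal untrusted XML should treat ForbiddenClassException as a rejected request and log it, since it indicates input naming a type the application never expects.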
--- Begin Message ---
Source: libxstream-java
Source-Version: 1.4.9-2

We believe that the bug you reported is fixed in the latest version of
libxstream-java, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg <[email protected]> (supplier of updated libxstream-java package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])

Format: 1.8
Date: Tue, 02 May 2017 16:52:35 +0200
Source: libxstream-java
Binary: libxstream-java
Architecture: source
Version: 1.4.9-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: Emmanuel Bourg <[email protected]>
Description:
 libxstream-java - Java library to serialize objects to XML and back again
Closes: 861521
Changes:
 libxstream-java (1.4.9-2) unstable; urgency=medium
 .
   * Fixed CVE-2017-7957: Attempts to create an instance of the primitive
     type 'void' during unmarshalling lead to a remote application crash.
     (Closes: #861521)
--- End Message ---
__
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use [email protected] for discussions and questions.

