Your message dated Sat, 24 Jun 2017 21:18:27 +0000
with message-id <e1dosrn-0000ks...@fasolo.debian.org>
and subject line Bug#864859: fixed in jython 2.5.3-3+deb8u1
has caused the Debian Bug report #864859,
regarding jython: CVE-2016-4000: Unsafe deserialization leads to code execution
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
864859: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864859
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: jython
Version: 2.5.3-1
Severity: grave
Tags: security upstream patch
Justification: user security hole
Forwarded: http://bugs.jython.org/issue2454

Hi,

the following vulnerability was published for jython.

CVE-2016-4000[0]:
Unsafe deserialization leads to code execution

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-4000
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4000
[1] http://bugs.jython.org/issue2454
[2] https://hg.python.org/jython/rev/d06e29d100c0

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: jython
Source-Version: 2.5.3-3+deb8u1

We believe that the bug you reported is fixed in the latest version of
jython, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 864...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <a...@debian.org> (supplier of updated jython package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 21 Jun 2017 20:00:46 +0200
Source: jython
Binary: jython jython-doc
Architecture: source all
Version: 2.5.3-3+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <a...@debian.org>
Description:
 jython     - Python seamlessly integrated with Java
 jython-doc - Jython documentation including API docs
Closes: 864859
Changes:
 jython (2.5.3-3+deb8u1) jessie-security; urgency=high
 .
   * Team upload.
   * Fix CVE-2016-4000: (Closes: #864859)
     Unsafe deserialization may lead to arbitrary code execution.


--- End Message ---