Bug#632882: CVE-2011-2204
Package: tomcat6
Severity: grave
Tags: security

(Also applies to Tomcat 5.5 and Tomcat 6)

Please see
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2204

This doesn't warrant a DSA, but could be fixed through a point update.

Cheers,
Moritz

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.39-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

__
This is the maintainer address of Debian's Java team
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers.
Please use debian-j...@lists.debian.org for discussions and questions.
Bug#632882: CVE-2011-2204
On Wed, Jul 06, 2011 at 09:49:17PM -0700, tony mancill wrote:
> Hello Moritz,
>
> Thank you for filing the bug. I've uploaded an updated tomcat6 package
> for unstable and will get the patch applied for the next tomcat7 upload
> soon. I'll also look into an upload of 6.0.28 for stable proposed
> updates.

Sounds good. What's the status of #608286 ?

Cheers,
Moritz
Bug#634992: CVE-2011-2526: Restriction bypass
Package: tomcat7
Severity: grave
Tags: security

Please see
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2526
http://tomcat.apache.org/security-7.html

The same applies to Tomcat 6 and Tomcat 5.5

Cheers,
Moritz
Bug#611130: CVE-2010-2087
On Tue, Aug 23, 2011 at 08:12:51PM -0430, Miguel Landaeta wrote:
> On Mon, Jul 25, 2011 at 02:05:01PM +0200, Moritz Mühlenhoff wrote:
> > What's the result?
>
> Upstream is totally unresponsive about this issue. I have reviewed
> changelog of subsequent releases and this doesn't seem to be fixed.
>
> I have lost almost all motivation to try to fix this, but I'll give
> another try to check again with upstream to see what they have to say.

This reminded me of http://pwnies.com/archive/2010/winners/:

--
Pwnie for Best Server-Side Bug
(..)
Credit: Meder Kydyraliev
(..)
Meder gets bonus points for having to track down developers on IRC to get
the vulnerability fixed after receiving no response from
secur...@struts.apache.org.
--

Maybe you should try IRC as well...

Cheers,
Moritz
Bug#645881: critical update 29 available
On Wed, Oct 19, 2011 at 06:20:12PM +0200, Torsten Werner wrote:
> Hi Philipp,
>
> On 19.10.2011 16:33, Philipp Kern wrote:
> > Or it's the removal of the package.
>
> we should remove sun-java5 from oldstable, too, if we are going to
> remove sun-java6 from (old)stable. But I do not have a strong opinion
> on that. In any case we should go ahead with the removal from unstable
> ASAP.

As for stable/oldstable: I noticed that Red Hat provided packages for
update 29 for RHEL 4 (RHEL 5 onwards use OpenJDK):
http://lwn.net/Articles/463919/

Cheers,
Moritz
Bug#582146: /usr/lib/jvm/java-6-sun-1.6.0.20/jre/lib/i386/libnpjp2.so: browser plugin reporting of system fonts is a privacy leak
severity 582146 important
thanks

On Tue, May 18, 2010 at 07:06:31PM +0200, Thiemo Nagel wrote:
> Package: sun-java6-bin
> Version: 6.20-dlj-1
> Severity: grave
> File: /usr/lib/jvm/java-6-sun-1.6.0.20/jre/lib/i386/libnpjp2.so
> Tags: security
> Justification: user security hole
>
> Reporting of system fonts by browser plugins may lead to total loss of
> anonymity, especially when an uncommon combination of fonts has been
> installed, as demonstrated by the EFF:
>
> http://panopticlick.eff.org/
>
> See also: http://browserspy.dk/fonts-java.php
>
> I've set severity grave because information leaks are considered
> security issues if I'm not mistaken, and also because it's not only a
> theoretical vulnerability, as demonstrations for exploits do exist.

While this is a privacy issue, it doesn't qualify as a RC security bug.

Cheers,
Moritz
Bug#587447: CVE-2010-1157
Package: tomcat6
Severity: important
Tags: security

Dear Tomcat maintainers,

AFAICS CVE-2010-1157 is still unfixed in sid:
http://tomcat.apache.org/security-6.html

We don't need to update Lenny, since the security impact is marginal.
If you want to have it fixed in stable, you can still fix it through a
point update.

Cheers,
Moritz

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=C, lc_ctype=de_de.iso-8859...@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash
Bug#588813: CVE-2010-2227: DoS and information disclosure
Package: tomcat6
Severity: grave
Tags: security
Justification: user security hole

Please see
http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.28

Important: Remote Denial Of Service and Information Disclosure Vulnerability
CVE-2010-2227

Several flaws in the handling of the 'Transfer-Encoding' header were found
that prevented the recycling of a buffer. A remote attacker could trigger
this flaw which would cause subsequent requests to fail and/or information
to leak between requests. This flaw is mitigated if Tomcat is behind a
reverse proxy (such as Apache httpd 2.2) as the proxy should reject the
invalid transfer encoding header.

This was fixed in revision 958977.

Cheers,
Moritz

-- System Information:
Debian Release: 5.0.5
  APT prefers stable
  APT policy: (990, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.18 (SMP w/1 CPU core)
Locale: lang=de_de.ut...@euro, lc_ctype=de_de.ut...@euro (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Bug#572982: azureus: Multiple license issues.
On Thu, Jun 03, 2010 at 01:36:37PM -0400, Pablo Duboue wrote:
> At debian-java we're pretty happy with the exception and we didn't feel
> the need to run it through -legal. I haven't had time to make an upload
> with the exception documented in the debian/ folder so the bug is still
> open (but the package didn't get removed, which is the important part :-)

You should really do this now, the Squeeze release is close and this bug
has been w/o action for quite some time!

Cheers,
Moritz
Bug#600259: sun-java6: Multiple security issues
Package: sun-java6
Severity: grave
Tags: security
Justification: user security hole

Oracle has fixed several Java security issues, which also need to be fixed
in sid:
http://www.oracle.com/technetwork/topics/security/javacpuoct2010-176258.html

Cheers,
Moritz

-- System Information:
Debian Release: 5.0.1
Architecture: amd64 (x86_64)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.32-ucs16-amd64
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Bug#606388: CVE-2010-4172: XSS issues
Package: tomcat6
Severity: grave
Tags: security

Please see http://tomcat.apache.org/security-6.html.

Please upload an isolated fix with urgency=medium and ask RMs for an
unblock.

Cheers,
Moritz

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=C, lc_ctype=de_de.iso-8859...@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash
Bug#608286: CVE-2010-4312: does not use HTTPOnly for session cookies by default
On Fri, Dec 31, 2010 at 07:57:13AM -0800, tony mancill wrote:
> FYI, we applied patches for that Apache upstream SVN revision as part
> of CVE-2010-4172. I reviewed the patch posted here [0], and we already
> have all of it except for this bit.

CVE-2010-4172 is fully fixed. MITRE later on assigned CVE-2010-4312 to
this section from the original advisory:

| Users should be aware that Tomcat 6 does not use httpOnly for session
| cookies by default so this vulnerability could expose session cookies
| from the manager application to an attacker.

httpOnly has been made the default in Tomcat 7, so this ID is essentially
about an insecure default setting. For Tomcat 6 I don't see the need to
change the default (which might even break applications). Instead such
settings should be taken into account when setting up a Tomcat site.

For Squeeze you add a README.Debian or such pointing to the option and
the recommendation to use the option?

Cheers,
Moritz
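The option the message above refers to without naming it is the `useHttpOnly` attribute of Tomcat's `Context` element, which Tomcat 6.0.19 and later accept and which Tomcat 7 turns on by default. The fragment below is an added example for this thread, not text from the bug report or from the Debian tomcat6 package; the file path and the sample child element are assumptions, the attribute name is Tomcat's own.

```xml
<!-- Assumed location: /etc/tomcat6/context.xml, the default Context that
     every deployed web application inherits (per-application context files
     can set the same attribute).

     Before: Tomcat 6 leaves useHttpOnly unset, which behaves like "false".
     The JSESSIONID cookie is then readable from script, so a reflected XSS
     in any application on the instance (the manager webapp in CVE-2010-4172
     is one) can hand the session id to an attacker. -->
<Context>
    <WatchedResource>WEB-INF/web.xml</WatchedResource>
</Context>

<!-- After: session cookies are sent with the HttpOnly flag, so the browser
     withholds them from document.cookie. This only changes the cookie flag;
     an application that reads JSESSIONID from JavaScript (uncommon, but the
     reason the thread is wary of flipping the default) would break. -->
<Context useHttpOnly="true">
    <WatchedResource>WEB-INF/web.xml</WatchedResource>
</Context>
```

After restarting Tomcat, the first response that creates a session should carry a `Set-Cookie: JSESSIONID=...; Path=/...; HttpOnly` header; a `Set-Cookie` for JSESSIONID without the `HttpOnly` token means the attribute was not picked up, most often because a per-application context file overrides the default one.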
Bug#611130: CVE-2010-2087
Package: mojarra
Severity: grave
Tags: security

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2087

Please get in touch with upstream, whether this has been addressed.

Cheers,
Moritz

-- System Information:
Debian Release: 6.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Bug#611138: CVE-2010-4438
Package: glassfish
Severity: grave
Tags: security

See http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4438

Please get in touch with Oracle to check, what unspecified vulnerability
they fixed...

Cheers,
Moritz

-- System Information:
Debian Release: 6.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Bug#611849: CVE-2010-4647/CVE-2008-7271: XSS in help browser application
Package: eclipse
Severity: important
Tags: security

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4647
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7271

Red Hat has a good description and links to patches:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-4647

This doesn't warrant a DSA, but you could fix this in Squeeze in a point
update.

Cheers,
Moritz

-- System Information:
Debian Release: 6.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Bug#612257: Three Tomcat vulnerabilities
Package: tomcat6
Version: Three Tomcat vulnerabilities
Severity: grave
Tags: security

CVE-2011-0534, CVE-2011-0013 and CVE-2010-3718 need to be fixed in
squeeze-security and unstable:
http://tomcat.apache.org/security-6.html

Cheers,
Moritz

-- System Information:
Debian Release: 5.0.1
Architecture: amd64 (x86_64)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.32-ucs35-amd64
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Bug#581226: Multiple security issues
Package: jbossas4
Severity: grave
Tags: security

The following security issues have been reported against jbossas4:

CVE-2010-0738:
The JMX-Console web application in JBossAs in Red Hat JBoss Enterprise
Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP09 and
4.3 before 4.3.0.CP08 performs access control only for the GET and POST
methods, which allows remote attackers to send requests to this
application's GET handler by using a different method.
https://bugzilla.redhat.com/show_bug.cgi?id=574105

CVE-2010-1428:
The Web Console (aka web-console) in JBossAs in Red Hat JBoss Enterprise
Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP09 and
4.3 before 4.3.0.CP08 performs access control only for the GET and POST
methods, which allows remote attackers to obtain sensitive information
via an unspecified request that uses a different method.
https://bugzilla.redhat.com/show_bug.cgi?id=585899

CVE-2010-1429:
Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP)
4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08 allows remote attackers
to obtain sensitive information about deployed web contexts via a request
to the status servlet, as demonstrated by a full=true query string.
NOTE: this issue exists because of a CVE-2008-3273 regression.
https://bugzilla.redhat.com/show_bug.cgi?id=585900

I've noticed the following in README.Debian:

| jbossas4 is currently in a very alpha stage of packaging. It can be used
| to build other libraries depending on JBoss like libhibernate3-java but
| it is not complete and cannot be used as an application server yet.

Does this mean these issues don't affect jbossas4 as packaged in Debian?
If so we should limit the scope of security support for Squeeze.

Cheers,
Moritz

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=C, lc_ctype=de_de.iso-8859...@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash
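The access-control pattern behind CVE-2010-0738 and CVE-2010-1428 in the report above is a Servlet `security-constraint` whose `web-resource-collection` enumerates `http-method` elements. The container then enforces the constraint only for the listed methods and lets every other verb (HEAD, OPTIONS, PUT, DELETE, or any arbitrary token) reach the servlet unauthenticated; because `HttpServlet.doHead()` falls back to `doGet()`, a HEAD request runs the same code the GET handler would. The web.xml fragment below is an added example written for this thread, not the bug report's text nor JBoss's shipped configuration; the resource name, URL pattern and role name are assumptions modelled on a JMX-console style layout.

```xml
<!-- Before (verb-scoped constraint): only GET and POST require the role.
     "HEAD /jmx-console/HtmlAdaptor?action=invokeOp&..." is not matched by
     the constraint, so it is served without authentication and, via
     HttpServlet.doHead() -> doGet(), reaches the same handler as a GET. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HtmlAdaptor</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>JBossAdmin</role-name>
  </auth-constraint>
</security-constraint>

<!-- After: with no http-method element the constraint applies to every
     method, including ones the application never intended to serve. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HtmlAdaptor</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>JBossAdmin</role-name>
  </auth-constraint>
</security-constraint>
```

A quick check against a running instance is to send the same URL with GET and then with HEAD or an unknown verb and compare status codes: 401 for GET but 200 for the other method means the constraint is method-scoped. Only `http-method` elements listed in `web-resource-collection` narrow the constraint; fixing web.xml does not help where an application additionally keys its own authorization logic on the request method.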
Bug#653964: glassfish predictable hash collisions
On Mon, Jan 02, 2012 at 09:56:20AM +0100, Torsten Werner wrote:
> Hi,
>
> On Sun, Jan 1, 2012 at 11:53 PM, Thijs Kinkhorst th...@debian.org wrote:
> > It was reported that Glassfish is affected by the predictable hash
> > collisions attack that made its rounds around the net this week.
> > This is tracked at http://security-tracker.debian.org/tracker/CVE-2011-5035
>
> I do not think that we are vulnerable because Debian does not ship a
> full glassfish stack. We build some core libs only.
>
> > Can you ensure that fixed packages are uploaded to sid as soon as
> > possible, and assert whether a fix for lenny and squeeze would be
> > necessary?
>
> I do not even understand how to reproduce the issue. May you elaborate
> on that, please?

The advisory can be found here:
http://www.nruns.com/_downloads/advisory28122011.pdf

I'm not sure where to find Oracle security ticket S0104869, though.

Cheers,
Moritz
Tomcat for Squeeze
Dear Java maintainers,

currently there's Tomcat 6 and Tomcat 7 in Wheezy. Will 6 be dropped
before the Wheezy release? It would be good to only have one version in
Wheezy.

Cheers,
Moritz
Bug#655495: CVE-2011-4605: DoS
Source: activemq
Severity: grave
Tags: security

This is CVE-2011-4605

Please see here for details and patches:
http://openwall.com/lists/oss-security/2011/12/25/2

Cheers,
Moritz
Bug#656876: Please enable hardened build flags
Source: libapache-mod-jk
Severity: important

Please enable hardened build flags through dpkg-buildflags.

Cheers,
Moritz
Bug#657870: Multiple issues in Struts
Package: libstruts1.2-java
Severity: grave
Tags: security

Hi,
several vulnerabilities have been reported against Struts:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0391
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0392
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0393
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0394
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5057

The version in Debian seems ancient and unmaintained, can you please
check, whether an update is needed?

Cheers,
Moritz
Bug#660653: FTBFS
Package: akuma
Version: 1.7-1
Severity: serious

akuma fails to build from source:

   dh_installpam -plibakuma-java
   dh_installlogrotate -plibakuma-java
   dh_installlogcheck -plibakuma-java
   dh_installchangelogs -plibakuma-java
   dh_installudev -plibakuma-java
   dh_lintian -plibakuma-java
   dh_bugfiles -plibakuma-java
   dh_install -plibakuma-java
   dh_link -plibakuma-java
   dh_buildinfo -plibakuma-java
   dh_installmime -plibakuma-java
   dh_installgsettings -plibakuma-java
   jh_installlibs -plibakuma-java
   jh_classpath -plibakuma-java
IO error: opening debian/libakuma-java/debian/libakuma-java/usr/share/java/akuma.jar for read : No such file or directory
 at /usr/share/perl5/Archive/Zip/Archive.pm line 546
        Archive::Zip::Archive::read('Archive::Zip::Archive=HASH(0x1ec4940)', 'debian/libakuma-java/debian/libakuma-java/usr/share/java/akum...') called at /usr/bin/jh_manifest line 295
        main::update_jar('debian/libakuma-java/debian/libakuma-java/usr/share/java/akum...', undef) called at /usr/bin/jh_manifest line 142
jh_manifest: Could not read debian/libakuma-java/debian/libakuma-java/usr/share/java/akuma.jar: No such file or directory
make: *** [binary-post-install/libakuma-java] Error 1
dpkg-buildpackage: error: debian/rules binary gave error exit status 2
Bug#661450: FTBFS
Package: ehcache
Version: 2.1.0-1
Severity: serious

debian/rules build
test -x debian/rules
mkdir -p .
cd . /usr/lib/jvm/default-java//bin/java -classpath /usr/share/ant/lib/ant.jar:/usr/share/ant/lib/ant-launcher.jar:/usr/share/java/commons-logging.jar:/usr/share/java/servlet-api-2.5.jar:/usr/share/java/backport-util-concurrent.jar:/usr/share/java/slf4j-api.jar:/usr/share/java/geronimo-jta-1.0.1b-spec.jar:/usr/share/java/btm.jar:/usr/share/java/jsr107cache.jar:/usr/share/java/hibernate3.jar:/usr/share/java/commons-collections3.jar:/usr/lib/jvm/default-java//lib/tools.jar -Dant.home=/usr/share/ant org.apache.tools.ant.Main -Dcompile.debug=true -Dcompile.optimize=true -buildfile debian/build.xml jar
Buildfile: /home/jmm/ehcache-2.1.0/debian/build.xml

init:
    [mkdir] Created dir: /home/jmm/ehcache-2.1.0/target/classes

compile:
    [javac] /home/jmm/ehcache-2.1.0/debian/build.xml:17: warning: 'includeantruntime' was not set, defaulting to build.sysclasspath=last; set to false for repeatable builds
    [javac] Compiling 290 source files to /home/jmm/ehcache-2.1.0/target/classes
    [javac] EhCacheXAResourceProducer.java:122: cannot find symbol
    [javac] symbol  : method setXAResourceHolderState(bitronix.tm.internal.XAResourceHolderState)
    [javac] location: class net.sf.ehcache.transaction.manager.btm.EhCacheXAResourceHolder
    [javac]         xaResourceHolder.setXAResourceHolderState(xaResourceHolderState);
    [javac]                         ^
    [javac] Note: Some input files use or override a deprecated API.
    [javac] Note: Recompile with -Xlint:deprecation for details.
    [javac] Note: Some input files use unchecked or unsafe operations.
    [javac] Note: Recompile with -Xlint:unchecked for details.
    [javac] 1 error

BUILD FAILED
/home/jmm/ehcache-2.1.0/debian/build.xml:17: Compile failed; see the compiler error output for details.

Total time: 12 seconds
make: *** [debian/stamp-ant-build] Error 1
dpkg-buildpackage: error: debian/rules build gave error exit status 2
Bug#661691: FTBFS
Package: jenkins-crypto-util
Version: 1.1-1
Severity: serious

Your package fails to build from source:

[INFO] Compiling 2 source files to /home/jmm/jenkins-crypto-util-1.1/target/classes
[INFO] [resources:testResources {execution: default-testResources}]
[WARNING] Using platform encoding (ANSI_X3.4-1968 actually) to copy filtered resources, i.e. build is platform dependent!
[INFO] Copying 3 resources
[INFO] [compiler:testCompile {execution: default-testCompile}]
[INFO] Compiling 1 source file to /home/jmm/jenkins-crypto-util-1.1/target/test-classes
[INFO] [surefire:test {execution: default-test}]
[INFO] Surefire report directory: /home/jmm/jenkins-crypto-util-1.1/target/surefire-reports

---
 T E S T S
---
Running org.jvnet.hudson.crypto.PKIXTest
Tests run: 1, Failures: 0, Errors: 1, Skipped: 0, Time elapsed: 0.766 sec FAILURE!

Results :

Tests in error:
  testPathValidation(org.jvnet.hudson.crypto.PKIXTest): timestamp check failed

Tests run: 1, Failures: 0, Errors: 1, Skipped: 0

[INFO]
[ERROR] BUILD FAILURE
[INFO]
[INFO] There are test failures.

Please refer to /home/jmm/jenkins-crypto-util-1.1/target/surefire-reports for the individual test results.
[INFO]
[INFO] For more information, run Maven with the -e switch
[INFO]
[INFO] Total time: 8 seconds
[INFO] Finished at: Wed Feb 29 12:04:35 CET 2012
[INFO] Final Memory: 12M/30M
[INFO]
make: *** [mvn-build] Error 1
dpkg-buildpackage: error: debian/rules build gave error exit status 2
Bug#661694: FTBFS
Package: jbossas4
Version: 4.2.3.GA-6
Severity: serious

Your package fails to build from source:

    [mkdir] Created dir: /home/jmm/jbossas4-4.2.3.GA/ejb3/classes
    [javac] /home/jmm/jbossas4-4.2.3.GA/debian/build.xml:340: warning: 'includeantruntime' was not set, defaulting to build.sysclasspath=last; set to false for repeatable builds
    [javac] Compiling 446 source files to /home/jmm/jbossas4-4.2.3.GA/ejb3/classes
    [javac] ContainerPlugin.java:34: warning: unmappable character for encoding ASCII
    [javac]  * @author a href=mailto:rickard.ob...@telkel.com;Rickard ???berg/a
    [javac]                                                           ^
    [javac] ContainerPlugin.java:34: warning: unmappable character for encoding ASCII
    [javac]  * @author a href=mailto:rickard.ob...@telkel.com;Rickard ???berg/a
    [javac]                                                            ^
    [javac] ContainerPlugin.java:34: warning: unmappable character for encoding ASCII
    [javac]  * @author a href=mailto:rickard.ob...@telkel.com;Rickard ???berg/a
    [javac]                                                             ^
    [javac] EJBProxyFactory.java:48: warning: unmappable character for encoding ASCII
    [javac]  * @author a href=mailto:rickard.ob...@telkel.com;Rickard ???berg/a
    [javac]                                                           ^
    [javac] EJBProxyFactory.java:48: warning: unmappable character for encoding ASCII
    [javac]  * @author a href=mailto:rickard.ob...@telkel.com;Rickard ???berg/a
    [javac]                                                            ^
    [javac] EJBProxyFactory.java:48: warning: unmappable character for encoding ASCII
    [javac]  * @author a href=mailto:rickard.ob...@telkel.com;Rickard ???berg/a
    [javac]                                                             ^
    [javac] TreeCacheProviderHook.java:52: cannot find symbol
    [javac] symbol  : class TreeCacheProvider
    [javac] location: package org.hibernate.cache
    [javac]    extends org.hibernate.cache.TreeCacheProvider
    [javac]                               ^
    [javac] TreeCacheProviderHook.java:68: cannot find symbol
    [javac] symbol  : method getClass()
    [javac] location: class org.jboss.ejb3.entity.TreeCacheProviderHook
    [javac]    protected Logger log = Logger.getLogger(getClass());
    [javac]                                            ^
    [javac] Note: Some input files use or override a deprecated API.
    [javac] Note: Recompile with -Xlint:deprecation for details.
    [javac] Note: Some input files use unchecked or unsafe operations.
    [javac] Note: Recompile with -Xlint:unchecked for details.
    [javac] 2 errors
    [javac] 6 warnings

BUILD FAILED
/home/jmm/jbossas4-4.2.3.GA/debian/build.xml:340: Compile failed; see the compiler error output for details.

Total time: 58 seconds
make: *** [debian/stamp-ant-build] Error 1
dpkg-buildpackage: error: debian/rules build gave error exit status 2
Bug#661715: FTBFS
Package: jcaptcha
Version: 2.0~alpha1-2
Severity: serious

Your package fails to build from source:

   dh_installlogrotate -plibjcaptcha-java
   dh_installlogcheck -plibjcaptcha-java
   dh_installchangelogs -plibjcaptcha-java
   dh_installudev -plibjcaptcha-java
   dh_lintian -plibjcaptcha-java
   dh_bugfiles -plibjcaptcha-java
   dh_install -plibjcaptcha-java
   dh_link -plibjcaptcha-java
   dh_buildinfo -plibjcaptcha-java
   dh_installmime -plibjcaptcha-java
   dh_installgsettings -plibjcaptcha-java
   jh_installlibs -plibjcaptcha-java
   jh_classpath -plibjcaptcha-java
IO error: opening debian/libjcaptcha-java/debian/libjcaptcha-java/usr/share/java/jcaptcha-integration-simple-servlet.jar for read : No such file or directory
 at /usr/share/perl5/Archive/Zip/Archive.pm line 546
        Archive::Zip::Archive::read('Archive::Zip::Archive=HASH(0x20e9080)', 'debian/libjcaptcha-java/debian/libjcaptcha-java/usr/share/jav...') called at /usr/bin/jh_manifest line 295
        main::update_jar('debian/libjcaptcha-java/debian/libjcaptcha-java/usr/share/jav...', undef) called at /usr/bin/jh_manifest line 142
jh_manifest: Could not read debian/libjcaptcha-java/debian/libjcaptcha-java/usr/share/java/jcaptcha-integration-simple-servlet.jar: No such file or directory
make: *** [binary-post-install/libjcaptcha-java] Error 1
dpkg-buildpackage: error: fakeroot debian/rules binary gave error exit status 2
Bug#662807: junit4: FTBFS
Package: junit4
Version: 4.8.2-2
Severity: serious

Your package fails to build from source:

compile:
    [mkdir] Created dir: /home/jmm/junit4-4.8.2/build/generated-sources
    [javac] /usr/share/maven-ant-helper/maven-build.xml:337: warning: 'includeantruntime' was not set, defaulting to build.sysclasspath=last; set to false for repeatable builds
    [javac] Compiling 154 source files to /home/jmm/junit4-4.8.2/build/classes
    [javac] CombinableMatcher.java:27: invalid inferred types for T; actual arguments do not conforms to inferred formal arguments
    [javac] required: org.hamcrest.Matcher? super java.lang.Object[]
    [javac] found: org.hamcrest.Matchercapture#428 of ? extends T,org.hamcrest.Matchercapture#896 of ? extends T
    [javac]         return new CombinableMatcherT(allOf(matcher, fMatcher));
    [javac]                                     ^
    [javac] CombinableMatcher.java:32: invalid inferred types for T; actual arguments do not conforms to inferred formal arguments
    [javac] required: org.hamcrest.Matcher? super java.lang.Object[]
    [javac] found: org.hamcrest.Matchercapture#304 of ? extends T,org.hamcrest.Matchercapture#323 of ? extends T
    [javac]         return new CombinableMatcherT(anyOf(matcher, fMatcher));
    [javac]                                     ^
    [javac] IsCollectionContaining.java:44: incompatible types
    [javac] found   : org.hamcrest.Matcherjava.lang.Iterablejava.lang.Object
    [javac] required: org.hamcrest.Matcherjava.lang.IterableT
    [javac]         return hasItem(equalTo(element));
    [javac]                       ^
    [javac] IsCollectionContaining.java:54: cannot find symbol
    [javac] symbol  : method allOf(java.util.Collectionorg.hamcrest.Matcher? extends java.lang.IterableT)
    [javac] location: class org.junit.internal.matchers.IsCollectionContainingT
    [javac]         return allOf(all);
    [javac]                ^
    [javac] IsCollectionContaining.java:64: cannot find symbol
    [javac] symbol  : method allOf(java.util.Collectionorg.hamcrest.Matcher? extends java.lang.IterableT)
    [javac] location: class org.junit.internal.matchers.IsCollectionContainingT
    [javac]         return allOf(all);
    [javac]                ^
    [javac] Note: Some input files use or override a deprecated API.
    [javac] Note: Recompile with -Xlint:deprecation for details.
    [javac] 5 errors

BUILD FAILED
/usr/share/maven-ant-helper/maven-build.xml:337: Compile failed; see the compiler error output for details.

Total time: 7 seconds
make: *** [debian/stamp-ant-build] Error 1
dpkg-buildpackage: error: debian/rules build gave error exit status 2
Bug#662811: jmock2: FTBFS
Package: jmock2
Version: 2.5.1+dfsg-1
Severity: serious

Your package fails to build from source:

compile:
    [mkdir] Created dir: /home/jmm/jmock2-2.5.1+dfsg/build/classes
    [javac] /home/jmm/jmock2-2.5.1+dfsg/build.xml:61: warning: 'includeantruntime' was not set, defaulting to build.sysclasspath=last; set to false for repeatable builds
    [javac] Compiling 175 source files to /home/jmm/jmock2-2.5.1+dfsg/build/classes
    [javac] Money.java:30: warning: unmappable character for encoding ASCII
    [javac]         return ?? + amount;
    [javac]                ^
    [javac] Money.java:30: warning: unmappable character for encoding ASCII
    [javac]         return ?? + amount;
    [javac]                 ^
    [javac] HamcrestTypeSafetyAcceptanceTests.java:3: cannot find symbol
    [javac] symbol  : class OrderingComparisons
    [javac] location: package org.hamcrest.number
    [javac] import static org.hamcrest.number.OrderingComparisons.greaterThan;
    [javac]                                  ^
    [javac] HamcrestTypeSafetyAcceptanceTests.java:3: static import only from classes and interfaces
    [javac] import static org.hamcrest.number.OrderingComparisons.greaterThan;
    [javac] ^
    [javac] HamcrestTypeSafetyAcceptanceTests.java:4: cannot find symbol
    [javac] symbol  : class StringStartsWith
    [javac] location: package org.hamcrest.text
    [javac] import static org.hamcrest.text.StringStartsWith.startsWith;
    [javac]                                ^
    [javac] HamcrestTypeSafetyAcceptanceTests.java:4: static import only from classes and interfaces
    [javac] import static org.hamcrest.text.StringStartsWith.startsWith;
    [javac] ^
    [javac] Expectations.java:187: incompatible types
    [javac] found   : capture#417 of ? super java.lang.Boolean
    [javac] required: boolean
    [javac]         return with(equalTo(value));
    [javac]                    ^
    [javac] Expectations.java:191: incompatible types
    [javac] found   : capture#174 of ? super java.lang.Byte
    [javac] required: byte
    [javac]         return with(equalTo(value));
    [javac]                    ^
    [javac] Expectations.java:195: incompatible types
    [javac] found   : capture#436 of ? super java.lang.Short
    [javac] required: short
    [javac]         return with(equalTo(value));
    [javac]                    ^
    [javac] Expectations.java:199: incompatible types
    [javac] found   : capture#151 of ? super java.lang.Character
    [javac] required: char
    [javac]         return with(equalTo(value));
    [javac]                    ^
    [javac] Expectations.java:203: incompatible types
    [javac] found   : capture#17 of ? super java.lang.Integer
    [javac] required: int
    [javac]         return with(equalTo(value));
    [javac]                    ^
    [javac] Expectations.java:207: incompatible types
    [javac] found   : capture#395 of ? super java.lang.Long
    [javac] required: long
    [javac]         return with(equalTo(value));
    [javac]                    ^
    [javac] Expectations.java:211: incompatible types
    [javac] found   : capture#740 of ? super java.lang.Float
    [javac] required: float
    [javac]         return with(equalTo(value));
    [javac]                    ^
    [javac] Expectations.java:215: incompatible types
    [javac] found   : capture#78 of ? super java.lang.Double
    [javac] required: double
    [javac]         return with(equalTo(value));
    [javac]                    ^
    [javac] Expectations.java:219: incompatible types
    [javac] found   : capture#875 of ? super T
    [javac] required: T
    [javac]         return with(equalTo(value));
    [javac]                    ^
    [javac] HamcrestTypeSafetyAcceptanceTests.java:26: cannot find symbol
    [javac] symbol: method startsWith(java.lang.String)
    [javac]         exactly(1).of (anything()).method(withName(m)).with(startsWith(x));
    [javac]                                                             ^
    [javac] HamcrestTypeSafetyAcceptanceTests.java:27: cannot find symbol
    [javac] symbol: method greaterThan(int)
    [javac]         exactly(1).of (anything()).method(withName(m)).with(greaterThan(0));
    [javac]                                                             ^
    [javac] InvocationExpectationTests.java:75: setParametersMatcher(org.hamcrest.Matcher<java.lang.Object[]>) in org.jmock.internal.InvocationExpectation cannot be applied to (org.hamcrest.Matcher<capture#843 of ? super java.lang.Object[]>)
    [javac]         expectation.setParametersMatcher(equalTo(args));
    [javac]                    ^
    [javac] Note: JMock.java uses or overrides a deprecated API.
    [javac] Note: Recompile with -Xlint:deprecation for details.
    [javac] 17 errors
    [javac] 2 warnings

BUILD FAILED
/home/jmm/jmock2-2.5.1+dfsg/build.xml:61: Compile failed; see the compiler error output for details.

Total time: 7 seconds
make: *** [debian/stamp-ant-build]
Bug#663106: libcommons-discovery-java: FTBFS: No jar in libcommons-discovery-java matching usr/share/java/commons-discovery.jar.
Package: libcommons-discovery-java
Version: 0.5-2
Severity: serious

Your package fails to build from source:

[INFO] BUILD SUCCESSFUL
[INFO]
[INFO] Total time: 2 seconds
[INFO] Finished at: Wed Mar 07 12:08:03 CET 2012
[INFO] Final Memory: 4M/10M
[INFO]
cp debian/libcommons-discovery-java.substvars debian/libcommons-discovery-java-doc.substvars
# cleanup generated docs
rm -f -f target/apidocs/*.sh target/apidocs/options
Adding cdbs dependencies to debian/libcommons-discovery-java.substvars
dh_installdirs -plibcommons-discovery-java
jh_installjavadoc -plibcommons-discovery-java
Adding cdbs dependencies to debian/libcommons-discovery-java-doc.substvars
dh_installdirs -plibcommons-discovery-java-doc
jh_installjavadoc -plibcommons-discovery-java-doc
dh_installdocs -plibcommons-discovery-java ./TODO
dh_installexamples -plibcommons-discovery-java
dh_installman -plibcommons-discovery-java
dh_installinfo -plibcommons-discovery-java
dh_installmenu -plibcommons-discovery-java
dh_installcron -plibcommons-discovery-java
dh_installinit -plibcommons-discovery-java
dh_installdebconf -plibcommons-discovery-java
dh_installemacsen -plibcommons-discovery-java
dh_installcatalogs -plibcommons-discovery-java
dh_installpam -plibcommons-discovery-java
dh_installlogrotate -plibcommons-discovery-java
dh_installlogcheck -plibcommons-discovery-java
dh_installchangelogs -plibcommons-discovery-java
dh_installudev -plibcommons-discovery-java
dh_lintian -plibcommons-discovery-java
dh_bugfiles -plibcommons-discovery-java
dh_install -plibcommons-discovery-java
dh_link -plibcommons-discovery-java
dh_buildinfo -plibcommons-discovery-java
dh_installmime -plibcommons-discovery-java
dh_installgsettings -plibcommons-discovery-java
jh_installlibs -plibcommons-discovery-java
jh_classpath -plibcommons-discovery-java
jh_manifest -plibcommons-discovery-java
jh_manifest: No jar in libcommons-discovery-java matching usr/share/java/commons-discovery.jar.
make: *** [binary-post-install/libcommons-discovery-java] Error 1
dpkg-buildpackage: error: fakeroot debian/rules binary gave error exit status 2
Bug#663548: stapler: FTBFS: IO error: opening debian/libstapler-java/debian/libstapler-java//usr/share/java/stapler.jar for read : No such file or directory
Package: stapler
Version: 1.174-1
Severity: serious

Your package fails to build from source:

dh_bugfiles -plibstapler-java
dh_install -plibstapler-java
dh_link -plibstapler-java
dh_buildinfo -plibstapler-java
dh_installmime -plibstapler-java
dh_installgsettings -plibstapler-java
jh_installlibs -plibstapler-java
jh_classpath -plibstapler-java
IO error: opening debian/libstapler-java/debian/libstapler-java//usr/share/java/stapler.jar for read : No such file or directory
 at /usr/share/perl5/Archive/Zip/Archive.pm line 546
	Archive::Zip::Archive::read('Archive::Zip::Archive=HASH(0xad8fd0)', 'debian/libstapler-java/debian/libstapler-java//usr/share/java...') called at /usr/bin/jh_manifest line 295
	main::update_jar('debian/libstapler-java/debian/libstapler-java//usr/share/java...', undef) called at /usr/bin/jh_manifest line 142
jh_manifest: Could not read debian/libstapler-java/debian/libstapler-java//usr/share/java/stapler.jar: No such file or directory
make: *** [binary-post-install/libstapler-java] Error 1
dpkg-buildpackage: error: fakeroot debian/rules binary gave error exit status 2
Bug#663569: libspring-webflow-2.0-java: FTBFS: libspring-webflow-2.0-java-2.0.9.RELEASE/debian/build.xml:46: Compile failed; see the compiler error output for details.
Package: libspring-webflow-2.0-java
Version: 2.0.9.RELEASE-3
Severity: serious

Your package fails to build from source:

jar-spring-js:
      [jar] Building jar: /home/jmm/libspring-webflow-2.0-java-2.0.9.RELEASE/dist/spring-js-2.0.9.RELEASE.jar

compile-spring-webflow:
    [javac] Compiling 311 source files to /home/jmm/libspring-webflow-2.0-java-2.0.9.RELEASE/build
    [javac] WebFlowUpgrader.java:34: warning: com.sun.org.apache.xml.internal.serializer.OutputPropertiesFactory is internal proprietary API and may be removed in a future release
    [javac] import com.sun.org.apache.xml.internal.serializer.OutputPropertiesFactory;
    [javac]                                                  ^
    [javac] ConversationScope.java:25: org.springframework.webflow.scope.ConversationScope is not abstract and does not override abstract method resolveContextualObject(java.lang.String) in org.springframework.beans.factory.config.Scope
    [javac] public class ConversationScope extends AbstractWebFlowScope {
    [javac]        ^
    [javac] FlashScope.java:25: org.springframework.webflow.scope.FlashScope is not abstract and does not override abstract method resolveContextualObject(java.lang.String) in org.springframework.beans.factory.config.Scope
    [javac] public class FlashScope extends AbstractWebFlowScope {
    [javac]        ^
    [javac] FlowScope.java:25: org.springframework.webflow.scope.FlowScope is not abstract and does not override abstract method resolveContextualObject(java.lang.String) in org.springframework.beans.factory.config.Scope
    [javac] public class FlowScope extends AbstractWebFlowScope {
    [javac]        ^
    [javac] RequestScope.java:25: org.springframework.webflow.scope.RequestScope is not abstract and does not override abstract method resolveContextualObject(java.lang.String) in org.springframework.beans.factory.config.Scope
    [javac] public class RequestScope extends AbstractWebFlowScope {
    [javac]        ^
    [javac] ViewScope.java:25: org.springframework.webflow.scope.ViewScope is not abstract and does not override abstract method resolveContextualObject(java.lang.String) in org.springframework.beans.factory.config.Scope
    [javac] public class ViewScope extends AbstractWebFlowScope {
    [javac]        ^
    [javac] WebFlowUpgrader.java:87: warning: com.sun.org.apache.xml.internal.serializer.OutputPropertiesFactory is internal proprietary API and may be removed in a future release
    [javac]         transformer.setOutputProperty(OutputPropertiesFactory.S_KEY_INDENT_AMOUNT, 4);
    [javac]                                       ^
    [javac] Note: Some input files use or override a deprecated API.
    [javac] Note: Recompile with -Xlint:deprecation for details.
    [javac] 5 errors
    [javac] 2 warnings

BUILD FAILED
/home/jmm/libspring-webflow-2.0-java-2.0.9.RELEASE/debian/build.xml:46: Compile failed; see the compiler error output for details.

Total time: 16 seconds
make[1]: *** [override_dh_auto_install] Error 1
make[1]: Leaving directory `/home/jmm/libspring-webflow-2.0-java-2.0.9.RELEASE'
make: *** [binary] Error 2
dpkg-buildpackage: error: fakeroot debian/rules binary gave error exit status 2
Bug#667000: Rebuilding objenesis from source makes mockito FTBFS
Package: objenesis
Version: 1.2+full-1
Severity: serious

I'm filing this against objenesis, since this appears to be where the error is coming from. mockito builds fine if I use the pre-built deb from the archive. However, when recompiling objenesis in sid and installing the resulting binaries, mockito no longer builds correctly:

jh_build mockito-core-1.9.0.jar org/
find org/ -name *.java -and -type f -print0 | xargs -0 /usr/lib/jvm/default-java/bin/javac -cp /usr/share/java/objenesis.jar:/usr/share/java/cglib.jar:/usr/share/java/hamcrest-core.jar:/usr/share/java/asm3.jar:/usr/share/java/junit4.jar:debian/_jh_build.mockito-core-1.9.0 -d debian/_jh_build.mockito-core-1.9.0 -source 1.5
ClonesArguments.java:11: package org.objenesis does not exist
import org.objenesis.ObjenesisHelper;
                    ^
ThrowsExceptionClass.java:11: package org.objenesis does not exist
import org.objenesis.ObjenesisHelper;
                    ^
ClassImposterizer.java:14: package org.objenesis does not exist
import org.objenesis.ObjenesisStd;
                    ^
ClassImposterizer.java:28: cannot find symbol
symbol  : class ObjenesisStd
location: class org.mockito.internal.creation.jmock.ClassImposterizer
    private ObjenesisStd objenesis = new ObjenesisStd();
            ^
ClonesArguments.java:20: cannot find symbol
symbol  : variable ObjenesisHelper
location: class org.mockito.internal.stubbing.answers.ClonesArguments
        Object newInstance = ObjenesisHelper.newInstance(from.getClass());
                             ^
ThrowsExceptionClass.java:27: cannot find symbol
symbol  : variable ObjenesisHelper
location: class org.mockito.internal.stubbing.answers.ThrowsExceptionClass
        Throwable throwable = (Throwable) ObjenesisHelper.newInstance(throwableClass);
                                          ^
ClassImposterizer.java:28: cannot find symbol
symbol  : class ObjenesisStd
location: class org.mockito.internal.creation.jmock.ClassImposterizer
    private ObjenesisStd objenesis = new ObjenesisStd();
                                         ^
Note: Some input files use or override a deprecated API.
Note: Recompile with -Xlint:deprecation for details.
Note: Some input files use unchecked or unsafe operations.
Note: Recompile with -Xlint:unchecked for details.
7 errors
make[1]: *** [override_jh_build] Error 123
make[1]: Leaving directory `/home/jmm/mockito-1.9.0+ds1'
make: *** [build] Error 2
dpkg-buildpackage: error: debian/rules build gave error exit status 2

Diffing the file lists between the version in the archive and the rebuilt version shows that these files are missing after the rebuild:

/usr/share/java/objenesis-1.2.jar
/usr/share/java/objenesis.jar

Cheers,
Moritz
Bug#667016: Rebuilding jtidy in sid makes lucene FTBFS
Package: jtidy
Version: 7+svn20110807-3
Severity: serious

This is a similar bug to 667000 and 667011: Rebuilding jtidy in sid makes lucene2 fail to build from source:

[..]
common.compile-core:
    [mkdir] Created dir: /var/build/temp/tmp.DuYQiVFkxa/3.2-0-0/lucene2/lucene2-2.9.4+ds1/build/contrib/ant/classes/java
    [javac] /var/build/temp/tmp.DuYQiVFkxa/3.2-0-0/lucene2/lucene2-2.9.4+ds1/common-build.xml:567: warning: 'includeantruntime' was not set, defaulting to build.sysclasspath=last; set to false for repeatable builds
    [javac] Compiling 7 source files to /var/build/temp/tmp.DuYQiVFkxa/3.2-0-0/lucene2/lucene2-2.9.4+ds1/build/contrib/ant/classes/java
    [javac] HtmlDocument.java:25: package org.w3c.tidy does not exist
    [javac] import org.w3c.tidy.Tidy;
    [javac]                    ^
    [javac] HtmlDocument.java:60: cannot find symbol
    [javac] symbol  : class Tidy
    [javac] location: class org.apache.lucene.ant.HtmlDocument
    [javac]         Tidy tidy = new Tidy();
    [javac]         ^
    [javac] HtmlDocument.java:60: cannot find symbol
    [javac] symbol  : class Tidy
    [javac] location: class org.apache.lucene.ant.HtmlDocument
    [javac]         Tidy tidy = new Tidy();
    [javac]                         ^
    [javac] HtmlDocument.java:82: cannot find symbol
    [javac] symbol  : class Tidy
    [javac] location: class org.apache.lucene.ant.HtmlDocument
    [javac]         Tidy tidy = new Tidy();
    [javac]         ^
    [javac] HtmlDocument.java:82: cannot find symbol
    [javac] symbol  : class Tidy
    [javac] location: class org.apache.lucene.ant.HtmlDocument
    [javac]         Tidy tidy = new Tidy();
    [javac]                         ^
    [javac] HtmlDocument.java:99: cannot find symbol
    [javac] symbol  : class Tidy
    [javac] location: class org.apache.lucene.ant.HtmlDocument
    [javac]         Tidy tidy = new Tidy();
    [javac]         ^
[..]

Cheers,
Moritz
Bug#667601: Recompiling commons-beanutils in sid makes libcommons-digester-java FTBFS
Package: commons-beanutils
Version: 1.8.3-2
Severity: serious
Tags: patch

Similar story to 667000, 667011 and 667016 (caused by the new Maven helper): Recompiling commons-beanutils in sid makes libcommons-digester-java FTBFS. Patch attached.

Cheers,
Moritz

UCS Bug #26186
diff -aur commons-beanutils-1.8.3.orig/debian/libcommons-beanutils-java.poms commons-beanutils-1.8.3/debian/libcommons-beanutils-java.poms --- commons-beanutils-1.8.3.orig/debian/libcommons-beanutils-java.poms 2011-09-22 23:34:25.0 +0200 +++ commons-beanutils-1.8.3/debian/libcommons-beanutils-java.poms 2012-03-20 22:03:56.0 +0100 @@ -23,4 +23,5 @@ # --ignore-pom: don't install the POM with mh_install or mh_installpoms. To use with POM files that are created # temporarily for certain artifacts such as Javadoc jars. # -pom.xml --no-parent --has-package-version +pom.xml --no-parent --has-package-version --java-lib + Nur in commons-beanutils-1.8.3/debian: libcommons-beanutils-java.poms~.
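Review bot: the empty `+` line added right after `+pom.xml --no-parent --has-package-version --java-lib` looks accidental and should be dropped, so the hunk only adds the `--java-lib` option to the existing `pom.xml` entry. The trailing `Nur in commons-beanutils-1.8.3/debian: libcommons-beanutils-java.poms~.` line also shows an editor backup file was left in the tree when the diff was taken; delete it (or exclude `*~` when diffing) so it is not carried into the package.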
Bug#657870: Multiple issues in Struts
There was another report for a Struts security issue: CVE-2012-1592: http://seclists.org/bugtraq/2012/Mar/110

Can you please contact upstream to ask whether this needs to be fixed in our Struts 1.2?

Cheers,
Moritz
Bug#670901: Spring: Multiple security issues
Package: libspring-security-2.0-java
Severity: grave
Tags: security

Please see
http://www.securityfocus.com/archive/1/519593/30/0/threaded
http://www.springsource.com/security/cve-2011-2731
http://www.springsource.com/security/cve-2011-2732
http://www.springsource.com/security/cve-2011-2894

CVE-2011-2894 seems to affect libspring-java? If so, please clone or reassign as needed.

CVE-2011-2730 seems to affect libspring-2.5-java? If so, please clone or reassign as needed.

Cheers,
Moritz
Bug#267040: gcjwebplugin runs untrusted code without sandbox
On Sun, Sep 07, 2008 at 05:39:28PM +0100, Ben Hutchings wrote:
> gcjwebplugin is a Java plugin for web browsers. It does not include the security manager which is a crucial part of the sandboxing of Java applets. The maintainers have fixed this bug (#267040) merely by adding a warning prompt before running applets, which is well known to be an insufficient means of protecting users from malware. Please do not include it in lenny. (Unfortunately it is built from the classpath source package, so that will have to be modified to remove it.)

I had discussed this with Michael Koch some time ago; the version in Lenny implements a security manager, but it's not yet clear whether it's fully appropriate. We didn't reach a final conclusion, but I guess the warning is sufficient for Lenny.

Cheers,
Moritz

___
pkg-java-maintainers mailing list
pkg-java-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/pkg-java-maintainers
Bug#501059: jetty: Should likely not be shipped with Lenny
Package: jetty
Severity: serious

When browsing through open security issues in Lenny I noticed that several Jetty security fixes have been unfixed for quite some time (#454529), although upstream has posted a patch in July. Since it's only in contrib, outdated (current upstream releases are 6 and 7), fairly unmaintained (last upload a year ago, unfixed security issue) and with hardly any users (only three in popcon) we should probably remove it from Lenny. (It should be noted that due to Jetty being in contrib it's not covered by security support, so it doesn't impose additional security maintenance overhead if left in Lenny).

Cheers,
Moritz

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-1-686 (SMP w/1 CPU core)
Locale: LANG=C, [EMAIL PROTECTED] (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash
Bug#267040: gcjwebplugin runs untrusted code without sandbox
Moritz Muehlenhoff wrote:
> On Sun, Sep 07, 2008 at 05:39:28PM +0100, Ben Hutchings wrote:
>> gcjwebplugin is a Java plugin for web browsers. It does not include the security manager which is a crucial part of the sandboxing of Java applets. The maintainers have fixed this bug (#267040) merely by adding a warning prompt before running applets, which is well known to be an insufficient means of protecting users from malware. Please do not include it in lenny. (Unfortunately it is built from the classpath source package, so that will have to be modified to remove it.)
>
> I had discussed this with Michael Koch some time ago; the version in Lenny implements a security manager, but it's not yet clear whether it's fully appropriate. We didn't reach a final conclusion, but I guess the warning is sufficient for Lenny.

I haven't heard back from Michael and I believe we should err on the safe side and not lure users into a false sense of security. Since we now have icedtea-gcjwebplugin in Lenny, we have a web plugin based on OpenJDK and should drop the gcjwebplugin binary package from Lenny.

Cheers,
Moritz
Bug#503788: libcobra-java: java bytecode / java runtime version mismatch
On Tue, Oct 28, 2008 at 09:26:28AM +0100, Matthias Klose wrote:
> Package: libcobra-java
> Version: 0.98.2-1
> Severity: serious
> User: [EMAIL PROTECTED]
> Usertags: jbc-mismatch
>
> Note: this report may be a false positive, if all bytecode files have version 49 or less.

I've tested cobra-0.98.2.jar with your script and in fact it is version 50.

Cheers,
Moritz
Bug#503799: libhamcrest-java: java bytecode / java runtime version mismatch
On Tue, Oct 28, 2008 at 09:26:31AM +0100, Matthias Klose wrote:
> Package: libhamcrest-java
> Version: 1.1-1
> Severity: serious
> User: [EMAIL PROTECTED]
> Usertags: jbc-mismatch
>
> Note: this report may be a false positive, if all bytecode files have version 49 or less.

I've checked the included Jars; they're all version 50.

Cheers,
Moritz
Bug#674448: CVE-2012-2098
Package: libcommons-compress-java
Version: 1.2-1
Severity: grave
Tags: security

Please see https://commons.apache.org/compress/security.html

Fixed in 1.4.1. This doesn't warrant a DSA, but you could fix it through a point update for Squeeze 6.0.6.

Cheers,
Moritz
Bug#677194: CVE-2012-2672
Package: mojarra
Severity: grave
Tags: security

Please see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-2672

I'm not sure if Debian is affected, please verify.

Cheers,
Moritz
Bug#686867: jruby: CVE-2011-4838
Package: jruby
Severity: grave
Tags: security
Justification: user security hole

Hi,
jruby in Wheezy is still affected by
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4838
http://www.nruns.com/_downloads/advisory28122011.pdf

Since Wheezy already has 1.6.5, updating to 1.6.5.1 seems like a good idea?

Cheers,
Moritz
Bug#686867: jruby: CVE-2011-4838
On Thu, Sep 20, 2012 at 12:10:30PM -0700, tony mancill wrote:
> On 09/20/2012 07:05 AM, Hideki Yamane wrote:
>> It's my mistake that I used a static version for the symlink... sorry for the mess. And there was a bit of confusion about versioning, so I prepared a fix as below. If it seems to be okay, I'll upload to unstable.
>
> Hello Hideki,
>
> Thank you for the quick response. The 2nd patch you supplied looks good to me. Also, I determined that I can build the jruby package successfully against the nailgun package in wheezy, which I think might be preferable anyway since this is a security bug that is being targeted for wheezy (right?). The dependency on nailgun is a build-dep only, meaning that it doesn't appear in the jruby Depends, and jruby is an architecture any package.
>
> Moritz, for this bug with respect to wheezy, would you prefer that an updated package be uploaded to unstable + an unblock request, or would this be a case for targeting testing-security?

testing-security doesn't work currently (only testing-proposed-updates works), so getting this via unstable (urgency=medium) and an unblock request is the way to go forward.

Cheers,
Moritz
Bug#688298: jenkins: Multiple security issues
Package: jenkins
Severity: grave
Tags: security
Justification: user security hole

Please see http://www.cloudbees.com/jenkins-advisory/jenkins-security-advisory-2012-09-17.cb

CVE IDs have been assigned: http://seclists.org/oss-sec/2012/q3/521

Remember Debian is frozen, so please upload only minimal fixes and ask for a freeze exception by filing a bug against release.debian.org

Cheers,
Moritz
Bug#692439: tomcat6: CVE-2012-2733 CVE-2012-3439
Package: tomcat6
Severity: grave
Tags: security
Justification: user security hole

Please see http://tomcat.apache.org/security-6.html

Since Wheezy is frozen, please apply isolated security fixes and do not update to a new upstream release.

BTW, is it really necessary to have both tomcat6 and tomcat7 in Wheezy? Shouldn't tomcat6 be dropped in favour of tomcat7?

Cheers,
Moritz
Bug#692440: tomcat7: CVE-2012-2733 CVE-2012-3439
Package: tomcat7
Severity: grave
Tags: security
Justification: user security hole

Please see http://tomcat.apache.org/security-7.html

Since Wheezy is frozen, please apply isolated security fixes instead of updating to a new upstream release.

Cheers,
Moritz
Bug#692442: CVE-2012-5783: Insecure certificate validation
Package: commons-httpclient
Severity: important
Tags: security

Please see Section 7.5 of this paper: http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf

This has been assigned CVE-2012-5783.

I'm not sure if we can backport more correct certificate validation to 3.x, but independent of that it might make sense to introduce the 4.x codebase to the archive?

Cheers,
Moritz
Bug#692650: axis: CVE-2012-5784
Package: axis
Severity: grave
Tags: security
Justification: user security hole

CVE-2012-5784 has been assigned to Axis being affected by the issues described in this paper: http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf (See Section 8.1)

Cheers,
Moritz
Bug#694694: jruby: CVE-2012-5370
Package: jruby
Severity: grave
Tags: security
Justification: user security hole

Hi,
please see the Red Hat bug for details: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-5370

Cheers,
Moritz
Bug#695250: tomcat6: CVE-2012-4534 CVE-2012-4431 CVE-2012-3546
Package: tomcat6
Severity: grave
Tags: security
Justification: user security hole

More Tomcat security issues have been disclosed: http://tomcat.apache.org/security-6.html

The page contains links to the upstream fixes.

BTW, is there a specific reason why both tomcat6 and tomcat7 are present in Wheezy? This will duplicate all efforts for security updates in Wheezy.

Cheers,
Moritz
Bug#695251: tomcat7: CVE-2012-4431 CVE-2012-4534 CVE-2012-3546
Package: tomcat7
Severity: grave
Tags: security
Justification: user security hole

New security issues in Tomcat have been disclosed: http://tomcat.apache.org/security-7.html

The page contains links to upstream fixes.

Cheers,
Moritz
Bug#695250: tomcat6: CVE-2012-4534 CVE-2012-4431 CVE-2012-3546
On Thu, Dec 06, 2012 at 10:23:17PM -0800, tony mancill wrote:
> On 12/05/2012 11:43 PM, Moritz Muehlenhoff wrote:
>> Package: tomcat6
>> Severity: grave
>> Tags: security
>> Justification: user security hole
>>
>> More Tomcat security issues have been disclosed: http://tomcat.apache.org/security-6.html
>>
>> The page contains links to the upstream fixes.
>>
>> BTW, is there a specific reason why both tomcat6 and tomcat7 are present in Wheezy? This will duplicate all efforts for security updates in Wheezy.
>
> Hi Moritz,
>
> I have an updated package that includes the patches for these 3 CVEs and am doing some smoke-testing now. But before I upload, I have a question about what is permissible to include in the upload. I'd like to rename the patches that were included in the 6.0.35-5+nmu1 upload so they follow the same naming convention as the other patches in the package and include the origin patch header. (As you point out, after all, we'll be supporting this package for a long time to come.) Also, I'd like to quilt refresh the patches in the package, as they're getting a bit fuzzy. So, no substantive or real packaging changes, but the interdiff will be a bit larger. Is that okay, or should I upload with only the new patches for the CVEs applied?

Release managers are busy enough already, so please keep it as minimal as possible.

> Regarding tomcat6 and tomcat7, although they are certainly related, they implement different versions of the servlet and JSP specifications [1], and there are still a number of organizations running applications developed for/tested on tomcat6 in production. There is a migration guide for going from 6.x to 7.x that must be taken into consideration [2]. But specifically for Debian, there are still a number of packages in wheezy that depend explicitly on tomcat6 and/or libservlet2.5-java. According to popcon, tomcat6 is about 5x more popular than tomcat7, and libservlet2.5 is quite popular indeed [3,4].

Ok, but tomcat6 should be removed for jessie, then.

Cheers,
Moritz
Bug#707704: tomcat7: CVE-2013-2071
Package: tomcat7
Severity: important
Tags: security

Three security issues were reported in tomcat today: http://tomcat.apache.org/security-7.html

CVE-2013-2067 and CVE-2012-3544 were made public today, but already fixed in past releases. Hence, in comparison to stable/oldstable, sid is already fixed.

Note that CVE-2013-2067 and CVE-2012-3544 also affect tomcat6. tomcat6 should be removed now that wheezy is released.

Cheers,
Moritz
Bug#336453: eclipse-platform: feature.xml cannot be found
Package: eclipse-platform
Version: 3.1.1-3
Severity: normal

I can't install new extensions (features), I always get the error message

Error creating feature file://usr/lib/eclipse/features/org.eclipse.platform \
.source_3.1.1 [/usr/lib/eclipse/features/org.eclipse.platform.source_3.1.1/feature.xml (No such file or directory)

Cheers,
Moritz

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14-rc1
Locale: LANG=C, [EMAIL PROTECTED] (charmap=ISO-8859-15)

Versions of packages eclipse-platform depends on:
ii  eclipse-platform-common  3.1.1-3   Eclipse platform without plug-ins
ii  eclipse-rcp              3.1.1-3   Eclipse rich client platform
ii  libjsch-java             0.1.19-3  java secure channel
ii  liblucene-java           1.4.3-8   full-text search engine library fo
ii  liblucene-java-doc       1.4.3-8   demonstration programs and example
ii  libtomcat5-java          5.0.30-7  Java Servlet engine -- core librar

Versions of packages eclipse-platform recommends:
pn  eclipse-platform-gcj     <none>    (no description available)
ii  eclipse-sdk              3.1.1-3   Extensible Tool Platform and Java
ii  java-gcj-compat          1.0.41-2  Java runtime environment using GIJ

-- no debconf information
Bug#336453: eclipse-platform: feature.xml cannot be found
Stephan Michels wrote:
> On 10/30/05, Moritz Muehlenhoff [EMAIL PROTECTED] wrote:
>> Package: eclipse-platform
>> Version: 3.1.1-3
>> Severity: normal
>>
>> I can't install new extensions (features), I always get the error message
>>
>> Error creating feature file://usr/lib/eclipse/features/org.eclipse.platform \
>> .source_3.1.1 [/usr/lib/eclipse/features/org.eclipse.platform.source_3.1.1/feature.xml (No such file or directory)
>
> The file /usr/lib/eclipse/features/org.eclipse.platform.source_3.1.1/feature.xml should be installed by eclipse-platform-common package.

Which I have installed:

galadriel:~# dpkg --list | grep eclipse-platform-common
ii  eclipse-platform-common  3.1.1-3  Eclipse platform without plug-ins to develop any language (commo

> $ ls -la /usr/share/eclipse/features/org.eclipse.platform_3.1.1/feature.xml
> -rw-r--r-- 1 root root 9633 2005-10-30 11:12 /usr/share/eclipse/features/org.eclipse.platform_3.1.1/feature.xml
>
> Do you have the package eclipse-platform-common with the version 3.1.1-3 installed? Does the file exist?

Yes, it does:

galadriel:~# dpkg -L eclipse-platform-common | grep feature.xml
/usr/share/eclipse/features/org.eclipse.platform_3.1.1/feature.xml

But the error message above seems to indicate that feature.xml is searched for in the wrong path:
/usr/lib/eclipse/features/org.eclipse.platform.source_3.1.1/feature.xml

Cheers,
Moritz
Bug#340583: CVE-2005-3745: Cross-Site-Scripting vulnerability
Package: libstruts1.2-java
Severity: grave
Tags: security
Justification: user security hole

A Cross-Site-Scripting vulnerability has been found in the request handler for generating error messages. Please see
http://www.securityfocus.com/archive/1/archive/1/417296/30/0/threaded
for more details. It's been fixed upstream in 1.2.8.

This has been assigned CVE-2005-3745, please mention it in the changelog when fixing it.

Cheers,
Moritz

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14-2-686
Locale: LANG=C, [EMAIL PROTECTED] (charmap=ISO-8859-15)
Bug#340582: CVE-2005-3747: Incorrect input validation of HTTP requests
Package: jetty
Version: 5.1.5rc1-6
Severity: grave
Tags: security
Justification: user security hole

An input validation error when processing HTTP requests containing specially crafted characters can be exploited to display the source code of Java Server pages instead of an expected HTML response. Please see
http://www.frsirt.com/english/advisories/2005/2515
for details. It's fixed upstream in 5.1.6.

This has been assigned CVE-2005-3747, please mention it in the changelog when fixing it.

Cheers,
Moritz

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14-2-686
Locale: LANG=C, [EMAIL PROTECTED] (charmap=ISO-8859-15)
Bug#716937: openjpa: CVE-2013-1768
Package: openjpa
Severity: grave
Tags: security
Justification: user security hole

Please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1768

Cheers,
Moritz
Bug#717031: libjgroups-java: CVE-2013-4112
Package: libjgroups-java
Severity: grave
Tags: security
Justification: user security hole

Please see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4112
Bug#720902: libspring-java: CVE-2013-4152
Package: libspring-java
Severity: grave
Tags: security
Justification: user security hole

Please see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4152 for details.

Cheers,
Moritz
Bug#722290: Please migrate from ffmpeg to libav-tools
Package: jsymphonic
Severity: normal
User: pkg-multimedia-maintain...@lists.alioth.debian.org
Usertags: ffmpeg-removal

The ffmpeg binary package is no longer provided from libav. Please port your package to the avconv tools from libav-tools.

Cheers,
Moritz

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.10-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Bug#726601: libcommons-fileupload-java: CVE-2013-218
Package: libcommons-fileupload-java
Severity: grave
Tags: security
Justification: user security hole

Red Hat fixed a security issue in Commons FileUpload:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2186

Cheers,
Moritz
Bug#730457: jenkins: CVE-2013-6372 CVE-2013-6373 CVE-2013-6374
Package: jenkins
Severity: grave
Tags: security
Justification: user security hole

Please see https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-11-20 for references and patches.

Cheers,
Moritz
Bug#731113: lucene-solr: CVE-2013-6397 CVE-2013-6407 CVE-2013-6408
Package: lucene-solr
Severity: grave
Tags: security
Justification: user security hole

CVE-2013-6397: https://issues.apache.org/jira/browse/SOLR-4882
CVE-2013-6407: https://issues.apache.org/jira/browse/SOLR-3895
CVE-2013-6408: https://issues.apache.org/jira/browse/SOLR-4881

Cheers,
Moritz
Bug#731113: lucene-solr: CVE-2013-6397 CVE-2013-6407 CVE-2013-6408
On Mon, Dec 02, 2013 at 09:56:04AM +0100, Moritz Muehlenhoff wrote:
> CVE-2013-6407: https://issues.apache.org/jira/browse/SOLR-3895

An additional CVE ID has been assigned to this issue: CVE-2012-6612

Cheers,
Moritz
Bug#732708: jenkins: CVE-2013-5573
Package: jenkins
Severity: important
Tags: security

Please see http://seclists.org/fulldisclosure/2013/Dec/159
Bug#733938: libxml-security-java: CVE-2013-4517
Package: libxml-security-java
Severity: grave
Tags: security
Justification: user security hole

Please see http://santuario.apache.org/secadv.data/cve-2013-4517.txt.asc

Please prepare updated oldstable-security/stable-security packages for this issue and CVE-2013-2172 (as fixed in 1.5.5-2) and contact t...@security.debian.org
http://www.debian.org/doc/manuals/developers-reference/pkgs.html#bug-security

Cheers,
Moritz
Bug#735420: libspring-java: CVE-2013-6429 CVE-2013-6430
Package: libspring-java
Severity: grave
Tags: security
Justification: user security hole

Please see
http://www.gopivotal.com/security/cve-2013-6429
http://www.gopivotal.com/security/cve-2013-6430

Cheers,
Moritz
Bug#736426: freehep-graphicsio-svg: Recompilation of the package breaks other packages
Package: freehep-graphicsio-svg
Version: 2.1.1-3
Severity: serious

I ran into the following bug with stable, but the version is the same as in unstable:

If I compile geogebra with the binary deb package as shipped in stable it compiles fine. However, if I rebuild freehep-graphicsio-svg in stable, the geogebra build breaks with the following error:

-
src/geogebra/export/SVGExtensions.java:16: package org.freehep.graphicsio.svg does not exist
public class SVGExtensions extends org.freehep.graphicsio.svg.SVGGraphics2D {
  ^
src/geogebra/export/GraphicExportDialog.java:59: package org.freehep.graphicsio.svg does not exist
import org.freehep.graphicsio.svg.SVGGraphics2D;
  ^
src/geogebra/export/SVGExtensions.java:23: cannot find symbol
symbol  : variable os
location: class geogebra.export.SVGExtensions
os.println(g id=\ + s + \);
  ^
src/geogebra/export/SVGExtensions.java:27: cannot find symbol
symbol  : variable os
location: class geogebra.export.SVGExtensions
os.println(/g!-- + s + --);
  ^
src/geogebra/export/GraphicExportDialog.java:708: cannot find symbol
symbol  : variable SVGGraphics2D
location: class geogebra.export.GraphicExportDialog
final UserProperties props = (UserProperties) SVGGraphics2D
  ^
src/geogebra/export/GraphicExportDialog.java:710: cannot find symbol
symbol  : variable SVGGraphics2D
location: class geogebra.export.GraphicExportDialog
props.setProperty(SVGGraphics2D.EMBED_FONTS, !textAsShapes);
  ^
src/geogebra/export/GraphicExportDialog.java:711: cannot find symbol
symbol  : variable SVGGraphics2D
location: class geogebra.export.GraphicExportDialog
props.setProperty(SVGGraphics2D.TEXT_AS_SHAPES, textAsShapes);
  ^
src/geogebra/export/GraphicExportDialog.java:712: cannot find symbol
symbol  : variable SVGGraphics2D
location: class geogebra.export.GraphicExportDialog
SVGGraphics2D.setDefaultProperties(props);
  ^
src/geogebra/export/GraphicExportDialog.java:724: cannot find symbol
symbol  : method startExport()
location: class geogebra.export.SVGExtensions
g.startExport();
  ^
src/geogebra/export/GraphicExportDialog.java:725: cannot find symbol
symbol  : method exportPaintPre(geogebra.export.SVGExtensions,double)
location: class geogebra.euclidian.EuclidianView
ev.exportPaintPre(g, exportScale);
  ^
src/geogebra/export/GraphicExportDialog.java:728: drawObjectsPre(java.awt.Graphics2D) in geogebra.euclidian.EuclidianView cannot be applied to (geogebra.export.SVGExtensions)
ev.drawObjectsPre(g);
  ^
src/geogebra/export/GraphicExportDialog.java:738: drawAll(java.awt.Graphics2D) in geogebra.euclidian.DrawableList cannot be applied to (geogebra.export.SVGExtensions)
ev.drawLayers[layer].drawAll(g);
  ^
src/geogebra/export/GraphicExportDialog.java:742: cannot find symbol
symbol  : method endExport()
location: class geogebra.export.SVGExtensions
g.endExport();
  ^
src/geogebra/gui/util/BrowserLauncher.java:36: warning: non-varargs call of varargs method with inexact argument type for last parameter;
cast to java.lang.Class for a varargs call
cast to java.lang.Class[] for a non-varargs call and to suppress this warning
Method getDesktop = desktopClass.getDeclaredMethod(getDesktop, null);
  ^
src/geogebra/gui/util/BrowserLauncher.java:38: warning: non-varargs call of varargs method with inexact argument type for last parameter;
cast to java.lang.Object for a varargs call
cast to java.lang.Object[] for a non-varargs call and to suppress this warning
Object desktopObj = getDesktop.invoke(null, null);
  ^
Note: Some input files use or override a deprecated API.
Note: Recompile with -Xlint:deprecation for details.
Note: Some input fi
-

The rebuilt package misses a symlink. The binary package currently shipped with stable contains this:

/.
/usr
/usr/share
/usr/share/doc
/usr/share/doc/libfreehep-graphicsio-svg-java
/usr/share/doc/libfreehep-graphicsio-svg-java/changelog.Debian.gz
/usr/share/doc/libfreehep-graphicsio-svg-java/copyright
/usr/share/maven-repo
/usr/share/maven-repo/org
/usr/share/maven-repo/org/freehep
/usr/share/maven-repo/org/freehep/freehep-graphicsio-svg
/usr/share/maven-repo/org/freehep/freehep-graphicsio-svg/debian
Re: freehep-graphicsio-svg: Recompilation of the package breaks other packages
On Thu, Jan 23, 2014 at 04:13:19PM +0100, Moritz Muehlenhoff wrote:
> [...]
Re: freehep-graphicsio-svg: Recompilation of the package breaks other packages
On Fri, Jan 24, 2014 at 10:49:06AM +0100, Moritz Muehlenhoff wrote:
> I did some digging in the reverse deps and found the following bug:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=688043
>
> In fact, adding that patch to the version of maven-debian-helper in Wheezy and rebuilding the source packages mentioned above fixes the geogebra build.
>
> I'm adding the Debian Java maintainers to CC, what's the proper fix forward here, should the patch from #688043 be shipped in a point release or are the freehep packages buggy and require other fixes?

This bug also applies to geronimo-jta-1.1-spec. Rebuilding it in stable leads to a broken package which e.g. results in additional build failures of libhibernate-jbosscache-java. Also reported independently as
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=708405

Rebuilding geronimo-jta-1.1-spec with the maven-debian-helper patch above fixes that as well.

Cheers,
Moritz
Bug#736426: freehep-graphicsio-svg: Recompilation of the package breaks other packages
On Tue, Jan 28, 2014 at 07:45:41AM +0100, Moritz Muehlenhoff wrote:
> On Fri, Jan 24, 2014 at 10:49:06AM +0100, Moritz Muehlenhoff wrote:
>> I did some digging in the reverse deps and found the following bug:
>> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=688043
>>
>> In fact, adding that patch to the version of maven-debian-helper in Wheezy and rebuilding the source packages mentioned above fixes the geogebra build.
>>
>> I'm adding the Debian Java maintainers to CC, what's the proper fix forward here, should the patch from #688043 be shipped in a point release or are the freehep packages buggy and require other fixes?
>
> This bug also applies to geronimo-jta-1.1-spec. Rebuilding it in stable leads to a broken package which e.g. results in additional build failures of libhibernate-jbosscache-java. Also reported independently as
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=708405
>
> Rebuilding geronimo-jta-1.1-spec with the maven-debian-helper patch above fixes that as well.

doxia-sitetools is also affected by the same bug.

Cheers,
Moritz
Bug#740586: mojarra: CVE-2013-5855
Package: mojarra
Severity: grave
Tags: security
Justification: user security hole

Hi,
this was assigned CVE-2013-5855:
https://java.net/jira/browse/JAVASERVERFACES-3150

Fix: https://java.net/projects/mojarra/sources/svn/revision/12793

Cheers,
Moritz
Bug#741604: libspring-java: Multiple security issues
Package: libspring-java
Severity: grave
Tags: security
Justification: user security hole

http://www.gopivotal.com/security/cve-2014-0054
http://www.gopivotal.com/security/cve-2014-1904

I'm not sure whether these are worth a DSA?

Cheers,
Moritz
Bug#753470: libspring-java: CVE-2014-0225
Package: libspring-java
Severity: grave
Tags: security
Justification: user security hole

Hi,
please see http://www.gopivotal.com/security/cve-2014-0225

Cheers,
Moritz
Bug#758516: Struts 1.2 should not be shipped with jessie
Package: libstruts1.2-java
Severity: serious

Struts 1.x is EOLed upstream, it should not be included in jessie:
http://mail-archives.apache.org/mod_mbox/struts-announcements/201404.mbox/%3C535F5F52.4040108%40apache.org%3E

Cheers,
Moritz
Bug#759470: libopensaml2-java: CVE-2014-3603
Package: libopensaml2-java
Severity: grave
Tags: security
Justification: user security hole

Please see http://shibboleth.net/community/advisories/secadv_20140813.txt

Cheers,
Moritz
Bug#759526: not-yet-commons-ssl: CVE-2014-3604
Package: not-yet-commons-ssl
Severity: grave
Tags: security
Justification: user security hole

This was assigned CVE-2014-3604:
http://lists.juliusdavies.ca/pipermail/not-yet-commons-ssl-juliusdavies.ca/2014-August/000832.html

Cheers,
Moritz
Bug#758516: Struts 1.2 should not be shipped with jessie
On Tue, Sep 16, 2014 at 12:12:03AM +0200, Emmanuel Bourg wrote:
> On 15/09/2014 23:56, Moritz Mühlenhoff wrote:
>> Then it should be easy to remove?
>
> Actually it's easier to keep it, since a removal induces more work to update the reverse dependencies.
>
>> Well, but if we keep old, unsupported libs around, people might be exposed by running code not shipped in Debian, but using these libraries.
>
> Sure but we are not responsible for such things. This library can be downloaded from other places like Maven Central, removing it won't change anything.

That's not how we handle this in Debian: If a library is shipped in Debian, it is fully supported to be used by local libs. Anything in /usr/local or installed through Maven is of course the responsibility of the user.

So we should go ahead with the removal of struts 1.2 by filing RC bugs against the packages using it.

Cheers,
Moritz
Bug#763608: CVE-2014-3607
Source: libvt-ldap-java
Severity: grave
Tags: security

This has been assigned CVE-2014-3607:
https://code.google.com/p/vt-middleware/issues/detail?id=226
http://shibboleth.net/community/advisories/secadv_20140919.txt

Cheers,
Moritz
Bug#760733: libspring-java: CVE-2014-0225
On Wed, Nov 26, 2014 at 12:40:37PM +0100, Emmanuel Bourg wrote:
> I've been investigating this issue as well. I contacted an upstream developer and it seems the actual fix for this issue is unknown. The version 3.2.0 was just reported as not vulnerable by the security researcher who discovered this issue.
>
> I can prepare an upgrade to the latest 3.2.x version but this will at least require libhibernate-validator-java to be unblocked as well.

I didn't look into the specific issue, but Red Hat Bugzilla has references to isolated patches?
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0225

Cheers,
Moritz
Bug#773364: async-http-client: CVE-2013-7397 CVE-2013-7398
Package: async-http-client
Severity: important
Tags: security

Hi,
please see

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-7397 :
https://github.com/AsyncHttpClient/async-http-client/issues/352

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-7398 :
https://github.com/AsyncHttpClient/async-http-client/issues/197
https://github.com/wsargent/async-http-client/commit/db6716ad2f10f5c2d5124904725017b2ba8c3434

It would be nice if we could address CVE-2013-7398 for jessie.

Cheers,
Moritz
Bug#773364: async-http-client: CVE-2013-7397 CVE-2013-7398
On Wed, Dec 17, 2014 at 06:08:00PM +0100, Emmanuel Bourg wrote:
> Hi Moritz,
>
> Thank you for the report
>
> On 17/12/2014 15:43, Moritz Muehlenhoff wrote:
>> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-7397 :
>> https://github.com/AsyncHttpClient/async-http-client/issues/352
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-7398 :
>> https://github.com/AsyncHttpClient/async-http-client/issues/197
>> https://github.com/wsargent/async-http-client/commit/db6716ad2f10f5c2d5124904725017b2ba8c3434
>
> It seems the version 1.6.5 in wheezy/jessie/unstable is not affected by CVE-2013-7398. The class AllowAllHostnameVerifier doesn't exist, in this version the user of the API has to provide its own HostnameVerifier.
>
> I confirm the version 1.6.5 is affected by CVE-2013-7397.

Thanks. I've updated the security tracker.

Cheers,
Moritz
Bug#774050: CVE-2014-9390
Source: jgit
Severity: important
Tags: security

jgit is also affected by the recent git vulnerability:
http://openwall.com/lists/oss-security/2014/12/18/21

Cheers,
Moritz
Bug#777196: activemq: CVE-2014-8110 CVE-2014-3612 CVE-2014-3600
Package: activemq
Severity: important
Tags: security

Hi,
please see

http://activemq.apache.org/security-advisories.data/CVE-2014-8110-announcement.txt
(but the admin console isn't enabled, so this should be moot? (702670))

http://activemq.apache.org/security-advisories.data/CVE-2014-3612-announcement.txt

http://activemq.apache.org/security-advisories.data/CVE-2014-3600-announcement.txt

Cheers,
Moritz
Bug#777196: activemq: CVE-2014-8110 CVE-2014-3612 CVE-2014-3600
On Fri, Feb 06, 2015 at 01:56:35PM +0100, Emmanuel Bourg wrote:
> For CVE-2014-3600:
> https://github.com/apache/activemq/commit/b9696ac8
> https://issues.apache.org/jira/browse/AMQ-5333

Could you please upload a fixed package for CVE-2014-3612 and CVE-2014-3600?

Cheers,
Moritz
Bug#775171: libapache-poi-java: CVE-2014-9527
Package: libapache-poi-java
Severity: important
Tags: security
Justification: user security hole

This was assigned CVE-2014-9527:
https://issues.apache.org/bugzilla/show_bug.cgi?id=57272

Could you please make a targeted fix for jessie?

Cheers,
Moritz
Bug#777741: wss4j: CVE-2015-0226 CVE-2015-0227
Package: wss4j
Severity: grave
Tags: security
Justification: user security hole

Hi,
please see
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-0226
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-0227

Cheers,
Moritz
Bug#780102: libjbcrypt-java: CVE-2015-0886
Package: libjbcrypt-java
Severity: grave
Tags: security
Justification: user security hole

Hi,
please see
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0886
http://www.mindrot.org/projects/jBCrypt/news/rel04.html
https://bugzilla.mindrot.org/show_bug.cgi?id=2097

Cheers,
Moritz
Bug#781223: jenkins: Multiple security issues
Package: jenkins
Severity: grave
Tags: security
Justification: user security hole

Hi,
please see https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-03-23:

SECURITY-171 is CVE-2015-1812
SECURITY-177 is CVE-2015-1813
SECURITY-180 is CVE-2015-1814

and https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-02-27:

SECURITY-125 is CVE-2015-1806
SECURITY-162 is CVE-2015-1807
SECURITY-163 is CVE-2015-1808
SECURITY-165 is CVE-2015-1809
SECURITY-166 is CVE-2015-1810
SECURITY-167 is CVE-2015-1811

Cheers,
Moritz
Bug#758086: CVE-2012-6153: Apache HttpComponents client: Hostname verification susceptible to MITM attack
On Mon, Dec 29, 2014 at 10:25:24PM +0100, Moritz Mühlenhoff wrote:
> On Mon, Sep 22, 2014 at 03:56:00PM +0200, Raphael Hertzog wrote:
>> Hi,
>>
>> On Mon, 18 Aug 2014, Salvatore Bonaccorso wrote:
>>> On Thu, Aug 14, 2014 at 11:43:32PM +0200, Emmanuel Bourg wrote:
>>>> Is there an example available somewhere of a subject improperly parsed by commons-httpclient/3.1-10.2? This would help backporting the fix to this version.
>>>
>>> I think this is already fixed in 3.1-10.2, see the Red Hat bug as reference and see https://bugs.debian.org/692442#56 and following mails.
>>
>> I don't understand this from those mails. On the contrary, RedHat did update their packages with a new patch on top of the former patch:
>> https://git.centos.org/blob/rpms!jakarta-commons-httpclient/5acb7f7b3e637c3a6d072e3f037a3c4abb6c48af/SOURCES!jakarta-commons-httpclient-CVE-2014-3577.patch
>>
>> And the Debian package still has the old version of getCN().
>
> What's the status? Can we get that fixed for jessie?

*ping*, the release is getting closer.

Cheers,
Moritz
Bug#779621: jakarta-taglibs-standard: CVE-2015-0254
Package: jakarta-taglibs-standard
Severity: important
Tags: security

Please see http://www.securityfocus.com/archive/1/534772

Cheers,
Moritz
Bug#762690: libhibernate-validator-java: affected by CVE-2014-3558
severity 762690 important
thx

On Sun, Nov 02, 2014 at 11:38:30PM +0100, Emmanuel Bourg wrote:
> libhibernate-validator-java is only used as a build dependency of libhibernate3-java. No package depends on it at runtime, so the risk of being affected by this vulnerability is rather low, if not zero.
>
> I'm downgrading the severity to normal. No need to treat it as an RC security bug.

Cheers,
Moritz
Bug#787316: CVE-2015-1833
Source: jackrabbit
Severity: grave
Tags: security

Hi,
please see https://issues.apache.org/jira/browse/JCR-3883

Cheers,
Moritz
Bug#796137: CVE-2015-3192
Source: libspring-java
Severity: important
Tags: security

Please see https://pivotal.io/security/cve-2015-3192

Cheers,
Moritz
Bug#780383: libopensaml2-java: CVE-2015-1796
On Sat, May 09, 2015 at 08:35:13AM -0700, tony mancill wrote:
> On 05/06/2015 10:54 PM, tony mancill wrote:
>> An update on this...
>>
>> I'm in the midst of packaging 2.6.5, but it in turn requires an update to libxmltooling-java to version 1.4.4, which I am working on now.
>>
>> In an email exchange with Scott Cantor, who works on this family of libraries upstream, he stated that the v2 libraries will be EOL this summer, and that he would advise not to ship them in a release unless Debian will maintain them.
>>
>> Based upon that information, the low popcon, and the fact that this cluster of packages appears to be leaf packages (I can't find r-deps for them):
>>
>> libopenws-java
>> libshib-common-java
>> libopensaml2-java
>> libshib-parent-project2-java
>>
>> I'm not going to take action to prevent the automated removal from testing and am considering requesting that the packages be removed from the archive. If people are using these libraries and can make a case for them being available in Debian, please speak up.

Since no one objected and since they've already been dropped from testing for three weeks now, I'll also request removal from unstable now.

Cheers,
Moritz
Bug#793911: groovy should not release with stretch
Package: groovy
Severity: serious

A separate source package groovy2 was uploaded, so reverse dependencies need to be migrated to that one and groovy removed.

Cheers,
Moritz