subject:"Bug#1068695\: bookworm\-pu\: package json\-smart\/2.2\-2\+deb12u1"

Bug#1068695: bookworm-pu: package json-smart/2.2-2+deb12u1

2024-05-10 Thread Jonathan Wiltshire

Control: tag -1 confirmed


Please go ahead.

Thanks,

-- 
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1

Bug#1068695: bookworm-pu: package json-smart/2.2-2+deb12u1

2024-04-09 Thread Andreas Beckmann

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: Bastien Roucariès 
Control: affects -1 + src:json-smart
Control: block 1039985 with -1
Control: block 1033474 with -1

[ Reason ]
Two CVEs were fixed in buster-lts, but not yet in bullseye or later,
causing version skew on upgrades:

 json-smart | 2.2-1 | stretch | source
 json-smart | 2.2-2 | buster  | source
 json-smart | 2.2-2 | bullseye| source
 json-smart | 2.2-2 | bookworm| source
 json-smart | 2.2-2 | trixie  | source
 json-smart | 2.2-2 | sid | source
 json-smart | 2.2-2+deb10u1 | buster-security | source

[ Impact ]
Unfixed CVEs.
Versions going backward and confusing QA tools.

[ Tests ]
Build-time testsuite contains a new test.

[ Risks ]
Fixed version in buster-lts for one year already.

[ Checklist ]
  [*] *all* changes are documented in the d/changelog
  [*] I reviewed all changes and I approve them
  [*] attach debdiff against the package in (old)stable
  [ ] the issue is verified as fixed in unstable
  NMU in DELAYED

[ Changes ]
 debian/changelog   |  33 +
 debian/control |   4 +-
 .../patches/0004-CVE-2021-31684-Fix-indexOf.patch  |  27 
 ...70-stack-overflow-due-to-excessive-recurs.patch | 156 +
 debian/patches/01-bundle-dependencies.patch|  15 +-
 debian/patches/02-ignore-failing-tests.patch   |  16 ++-
 debian/patches/series  |   2 +
 7 files changed, 244 insertions(+), 9 deletions(-)

json-smart (2.2-2+deb12u1) bookworm; urgency=medium

  * Non-maintainer upload.
  * Rebuild for bookworm.  (Closes: #1039985)

 -- Andreas Beckmann   Tue, 09 Apr 2024 10:01:36 +0200

json-smart (2.2-2+deb11u1) bullseye; urgency=medium

  * Non-maintainer upload.
  * Update Vcs-* URLs to point to salsa.debian.org.
  * Rebuild for bullseye.  (Closes: #1039985)

 -- Andreas Beckmann   Tue, 09 Apr 2024 09:36:58 +0200

json-smart (2.2-2+deb10u1) buster-security; urgency=high

  * Non-maintainer upload by the LTS team.
  * CVE-2023-1370: stack overflow due to excessive recursion
When reaching a ‘[‘ or ‘{‘ character in the JSON input, the code
parses an array or an object respectively. It was discovered that the
code does not have any limit to the nesting of such arrays or
objects. Since the parsing of nested arrays and objects is done
recursively, nesting too many of them can cause a stack exhaustion
(stack overflow) and crash the software. (Closes: #1033474)
  * CVE-2021-31684: Fix indexOf
A vulnerability was discovered in the indexOf function of
JSONParserByteArray in JSON Smart versions 1.3 and 2.4
which causes a denial of service (DOS)
via a crafted web request.

 -- Bastien Roucariès   Wed, 29 Mar 2023 22:21:33 +

[ Other info ]
n/a


Andreas
diff --git a/debian/changelog b/debian/changelog
index 70116d2..877457c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,36 @@
+json-smart (2.2-2+deb12u1) bookworm; urgency=medium
+
+  * Non-maintainer upload.
+  * Rebuild for bookworm.  (Closes: #1039985)
+
+ -- Andreas Beckmann   Tue, 09 Apr 2024 10:01:36 +0200
+
+json-smart (2.2-2+deb11u1) bullseye; urgency=medium
+
+  * Non-maintainer upload.
+  * Update Vcs-* URLs to point to salsa.debian.org.
+  * Rebuild for bullseye.  (Closes: #1039985)
+
+ -- Andreas Beckmann   Tue, 09 Apr 2024 09:36:58 +0200
+
+json-smart (2.2-2+deb10u1) buster-security; urgency=high
+
+  * Non-maintainer upload by the LTS team.
+  * CVE-2023-1370: stack overflow due to excessive recursion
+When reaching a ‘[‘ or ‘{‘ character in the JSON input, the code
+parses an array or an object respectively. It was discovered that the
+code does not have any limit to the nesting of such arrays or
+objects. Since the parsing of nested arrays and objects is done
+recursively, nesting too many of them can cause a stack exhaustion
+(stack overflow) and crash the software. (Closes: #1033474)
+  * CVE-2021-31684: Fix indexOf
+A vulnerability was discovered in the indexOf function of
+JSONParserByteArray in JSON Smart versions 1.3 and 2.4
+which causes a denial of service (DOS)
+via a crafted web request.
+
+ -- Bastien Roucariès   Wed, 29 Mar 2023 22:21:33 +
+
 json-smart (2.2-2) unstable; urgency=medium
 
   * Team upload.
diff --git a/debian/control b/debian/control
index 6488a01..deb7c40 100644
--- a/debian/control
+++ b/debian/control
@@ -6,8 +6,8 @@ Uploaders: Emmanuel Bourg 
 Build-Depends: debhelper (>= 10), default-jdk, maven-debian-helper (>= 1.5)
 Build-Depends-Indep: libmaven-bundle-plugin-java, junit
 Standards-Version: 4.1.1
-Vcs-Git: https://anonscm.debian.org/git/pkg-java/json-smart.git
-Vcs-Browser: https://anonscm.debian.org/cgit/pkg-java/json-smart.git
+Vcs-Browser:

Bug#1068695: bookworm-pu: package json-smart/2.2-2+deb12u1

Bug#1068695: bookworm-pu: package json-smart/2.2-2+deb12u1

2 matches

Site Navigation

Mail list logo

Footer information