Re: Bug#1057343: Processed: Re: Bug#1057315: tiles: CVE-2023-49735

2023-12-04 Thread Moritz Muehlenhoff
On Mon, Dec 04, 2023 at 09:13:41AM +, Holger Levsen wrote:
> Hi Salvatore,
> 
> thanks for your continuous work on Debian security!
> 
> On Sun, Dec 03, 2023 at 08:03:05PM +, Debian Bug Tracking System wrote:
> > > clone -1 -2 -3
> > Bug #1057315 [src:tiles] tiles: CVE-2023-49735
> > Bug 1057315 cloned as bugs 1057342-1057343
> > > retitle -2 tiles: Add README.Debian.security to document support status
> > > reassign -3 src:debian-security-support
> > > retitle -3 Mark tiles as only supported for building applications shipped in Debian
>  
> ack & this starts when? with 3.0.7-4 in buster? or 20231204? or?

The note to EOL libspring-java is only in Bookworm, so this is only needed for
Bookworm as well.

For Buster Spring is marked as EOLed, so it should probably just use the same,
I'll let someone from Debian LTS chime in.

Cheers,
Moritz

__
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use debian-j...@lists.debian.org for discussions and questions.


Bug#1057315: tiles: CVE-2023-49735

2023-12-03 Thread Moritz Muehlenhoff
Salvatore Bonaccorso wrote:
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> The project is dead-upstream TTBOMK, so not sure if/what we can do at
> all for this issue. Removal seems not possible as per:
> 
> carnil@respighi:~$ dak rm --suite=unstable -n -R tiles
> Will remove the following packages from unstable:
> 
> libtiles-java |3.0.7-5 | all
> libtiles-java-doc |3.0.7-5 | all
>  tiles |3.0.7-5 | source
> 
> Maintainer: Debian Java Maintainers 
> 
> 
> --- Reason ---
> 
> --
> 
> Checking reverse dependencies...
> # Broken Build-Depends:
> libspring-java: libtiles-java (>= 3.0)
> 
> Dependency problem found.
> 
> carnil@respighi:~$
> 
> But maybe we can set it as "no-dsa", is it only used as build
> dependency for libspring-java and not sensible outside?

Spring is already marked as unsupported, so we can simply extend that.

Cheers,
Moritz



Bug#1041498: bookworm-pu: package testng7/7.5-2~deb12u1

2023-07-19 Thread Moritz Muehlenhoff
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: test...@packages.debian.org, d...@debian.org, 
vladimir.pe...@canonical.com
Control: affects -1 + src:testng7

We need to introduce a backport of testng7 in the version found in trixie
to bookworm (and TBD, also for bullseye).

It's needed for the latest versions of openjdk-17 LTS (as part of the
test suite).

The debdiff below is against the version of testng7 in trixie
(since the package is new in bookworm).

Cheers,
Moritz

diff -Nru testng7-7.5/debian/changelog testng7-7.5/debian/changelog
--- testng7-7.5/debian/changelog2023-06-15 20:21:39.0 +0200
+++ testng7-7.5/debian/changelog2023-07-19 21:03:12.0 +0200
@@ -1,3 +1,9 @@
+testng7 (7.5-2~deb12u1) bookworm; urgency=medium
+
+  * Build for Bookworm, needed by latest OpenJDK 17 LTS releases
+
+ -- Moritz Mühlenhoff   Wed, 19 Jul 2023 21:03:12 +0200
+
 testng7 (7.5-2) unstable; urgency=medium
 
   * Source-only upload.
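Review bot: the new stanza's only line, `* Build for Bookworm, needed by latest OpenJDK 17 LTS releases`, does not say which openjdk-17 version picks up the build-dependency, and the cover mail says the same backport is still TBD for bullseye; naming that openjdk-17 version (and the bug tracking it, if one exists) in the changelog would let the release team verify the need without the mail and lets a later bullseye stanza (`~deb11u1`, as in the asmtools upload on this page) reuse the same wording. The `7.5-2~deb12u1` version itself sorts below the trixie `7.5-2`, so upgrades stay clean.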


Bug#1041397: bookworm-pu: package asmtools/7.0-b09-2~deb11u1

2023-07-18 Thread Moritz Muehlenhoff
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: asmto...@packages.debian.org, ebo...@apache.org
Control: affects -1 + src:asmtools

We need to introduce a backport of asmtools in the version found in bookworm
to bullseye. It's needed for the latest versions of openjdk-11 LTS (as part
of the test suite).

The debdiff below is against the version of asmtools in bookworm
(since the package is new in bullseye).

Cheers,
Moritz

diff -Nru asmtools-7.0-b09/debian/changelog asmtools-7.0-b09/debian/changelog
--- asmtools-7.0-b09/debian/changelog   2023-02-06 21:22:12.0 +0100
+++ asmtools-7.0-b09/debian/changelog   2023-07-16 15:58:23.0 +0200
@@ -1,3 +1,9 @@
+asmtools (7.0-b09-2~deb11u1) bullseye; urgency=medium
+
+  * Rebuild for Bullseye, needed for latest openjdk-11
+
+ -- Moritz Mühlenhoff   Sun, 16 Jul 2023 15:58:23 +0200
+
 asmtools (7.0-b09-2) unstable; urgency=medium
 
   * Source only upload
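Review bot: the stanza targets `bullseye` with version `7.0-b09-2~deb11u1`, yet the bug is filed as `bookworm-pu` with `Tags: bookworm` (subject and pseudo-header above); a bullseye update is tracked as bullseye-pu with `Tags: bullseye`, so either the bug metadata or the target suite in the stanza needs correcting, otherwise the request lands in the wrong release-team queue. The line `* Rebuild for Bullseye, needed for latest openjdk-11` would also be easier to verify if it named the openjdk-11 version whose test suite requires asmtools.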


Bug#1034824: tomcat9 should not be released with Bookworm

2023-05-26 Thread Moritz Muehlenhoff
On Fri, May 26, 2023 at 12:10:18AM +0200, Markus Koschany wrote:
> First of all trapperkeeper-webserver-jetty9-clojure should add a build-
> dependency on logback to detect such regressions in advance.
> 
> #1036250 is mainly a logback problem, not a tomcat problem. I still would like
> to hear Emmanuel's opinion. We still could revert to libtomcat9-java, if we
> don't find a solution though.
> 
> The tomcatjss / dogtag-pki situation is simple too. If there is no way to make
> the application work with Tomcat 10, then there are three options:
> 
> 1. Embed Tomcat 9 in your application by creating a standalone jar
> 
> 2. Continue to use the current Tomcat 9 package as is but make sure that nobody
> else than dogtag-pki uses it. (Package descriptions should be adjusted, and the
> binary tomcat9 package should be probably removed too) Nobody should think that
> we support two major Tomcat versions.
> 
> In any case the dogtag-pki maintainers must commit to at least three years of
> security support, web application + Tomcat 9. Otherwise this is pointless.
> 
> 3. Remove dogtag-pki and tomcatjss from testing and prepare backports as soon
> as dogtag-pki and Co support Tomcat 10.

Can't we just do the pragmatic fix of updating src:tomcat9 to only ship
libtomcat9-java and libtomcat9-embed-java? The maintenance burden for
security updates lies within the server stack, the percentage of issues
affecting the libtomcat9-java binary packages as used by rdeps will be small
to none?

Cheers,
Moritz



Bug#1031733: libcommons-fileupload-java: CVE-2023-24998

2023-02-22 Thread Moritz Muehlenhoff
On Tue, Feb 21, 2023 at 09:48:35PM -0800, tony mancill wrote:
> On Tue, Feb 21, 2023 at 04:10:16PM +0100, Moritz Mühlenhoff wrote:
> > Source: libcommons-fileupload-java
> > X-Debbugs-CC: t...@security.debian.org
> > Severity: important
> > Tags: security
> > 
> > Hi,
> > 
> > The following vulnerability was published for libcommons-fileupload-java.
> > 
> > CVE-2023-24998[0]:
> > | Apache Commons FileUpload before 1.5 does not limit the number of
> > | request parts to be processed resulting in the possibility of an
> > | attacker triggering a DoS with a malicious upload or series of
> > | uploads.
> > 
> > https://lists.apache.org/thread/4xl4l09mhwg4vgsk7dxqogcjrobrrdoy
> > https://github.com/apache/commons-fileupload/commit/e20c04990f7420ca917e96a84cec58b13a1b3d17
> 
> I have a patched version of 1.4 ready to upload using the upstream
> patch.  However, based on reading the thread above, having the ability
> to limit the number of request parts in the library is not the same
> as actually limiting the request parts.  The patched library defaults to
> an unlimited number, so it is necessary but not sufficient to mitigate
> the risk.
> 
> Is it safe to assume that CVEs will be created for the software
> components that use commons-fileupload, and so I can go ahead and upload
> the patched 1.4 version and mark CVE-2023-24998 as complete?

We can consider CVE-2023-24998 by itself as fixed with your backport, it happens
from time to time that a fix requires a new API or other related changes on the
calling side of a function.

Adapting a codebase to the new function is outside the scope of the CVE system,
if we know any reverse dependency which needs to set fileCountMax, we can patch
it, but often such a setting is also highly dependent on the setup and a
site-specific setting.

Cheers,
Moritz

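Illustrating the distinction Tony and Moritz draw above, here is an added example (written for this page, not code from commons-fileupload, Debian or the thread's participants) of the caller-side change that the CVE-2023-24998 fix enables but does not apply by itself: a servlet that sets the part-count limit alongside the existing size limits and rejects the request when any limit is hit. The servlet class, the limit values and the `handleUpload` placeholder are assumptions for the example; `setFileCountMax` is the setter the upstream fix adds.

```java
import java.io.IOException;
import java.util.List;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.fileupload.FileItem;
import org.apache.commons.fileupload.FileUploadException;
import org.apache.commons.fileupload.disk.DiskFileItemFactory;
import org.apache.commons.fileupload.servlet.ServletFileUpload;

// Hypothetical servlet (example code for this page) showing the caller-side
// configuration that the patched library (1.5, or 1.4 with the upstream patch)
// makes possible but does not apply by default.
public class UploadServlet extends HttpServlet {

    // Assumed limits for this example; size them for the application.
    private static final long MAX_PARTS = 10;                       // multipart parts per request
    private static final long MAX_FILE_SIZE = 5L * 1024 * 1024;     // bytes per uploaded file
    private static final long MAX_REQUEST_SIZE = 20L * 1024 * 1024; // bytes per whole request

    private ServletFileUpload newUploadHandler() {
        ServletFileUpload upload = new ServletFileUpload(new DiskFileItemFactory());
        // Added by the CVE-2023-24998 fix; without this call the library still
        // accepts an unbounded number of parts (the "necessary but not
        // sufficient" point from the thread).
        upload.setFileCountMax(MAX_PARTS);
        // The size limits predate the CVE but belong to the same resource budget.
        upload.setFileSizeMax(MAX_FILE_SIZE);
        upload.setSizeMax(MAX_REQUEST_SIZE);
        return upload;
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (!ServletFileUpload.isMultipartContent(req)) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "multipart/form-data expected");
            return;
        }
        try {
            List<FileItem> items = newUploadHandler().parseRequest(req);
            for (FileItem item : items) {
                if (!item.isFormField()) {
                    handleUpload(item);
                }
            }
            resp.setStatus(HttpServletResponse.SC_OK);
        } catch (FileUploadException e) {
            // Thrown when any of the limits above is exceeded (1.5 uses a
            // dedicated FileUploadException subclass for the part-count case).
            // Reject the request rather than keep buffering parts.
            resp.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE, "upload rejected");
        }
    }

    // Placeholder for the example: real code validates name and content type
    // and stores the data somewhere safe. Here the temporary copy is discarded.
    private void handleUpload(FileItem item) throws IOException {
        item.delete();
    }
}
```

The three setters form one budget: `fileCountMax` bounds how many parts are parsed, `fileSizeMax` bounds each part, `sizeMax` bounds the request. Leaving any of them at the default reproduces the situation the thread describes, where the library can enforce a limit but nothing asks it to.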


Bug#1030046: Document snakeyaml security expectations

2023-02-06 Thread Moritz Muehlenhoff
On Mon, Jan 30, 2023 at 10:15:47PM +0100, Markus Koschany wrote:
> Hi,
> 
> Am Montag, dem 30.01.2023 um 18:44 +0100 schrieb Moritz Muehlenhoff:
> > 
> > Could we please add a README.Debian.security with something like the following
> > to make this also visible to users?
> > 
> > 
> > Note that snakeyaml isn't designed to operate on YAML data coming from untrusted
> > sources, in such cases you need to apply sanitising/exception handling yourself.
> > 
> > Please see https://bitbucket.org/snakeyaml/snakeyaml/wiki/CVE%20&%20NIST.md
> > for additional information.
> > 
> 
> Sure, that's doable. But how do we treat the current and new CVE in stable and
> oldstable releases? no-dsa, ignored or keep them open until upstream eventually
> fixes them?

Good question! How about we ship whatever is currently fixed upstream in LTS/
Bullseye 11.7 and ship such a README.Debian.security alongside, then we can
just as well apply that to all further/future snakeyaml issues and mark them as
(unimportant)?

Cheers,
Moritz



Bug#1030046: Document snakeyaml security expectations

2023-01-30 Thread Moritz Muehlenhoff
Source: snakeyaml
Version: 1.33-1
Severity: important

Google's oss-fuzz found various cases where snakeyaml triggers an exception
on malformed YAML input. These end up blindly being picked up by various
security web sites (since CVE IDs were assigned).

This is causing lots of overhead/annoyance for the upstream developers
(as voiced in 
https://bitbucket.org/snakeyaml/snakeyaml/issues/551/snakeyaml-cves-from-oss-fuzz)
and they released 
https://bitbucket.org/snakeyaml/snakeyaml/wiki/CVE%20&%20NIST.md
to document expectations.

Could we please add a README.Debian.security with something like the following
to make this also visible to users?


Note that snakeyaml isn't designed to operate on YAML data coming from untrusted
sources, in such cases you need to apply sanitising/exception handling yourself.

Please see https://bitbucket.org/snakeyaml/snakeyaml/wiki/CVE%20&%20NIST.md
for additional information.


Cheers,
Moritz


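As an added example of the "sanitising/exception handling yourself" that the proposed README.Debian.security text asks for (in Moritz's request above and in the quoted copy in the 2023-02-06 follow-up), the following is code written for this page, not snakeyaml's or Debian's: it loads a document from an untrusted source with `SafeConstructor` and explicit `LoaderOptions` limits (setters present in snakeyaml 1.32 and later, hence in the 1.33-1 version named above) and turns any parser failure into a checked exception at the trust boundary. The class name, the limit values, the `UntrustedInputException` type and the sample documents are assumptions made for the example.

```java
import java.util.Collections;
import java.util.Map;

import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;

// Example written for this page, not snakeyaml's or Debian's code: a loader
// for YAML from untrusted sources that does the sanitising and exception
// handling the README text leaves to the application.
public final class UntrustedYamlLoader {

    // Assumed limits for the example; size them for the documents you expect.
    private static final int MAX_CODEPOINTS = 256 * 1024;  // input size cap
    private static final int MAX_ALIASES = 50;             // alias expansion cap
    private static final int MAX_NESTING_DEPTH = 20;       // nesting depth cap

    private final Yaml yaml;

    public UntrustedYamlLoader() {
        LoaderOptions opts = new LoaderOptions();
        opts.setCodePointLimit(MAX_CODEPOINTS);          // 1.32+: reject oversized input early
        opts.setMaxAliasesForCollections(MAX_ALIASES);   // bounds alias/anchor expansion
        opts.setNestingDepthLimit(MAX_NESTING_DEPTH);    // 1.32+: bounds deeply nested input
        opts.setAllowRecursiveKeys(false);               // no self-referencing keys
        opts.setAllowDuplicateKeys(false);               // duplicate keys are an error, not a merge
        // SafeConstructor only builds standard YAML types (maps, lists, scalars);
        // it never instantiates an application class named by a tag.
        this.yaml = new Yaml(new SafeConstructor(opts));
    }

    /** Parses one untrusted document and requires a mapping at the top level. */
    public Map<String, Object> loadMap(String document) throws UntrustedInputException {
        final Object root;
        try {
            root = yaml.load(document);
        } catch (RuntimeException e) {
            // snakeyaml reports malformed or over-limit input with unchecked
            // exceptions (YAMLException and, as the oss-fuzz reports show,
            // occasionally others); for untrusted input all of them mean "reject".
            throw new UntrustedInputException("rejected YAML input: " + e.getMessage(), e);
        }
        if (root == null) {
            return Collections.emptyMap();   // empty document
        }
        if (!(root instanceof Map)) {
            throw new UntrustedInputException("expected a mapping at the top level");
        }
        @SuppressWarnings("unchecked")
        Map<String, Object> map = (Map<String, Object>) root;
        return map;
    }

    /** Checked exception so every caller must decide what to do with bad input. */
    public static final class UntrustedInputException extends Exception {
        public UntrustedInputException(String message) { super(message); }
        public UntrustedInputException(String message, Throwable cause) { super(message, cause); }
    }

    public static void main(String[] args) {
        UntrustedYamlLoader loader = new UntrustedYamlLoader();
        // Constructed sample inputs: a valid document, a truncated one, and one
        // that names a (hypothetical) application class through a tag.
        String[] samples = {
            "name: demo\nports: [80, 443]\n",
            "key: [unclosed\n",
            "!!com.example.Config {debug: true}\n",
        };
        for (String doc : samples) {
            try {
                System.out.println("accepted: " + loader.loadMap(doc));
            } catch (UntrustedInputException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Only the first sample is accepted; the truncated document fails in the parser and the tagged one fails in `SafeConstructor`, which has no constructor for a class tag. Both surface as the same checked exception, which is the point of putting the handling at the boundary rather than around every individual `load` call.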


Bug#989259: CVE-2021-28170

2021-05-30 Thread Moritz Muehlenhoff
Source: jakarta-el-api
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team 

This was assigned CVE-2021-28170:
https://github.com/eclipse-ee4j/el-ri/issues/155
https://securitylab.github.com/advisories/GHSL-2020-021-jakarta-el/

Cheers,
 Moritz



Bug#988946: CVE-2020-10693

2021-05-21 Thread Moritz Muehlenhoff
Package: libhibernate-validator-java
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team 

CVE-2020-10693:
https://bugzilla.redhat.com/show_bug.cgi?id=1805501

Cheers,
 Moritz



Bug#988944: CVE-2020-7692

2021-05-21 Thread Moritz Muehlenhoff
Source: google-oauth-client-java
Severity: grave
Tags: security
X-Debbugs-Cc: Debian Security Team 

CVE-2020-7692:
https://snyk.io/vuln/SNYK-JAVA-COMGOOGLEOAUTHCLIENT-575276
https://github.com/googleapis/google-oauth-java-client/issues/469
https://github.com/googleapis/google-oauth-java-client/commit/13433cd7dd06267fc261f0b1d4764f8e3432c824

Cheers,
 Moritz



Bug#988728: CVE-2020-17523 CVE-2020-17510 CVE-2020-11989

2021-05-18 Thread Moritz Muehlenhoff
Source: shiro
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team 

CVE-2020-17523:
https://www.openwall.com/lists/oss-security/2021/02/01/3
https://issues.apache.org/jira/browse/SHIRO-797

CVE-2020-17510:
https://www.openwall.com/lists/oss-security/2020/11/04/7
https://lists.apache.org/thread.html/rc2cff2538b683d480426393eecf1ce8dd80e052fbef49303b4f47171%40%3Cdev.shiro.apache.org%3E
https://issues.apache.org/jira/secure/ReleaseNote.jspa?version=12349284=Text=12310950

CVE-2020-11989:
https://www.openwall.com/lists/oss-security/2020/06/22/1
https://github.com/apache/shiro/pull/211
https://issues.apache.org/jira/browse/SHIRO-753

Cheers,
 Moritz



Bug#987284: CVE-2021-29428 CVE-2021-29429

2021-04-20 Thread Moritz Muehlenhoff
Package: gradle
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team 

CVE-2021-29429
https://github.com/gradle/gradle/security/advisories/GHSA-fp8h-qmr5-j4c8

CVE-2021-29428
https://github.com/gradle/gradle/security/advisories/GHSA-89qm-pxvm-p336

Cheers,
Moritz  




Bug#986805: CVE-2021-28657

2021-04-12 Thread Moritz Muehlenhoff
Source: tika
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team 

https://www.openwall.com/lists/oss-security/2021/03/30/3

Cheers,
Moritz



Bug#984666: CVE-2020-9489

2021-03-06 Thread Moritz Muehlenhoff
Source: tika
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team 

This was assigned CVE-2020-9489:
https://www.openwall.com/lists/oss-security/2020/04/24/1

Cheers,
Moritz



Bug#980816: Clarify requirement for safe default typing?

2021-01-22 Thread Moritz Muehlenhoff
Source: jackson-databind
Severity: important
X-Debbugs-Cc: car...@debian.org, a...@debian.org

Starting with 2.10 (and thus in Bullseye) upstream makes safe default
typing required, the absence is no longer considered a security issue,
see e.g. here:

https://github.com/FasterXML/jackson-databind/issues/2798
| Not considered valid CVE for Jackson 2.10.0 and later (see
| https://medium.com/@cowtowncoder/jackson-2-10-safe-default-typing-2d018f0ce2ba)

I'm wondering how to best convey this, maybe via a NEWS entry or
simply accept it as given?

Cheers,
Moritz

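To make the 2.10 policy quoted above concrete, here is an added example (not code from jackson-databind or the bug report) contrasting the pre-2.10 `enableDefaultTyping` configuration, whose consequences upstream no longer counts as Jackson CVEs, with the `activateDefaultTyping` form that takes a `PolymorphicTypeValidator`. The `Animal`/`Dog` model types, the allow-list prefix and the sample JSON are constructed for the example.

```java
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.ObjectMapper.DefaultTyping;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

// Example written for this page, not jackson-databind's own code. It contrasts
// the pre-2.10 default-typing configuration with the validator-based one that
// 2.10 requires. Animal and Dog are made-up model types.
public final class SafeDefaultTypingExample {

    public abstract static class Animal {
        public String name;
    }

    // Deliberately not final: DefaultTyping.NON_FINAL only adds type ids for non-final types.
    public static class Dog extends Animal {
        public Dog() { }
        public Dog(String name) { this.name = name; }
    }

    // Pre-2.10 style: whatever class name appears in the JSON type id is resolved.
    // Upstream no longer treats classes reachable through this setting as Jackson
    // CVEs, because the setting itself is documented as unsafe.
    @SuppressWarnings("deprecation")
    public static ObjectMapper unrestrictedMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(DefaultTyping.NON_FINAL);
        return mapper;
    }

    // 2.10+ style: default typing is activated together with a validator that
    // allow-lists the subtypes a type id may name.
    public static ObjectMapper restrictedMapper() {
        // Assumed allow-list: in real code this is the application's model package
        // (e.g. "com.example.model."); here it is this file's own nested classes.
        String allowedPrefix = SafeDefaultTypingExample.class.getName() + "$";
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(allowedPrefix)
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, DefaultTyping.NON_FINAL);
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = restrictedMapper();

        // Round trip through the wrapper-array form that default typing emits,
        // e.g. ["SafeDefaultTypingExample$Dog",{"name":"Rex"}].
        String json = mapper.writeValueAsString(new Dog("Rex"));
        System.out.println(json);
        Animal back = mapper.readValue(json, Animal.class);
        System.out.println(back.getClass().getSimpleName() + ": " + back.name);

        // A type id outside the allow-list is refused by the validator on the
        // class name alone, before the class is loaded; Jackson reports it as a
        // JsonMappingException subclass. The payload is constructed and harmless.
        String foreign = "[\"java.util.ArrayList\",[]]";
        try {
            mapper.readValue(foreign, Animal.class);
            System.out.println("unexpectedly accepted");
        } catch (JsonMappingException e) {
            System.out.println("rejected: " + e.getOriginalMessage());
        }
    }
}
```

Compile and run with jackson-databind 2.10 or later on the classpath. The difference the bug report is about is entirely in `restrictedMapper`: the validator is a required argument of `activateDefaultTyping`, so a 2.10 application cannot turn default typing on without saying which classes may be named, which is why upstream treats a deployment that still uses `enableDefaultTyping` as a misconfiguration rather than a library bug.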

Bug#973381: CVE-2020-5421

2020-10-29 Thread Moritz Muehlenhoff
Source: libspring-java
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team 

Please see https://tanzu.vmware.com/security/cve-2020-5421

Cheers,
Moritz


Bug#972231: CVE-2020-15250

2020-10-14 Thread Moritz Muehlenhoff
Package: junit4
Version: 4.12-8
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team 

Please see 
https://github.com/junit-team/junit4/security/advisories/GHSA-269g-pwp5-87pp

Cheers,
Moritz


Bug#972230: CVE-2017-17742 CVE-2019-16201 CVE-2019-16254 CVE-2019-16255 CVE-2020-25613

2020-10-14 Thread Moritz Muehlenhoff
Package: jruby
Severity: grave
Tags: security
X-Debbugs-Cc: Debian Security Team 

jruby bundles various modules from the Ruby stdlib, which have been affected by
security issues:

CVE-2017-17742:
https://www.ruby-lang.org/en/news/2018/03/28/http-response-splitting-in-webrick-cve-2017-17742/
https://github.com/ruby/ruby/commit/d9d4a28f1cdd05a0e8dabb36d747d40bbcc30f16

CVE-2019-16201
https://github.com/ruby/ruby/commit/36e057e26ef2104bc2349799d6c52d22bb1c7d03
https://hackerone.com/reports/661722
https://www.ruby-lang.org/en/news/2019/10/01/webrick-regexp-digestauth-dos-cve-2019-16201/

CVE-2019-16254
https://github.com/ruby/ruby/commit/3ce238b5f9795581eb84114dcfbdf4aa086bfecc
https://hackerone.com/reports/331984
https://www.ruby-lang.org/en/news/2019/10/01/http-response-splitting-in-webrick-cve-2019-16254/

CVE-2019-16255
https://www.ruby-lang.org/en/news/2019/10/01/code-injection-shell-test-cve-2019-16255/
https://github.com/ruby/ruby/commit/3af01ae1101e0b8815ae5a106be64b0e82a58640

CVE-2020-25613
https://www.ruby-lang.org/en/news/2020/09/29/http-request-smuggling-cve-2020-25613/
https://github.com/ruby/webrick/commit/8946bb38b4d87549f0d99ed73c62c41933f97cc7


The root cause for all of this is #926280

Cheers,
Moritz



Bug#972034: Multiple security issues affecting intellij-community-idea?

2020-10-11 Thread Moritz Muehlenhoff
Source: intellij-community-idea
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team 

There are multiple security issues for JetBrains, but it's not really obvious
whether they affect the libraries in src:intellij-community-idea or only
parts not packaged, can you please check so that we can update the
Security Tracker accordingly?

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7914
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7905
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7904
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11690
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9873
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9872
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9823
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9186
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18361
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14954
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10104
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10103

Cheers,
Moritz


Bug#970585: CVE-2020-25633

2020-09-19 Thread Moritz Muehlenhoff
Source: resteasy
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team 

There isn't much information at this point, we got it from Red Hat
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1879042

Cheers,
 Moritz


Bug#970328: CVE-2020-10688

2020-09-14 Thread Moritz Muehlenhoff
Source: resteasy
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team 

This was assigned CVE-2020-10688:

https://bugzilla.redhat.com/show_bug.cgi?id=1814974
https://github.com/quarkusio/quarkus/issues/7248
https://issues.redhat.com/browse/RESTEASY-2519

Cheers,
Moritz
   


Bug#969913: CVE-2020-10719

2020-09-08 Thread Moritz Muehlenhoff
Source: undertow
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team 

It's scarce on details, but this was assigned CVE-2020-10719:
https://bugzilla.redhat.com/show_bug.cgi?id=1828459

Cheers,
Moritz


Bug#968753: CVE-2020-13933

2020-08-20 Thread Moritz Muehlenhoff
Source: shiro
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team 

This was assigned CVE-2020-13933:
https://lists.apache.org/thread.html/r539f87706094e79c5da0826030384373f0041068936912876856835f%40%3Cdev.shiro.apache.org%3E

Cheers,
Moritz


Bug#934319: CVE-2019-10181 CVE-2019-10182 CVE-2019-10185

2019-08-09 Thread Moritz Muehlenhoff
Source: icedtea-web
Severity: grave
Tags: security

Please see https://www.openwall.com/lists/oss-security/2019/07/31/2

Cheers,
Moritz


Re: java-common_0.58+deb9u1_amd64.changes ACCEPTED into proposed-updates->stable-new, proposed-updates

2019-04-18 Thread Moritz Muehlenhoff
On Thu, Apr 18, 2019 at 07:58:05PM +0200, Emmanuel Bourg wrote:
> Le 18/04/2019 à 19:32, Debian FTP Masters a écrit :
> 
> >  java-common (0.58+deb9u1) stretch; urgency=medium
> >  .
> >* Remove default-java-plugin as the icedtea-web Xul plugin is going away
> >* Also drop the Recommends: to default-java-plugin in default-jre
> 
> It would be nice to keep a Recommends on icedtea-netx, otherwise a
> default installation of the JRE no longer supports JNLP applications.

Sure, feel free to propose a +deb9u2 with the additional change.

Cheers,
Moritz


Bug#926280: Don't bundle rubygems

2019-04-02 Thread Moritz Muehlenhoff
Package: jruby
Severity: important

(This bug isn't really actionable yet, as it depends on #926278 getting fixed
in src:ruby2.5)

Please don't use the bundled rubygems any longer, but instead a copy shared
with the C-based Ruby interpreter.

Given that most of the security issues in the C-based interpreter don't
affect Jruby (apart from the rubygems) this will considerably reduce the
overhead for keeping jruby updated in stable/oldstable.

I spoke to upstream (CCed) earlier and they confirmed that jruby bundles
the rubygems unmodified, so that should not cause any run time issues.

Cheers,
Moritz


Bug#925987: CVE-2019-8320 CVE-2019-8321 CVE-2019-8322 CVE-2019-8323 CVE-2019-8324 CVE-2019-8325

2019-03-29 Thread Moritz Muehlenhoff
Package: jruby
Severity: grave
Tags: security

jruby embeds a version of rubygems, so it's affected by
https://www.ruby-lang.org/en/news/2019/03/05/multiple-vulnerabilities-in-rubygems

Cheers,
Moritz


Bug#925986: CVE-2018-1000073

2019-03-29 Thread Moritz Muehlenhoff
Package: jruby
Severity: grave
Tags: security

CVE-2018-173 is not fixed in the rubygems bundled in jruby,
https://www.ruby-lang.org/en/news/2018/02/17/multiple-vulnerabilities-in-rubygems/
https://github.com/rubygems/rubygems/commit/1b931fc03b819b9a0214be3eaca844ef534175e2

The other 2018 rubygems issues are fixed in the bundled copy.

For bullseye we should really fix jruby to use a common rubygems
binary package.

Cheers,
Moritz


Bug#921772: CVE-2018-1000652

2019-02-08 Thread Moritz Muehlenhoff
Package: jabref
Severity: grave
Tags: security

This was assigned CVE-2018-1000652:
https://github.com/JabRef/jabref/issues/4229
https://github.com/JabRef/jabref/commit/89f855d76713b4cd25ac0830c719cd61c511851e

Cheers,
Moritz
  


Bug#912916: mysql-connector-java: CVE-2018-3258: allows low privileged attacker to compromise it

2018-11-08 Thread Moritz Muehlenhoff
On Thu, Nov 08, 2018 at 07:42:35PM +0100, Markus Koschany wrote:
> Am 08.11.18 um 19:34 schrieb Moritz Mühlenhoff:
> [...]
> > So upon a closer look this seems to only affect the 8.x releases of the
> > connector (Oracle only lists those affected release series which are
> > affected and this only lists 8.x, while 5.1.x is still supported; there's
> > a 5.1.47 release).
> > 
> > Still, this is good example why we should phase out mysql-connector-java
> > in favour of the more transparent mariadb-connector-java, so let's maybe
> > reuse this bug for tracking this? (Especially given Tony's experience
> > that the migration is rather straightforward).
> 
> I'm currently working on updating the affected packages. I intend to
> complete this at the weekend. Some packages are not maintained by the
> Java team, so I will retitle this bug report and file bugs for those
> packages that block the removal of mysql-connector-java. I will CC you
> once I have made some progress.

Great, thanks! Much appreciated.

Cheers,
Moritz


Bug#911796: CVE-2018-14642

2018-10-24 Thread Moritz Muehlenhoff
Source: undertow
Severity: important
Tags: security

Limited details so far:
https://bugzilla.redhat.com/show_bug.cgi?id=1628702

Cheers,
Moritz


Bug#905215: CVE-2018-2941

2018-10-07 Thread Moritz Muehlenhoff
On Sun, Oct 07, 2018 at 01:04:38PM +0200, Markus Koschany wrote:
> Hi,
> 
> On Wed, 01 Aug 2018 16:45:30 +0200 Moritz Muehlenhoff 
> wrote:
> > Source: openjfx
> > Severity: grave
> > Tags: security
> > 
> > http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
> > fixed CVE-2018-2941 in JavaFX, which should affect our openjfx package.
> 
> We have recently upgraded OpenJFX to version 11. It is not listed as a
> vulnerable version in Oracle's security advisory. I presume if it has
> been vulnerable they would have fixed it in OpenJFX 11 too by now. Do
> you have more information about this vulnerability because I can't find
> any details on the web.

No, unfortunately it's the same "we fix, but don't tell" bullshit policy
as with all other Oracle products.

Given that mediathekview is our only reverse dependency in stretch we
can probably mark it as ignored for stretch anyway?

Cheers,
Moritz


Bug#906770: README.Debian could use some clarifications

2018-08-20 Thread Moritz Muehlenhoff
Source: jetty9
Severity: normal

For my tests of the jetty9 security update for stretch (released as
DSA 4278) I had looked into creating a test setup and the README.Debian
confused me quite a bit (and external references usually refer to a
totally different way to deploy Jetty using the upstream packages):

It mentions:
| Additional contexts can be configured and (hot) deployed via the
| /etc/jetty9/contexts directory (linked from /usr/share/jetty9/contexts).

But it seems that is now replaced by /etc/jetty9/start.d?

Also from
| Webapps can be deployed by placing them in /var/lib/jetty9/webapps
| (linked from /usr/share/jetty9/webapps)

it wasn't obvious for me whether the .war file or a config file should
be placed in /var/lib/jetty9/webapps.

(I eventually had a look at solr-jetty (which I eventually used for testing) and
it places a symlink to /etc/solr/sol-jetty.xml in there.)

Cheers,
Moritz



Bug#905215: CVE-2018-2941

2018-08-01 Thread Moritz Muehlenhoff
Source: openjfx
Severity: grave
Tags: security

http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
fixed CVE-2018-2941 in JavaFX, which should affect our openjfx package.

Cheers,
Moritz


Bug#897259: CVE-2018-1297

2018-04-30 Thread Moritz Muehlenhoff
Source: jakarta-jmeter
Severity: important
Tags: security

Please see http://www.openwall.com/lists/oss-security/2018/02/11/1

The changes at https://bz.apache.org/bugzilla/show_bug.cgi?id=62039
are mostly about adding SSL support and describing how to build
a secure setup, so maybe a NEWS file is warranted?

Cheers,
Moritz
