Re: Bug#1057343: Processed: Re: Bug#1057315: tiles: CVE-2023-49735

2023-12-04 Thread Moritz Muehlenhoff
On Mon, Dec 04, 2023 at 09:13:41AM +, Holger Levsen wrote: > Hi Salvatore, > > thanks for your continuous work on Debian security! > > On Sun, Dec 03, 2023 at 08:03:05PM +, Debian Bug Tracking System wrote: > > > clone -1 -2 -3 > > Bug #1057315 [src:tiles] tiles: CVE-2023-49735 > > Bug

Bug#1057315: tiles: CVE-2023-49735

2023-12-03 Thread Moritz Muehlenhoff
Salvatore Bonaccorso wrote: > If you fix the vulnerability please also make sure to include the > CVE (Common Vulnerabilities & Exposures) id in your changelog entry. > > The project is dead-upstream TTBOMK, so not sure if/what we can do at > all for this issue. Removal seems not possible as per:

Bug#1041498: bookworm-pu: package testng7/7.5-2~deb12u1

2023-07-19 Thread Moritz Muehlenhoff
Package: release.debian.org Severity: normal Tags: bookworm User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: test...@packages.debian.org, d...@debian.org, vladimir.pe...@canonical.com Control: affects -1 + src:testng7 We need to introduce a backport of testng7 in the

Bug#1041397: bookworm-pu: package asmtools/7.0-b09-2~deb11u1

2023-07-18 Thread Moritz Muehlenhoff
Package: release.debian.org Severity: normal Tags: bookworm User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: asmto...@packages.debian.org, ebo...@apache.org Control: affects -1 + src:asmtools We need to introduce a backport of asmtools in the version found in bookworm to

Bug#1034824: tomcat9 should not be released with Bookworm

2023-05-26 Thread Moritz Muehlenhoff
On Fri, May 26, 2023 at 12:10:18AM +0200, Markus Koschany wrote: > First of all trapperkeeper-webserver-jetty9-clojure should add a build- > dependency on logback to detect such regressions in advance. > > #1036250 is mainly a logback problem, not a tomcat problem. I still would like > to hear

Bug#1031733: libcommons-fileupload-java: CVE-2023-24998

2023-02-22 Thread Moritz Muehlenhoff
On Tue, Feb 21, 2023 at 09:48:35PM -0800, tony mancill wrote: > On Tue, Feb 21, 2023 at 04:10:16PM +0100, Moritz Mühlenhoff wrote: > > Source: libcommons-fileupload-java > > X-Debbugs-CC: t...@security.debian.org > > Severity: important > > Tags: security > > > > Hi, > > > > The following

Bug#1030046: Document snakeyaml security expectations

2023-02-06 Thread Moritz Muehlenhoff
On Mon, Jan 30, 2023 at 10:15:47PM +0100, Markus Koschany wrote: > Hi, > > Am Montag, dem 30.01.2023 um 18:44 +0100 schrieb Moritz Muehlenhoff: > > > > Could we please add a README.Debian.security with something like the > > following > > t

Bug#1030046: Document snakeyaml security expectations

2023-01-30 Thread Moritz Muehlenhoff
Source: snakeyaml Version: 1.33-1 Severity: important Google's oss-fuzz found various cases where snakeyaml triggers an exception on malformed YAML input. These end up blindly being picked by various security web sites (since CVE IDs were assigned). This is causing lots of overhead/annoyance for

Bug#989259: CVE-2021-28170

2021-05-30 Thread Moritz Muehlenhoff
Source: jakarta-el-api Severity: important Tags: security X-Debbugs-Cc: Debian Security Team This was assigned CVE-2021-28170: https://github.com/eclipse-ee4j/el-ri/issues/155 https://securitylab.github.com/advisories/GHSL-2020-021-jakarta-el/ Cheers, Moritz __ This is the maintainer

Bug#988946: CVE-2020-10693

2021-05-21 Thread Moritz Muehlenhoff
Package: libhibernate-validator-java Severity: important Tags: security X-Debbugs-Cc: Debian Security Team CVE-2020-10693: https://bugzilla.redhat.com/show_bug.cgi?id=1805501 Cheers, Moritz

Bug#988944: CVE-2020-7692

2021-05-21 Thread Moritz Muehlenhoff
Source: google-oauth-client-java Severity: grave Tags: security X-Debbugs-Cc: Debian Security Team CVE-2020-7692: https://snyk.io/vuln/SNYK-JAVA-COMGOOGLEOAUTHCLIENT-575276 https://github.com/googleapis/google-oauth-java-client/issues/469

Bug#988728: CVE-2020-17523 CVE-2020-17510 CVE-2020-11989

2021-05-18 Thread Moritz Muehlenhoff
Source: shiro Severity: important Tags: security X-Debbugs-Cc: Debian Security Team CVE-2020-17523: https://www.openwall.com/lists/oss-security/2021/02/01/3 https://issues.apache.org/jira/browse/SHIRO-797 CVE-2020-17510: https://www.openwall.com/lists/oss-security/2020/11/04/7

Bug#987284: CVE-2021-29428 CVE-2021-29429

2021-04-20 Thread Moritz Muehlenhoff
Package: gradle Severity: important Tags: security X-Debbugs-Cc: Debian Security Team CVE-2021-29429 https://github.com/gradle/gradle/security/advisories/GHSA-fp8h-qmr5-j4c8 CVE-2021-29428 https://github.com/gradle/gradle/security/advisories/GHSA-89qm-pxvm-p336 Cheers, Moritz

Bug#986805: CVE-2021-28657

2021-04-12 Thread Moritz Muehlenhoff
Source: tika Severity: important Tags: security X-Debbugs-Cc: Debian Security Team https://www.openwall.com/lists/oss-security/2021/03/30/3 Cheers, Moritz

Bug#984666: CVE-2020-9489

2021-03-06 Thread Moritz Muehlenhoff
Source: tika Severity: important Tags: security X-Debbugs-Cc: Debian Security Team This was assigned CVE-2020-9489: https://www.openwall.com/lists/oss-security/2020/04/24/1 Cheers, Moritz

Bug#980816: Clarify requirement for safe default typing?

2021-01-22 Thread Moritz Muehlenhoff
Source: jackson-databind Severity: important X-Debbugs-Cc: car...@debian.org, a...@debian.org Starting with 2.10 (and thus in Bullseye) upstream makes safe default typing required, the absence is no longer considered a security issue, see e.g. here:

Bug#973381: CVE-2020-5421

2020-10-29 Thread Moritz Muehlenhoff
Source: libspring-java Severity: important Tags: security X-Debbugs-Cc: Debian Security Team Please see https://tanzu.vmware.com/security/cve-2020-5421 Cheers, Moritz

Bug#972231: CVE-2020-15250

2020-10-14 Thread Moritz Muehlenhoff
Package: junit4 Version: 4.12-8 Severity: important Tags: security X-Debbugs-Cc: Debian Security Team Please see https://github.com/junit-team/junit4/security/advisories/GHSA-269g-pwp5-87pp Cheers, Moritz

Bug#972230: CVE-2017-17742 CVE-2019-16201 CVE-2019-16254 CVE-2019-16255 CVE-2020-25613

2020-10-14 Thread Moritz Muehlenhoff
Package: jruby Severity: grave Tags: security X-Debbugs-Cc: Debian Security Team jruby bundles various modules from the Ruby stdlib, which have been affected by security issues: CVE-2017-17742: https://www.ruby-lang.org/en/news/2018/03/28/http-response-splitting-in-webrick-cve-2017-17742/

Bug#972034: Multiple security issues affecting intellij-community-idea?

2020-10-11 Thread Moritz Muehlenhoff
Source: intellij-community-idea Severity: important Tags: security X-Debbugs-Cc: Debian Security Team There are multiple securities for JetBrains, but it's not really obvious whether they affect libraries src:intellij-community-idea or only parts not packaged, can you please check so that we can

Bug#970585: CVE-2020-25633

2020-09-19 Thread Moritz Muehlenhoff
Source: resteasy Severity: important Tags: security X-Debbugs-Cc: Debian Security Team There isn't much information at this point, we got it from Red Hat Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1879042 Cheers, Moritz

Bug#970328: CVE-2020-10688

2020-09-14 Thread Moritz Muehlenhoff
Source: resteasy Severity: important Tags: security X-Debbugs-Cc: Debian Security Team This was assigned CVE-2020-10688: https://bugzilla.redhat.com/show_bug.cgi?id=1814974 https://github.com/quarkusio/quarkus/issues/7248 https://issues.redhat.com/browse/RESTEASY-2519 Cheers, Moritz

Bug#969913: CVE-2020-10719

2020-09-08 Thread Moritz Muehlenhoff
Source: undertow Severity: important Tags: security X-Debbugs-Cc: Debian Security Team It's scarce on details, but this was assigned CVE-2020-10719: https://bugzilla.redhat.com/show_bug.cgi?id=1828459 Cheers, Moritz

Bug#968753: CVE-2020-13933

2020-08-20 Thread Moritz Muehlenhoff
Source: shiro Severity: important Tags: security X-Debbugs-Cc: Debian Security Team This was assigned CVE-2020-13933: https://lists.apache.org/thread.html/r539f87706094e79c5da0826030384373f0041068936912876856835f%40%3Cdev.shiro.apache.org%3E Cheers, Moritz

Bug#934319: CVE-2019-10181 CVE-2019-10182 CVE-2019-10185

2019-08-09 Thread Moritz Muehlenhoff
Source: icedtea-web Severity: grave Tags: security Please see https://www.openwall.com/lists/oss-security/2019/07/31/2 Cheers, Moritz

Re: java-common_0.58+deb9u1_amd64.changes ACCEPTED into proposed-updates->stable-new, proposed-updates

2019-04-18 Thread Moritz Muehlenhoff
On Thu, Apr 18, 2019 at 07:58:05PM +0200, Emmanuel Bourg wrote: > Le 18/04/2019 à 19:32, Debian FTP Masters a écrit : > > > java-common (0.58+deb9u1) stretch; urgency=medium > > . > >* Remove default-java-plugin as the icedtea-web Xul plugin is going away > >* Also drop the Recommends:

Bug#926280: Don't bundle rubygems

2019-04-02 Thread Moritz Muehlenhoff
Package: jruby Severity: important (This bug isn't really actionable yet, as it depends on #926278 getting fixed in src:ruby2.5) Please don't use the bundled rubygems any longer, but instead a copy shared with the C-based Ruby interpreter. Given that most of the security issues in the C-based

Bug#925987: CVE-2019-8320 CVE-2019-8321 CVE-2019-8322 CVE-2019-8323 CVE-2019-8324 CVE-2019-8325

2019-03-29 Thread Moritz Muehlenhoff
Package: jruby Severity: grave Tags: security jruby embeds a version of rubygems, so it's affected by https://www.ruby-lang.org/en/news/2019/03/05/multiple-vulnerabilities-in-rubygems Cheers, Moritz

Bug#925986: CVE-2018-1000073

2019-03-29 Thread Moritz Muehlenhoff
Package: jruby Severity: grave Tags: security CVE-2018-173 is not fixed in the rubygems bundled in jruby, https://www.ruby-lang.org/en/news/2018/02/17/multiple-vulnerabilities-in-rubygems/ https://github.com/rubygems/rubygems/commit/1b931fc03b819b9a0214be3eaca844ef534175e2 The other 2018

Bug#921772: CVE-2018-1000652

2019-02-08 Thread Moritz Muehlenhoff
Package: jabref Severity: grave Tags: security This was assigned CVE-2018-1000652: https://github.com/JabRef/jabref/issues/4229 https://github.com/JabRef/jabref/commit/89f855d76713b4cd25ac0830c719cd61c511851e Cheers, Moritz

Bug#912916: mysql-connector-java: CVE-2018-3258: allows low privileged attacker to compromise it

2018-11-08 Thread Moritz Muehlenhoff
On Thu, Nov 08, 2018 at 07:42:35PM +0100, Markus Koschany wrote: > Am 08.11.18 um 19:34 schrieb Moritz Mühlenhoff: > [...] > > So upon a closer look this seems to only affect the 8.x releases of the > > connector (Oracle only lists those affected release series which are > > affected and this only

Bug#911796: CVE-2018-14642

2018-10-24 Thread Moritz Muehlenhoff
Source: undertow Severity: important Tags: security Limited details so far: https://bugzilla.redhat.com/show_bug.cgi?id=1628702 Cheers, Moritz

Bug#905215: CVE-2018-2941

2018-10-07 Thread Moritz Muehlenhoff
On Sun, Oct 07, 2018 at 01:04:38PM +0200, Markus Koschany wrote: > Hi, > > On Wed, 01 Aug 2018 16:45:30 +0200 Moritz Muehlenhoff > wrote: > > Source: openjfx > > Severity: grave > > Tags: security > > > > http://www.oracle.com/technetwork/security-advi

Bug#906770: README.Debian could use some clarifications

2018-08-20 Thread Moritz Muehlenhoff
Source: jetty9 Severity: normal For my tests of the jetty9 security update for stretch (released as DSA 4278) I had looked into creating a test setup and the README.Debian confused me quite a bit (and external references usually refer to a totally different way to deploy Jetty using the upstream

Bug#905215: CVE-2018-2941

2018-08-01 Thread Moritz Muehlenhoff
Source: openjfx Severity: grave Tags: security http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html fixed CVE-2018-2941 in JavaFX, which should affect our openjfx package. Cheers, Moritz

Bug#897259: CVE-2018-1297

2018-04-30 Thread Moritz Muehlenhoff
Source: jakarta-jmeter Severity: important Tags: security Please see http://www.openwall.com/lists/oss-security/2018/02/11/1 The changes at https://bz.apache.org/bugzilla/show_bug.cgi?id=62039 are mostly about adding SSL support and describing how to build a secure setup, so maybe a NEWS file is