Accepted plexus-utils2 3.0.15-1+deb8u1 (source all) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates

2018-03-30 Thread Moritz Muehlenhoff
Maintainers <pkg-java-maintainers@lists.alioth.debian.org> Changed-By: Moritz Muehlenhoff <j...@debian.org> Description: libplexus-utils2-java - utilities for the Plexus framework libplexus-utils2-java-doc - utilities for the Plexus framework - documentation Changes: plexus-util

Accepted plexus-utils 1:1.5.15-4+deb8u1 (source all) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates

2018-03-30 Thread Moritz Muehlenhoff
Maintainers <pkg-java-maintainers@lists.alioth.debian.org> Changed-By: Moritz Muehlenhoff <j...@debian.org> Description: libplexus-utils-java - utilities for the Plexus framework libplexus-utils-java-doc - API Documentation for plexus-utils Changes: plexus-utils (1:1.5.15-4+deb8u1) jes

Accepted plexus-utils 1:1.5.15-4+deb9u1 (source all) into proposed-updates->stable-new, proposed-updates

2018-03-30 Thread Moritz Muehlenhoff
Maintainers <pkg-java-maintainers@lists.alioth.debian.org> Changed-By: Moritz Muehlenhoff <j...@debian.org> Description: libplexus-utils-java - utilities for the Plexus framework libplexus-utils-java-doc - API Documentation for plexus-utils Changes: plexus-utils (1:1.5.15-4+deb

Accepted plexus-utils2 3.0.15-1+deb8u1 (source all) into oldstable->embargoed, oldstable

2018-03-22 Thread Moritz Muehlenhoff
Maintainers <pkg-java-maintainers@lists.alioth.debian.org> Changed-By: Moritz Muehlenhoff <j...@debian.org> Description: libplexus-utils2-java - utilities for the Plexus framework libplexus-utils2-java-doc - utilities for the Plexus framework - documentation Changes: plexus-util

Accepted plexus-utils 1:1.5.15-4+deb8u1 (source all) into oldstable->embargoed, oldstable

2018-03-20 Thread Moritz Muehlenhoff
Maintainers <pkg-java-maintainers@lists.alioth.debian.org> Changed-By: Moritz Muehlenhoff <j...@debian.org> Description: libplexus-utils-java - utilities for the Plexus framework libplexus-utils-java-doc - API Documentation for plexus-utils Changes: plexus-utils (1:1.5.15-4+deb8u1) jes

Accepted plexus-utils 1:1.5.15-4+deb9u1 (source all) into stable->embargoed, stable

2018-03-20 Thread Moritz Muehlenhoff
Maintainers <pkg-java-maintainers@lists.alioth.debian.org> Changed-By: Moritz Muehlenhoff <j...@debian.org> Description: libplexus-utils-java - utilities for the Plexus framework libplexus-utils-java-doc - API Documentation for plexus-utils Changes: plexus-utils (1:1.5.15-4+deb

Bug#891796: CVE-2017-18197

2018-02-28 Thread Moritz Muehlenhoff
Source: libjgraphx-java Severity: normal Tags: security This was assigned CVE-2017-18197: https://github.com/jgraph/mxgraph/issues/124 Cheers, Moritz __ This is the maintainer address of Debian's Java team .

Bug#888547: CVE-2017-1000190

2018-01-27 Thread Moritz Muehlenhoff
Source: simple-xml Severity: important Tags: security CVE-2017-1000190 has been assigned to this bug in simple-xml: https://github.com/ngallagher/simplexml/issues/18 Cheers, Moritz __ This is the maintainer address of Debian's Java team

Bug#825501: CVE-2016-4434

2018-01-12 Thread Moritz Muehlenhoff
On Thu, Jan 11, 2018 at 02:03:23PM +0200, Faidon Liambotis wrote: > On Fri, May 27, 2016 at 11:58:33AM +0200, Moritz Muehlenhoff wrote: > > please see http://seclists.org/oss-sec/2016/q2/413 for details. > > That link says: > Versions Affected: > Apache Tika 0.10 to 1.1

Bug#885338: CVE-2017-12165

2017-12-26 Thread Moritz Muehlenhoff
Source: undertow Severity: important Tags: security The only source here is a report in Red Hat Bugzilla, so might be worth contacting upstream for additional information: https://bugzilla.redhat.com/show_bug.cgi?id=1490301 Cheers, Moritz __ This is the maintainer address of Debian's

Bug#870860: openjfx: CVE-2017-10086 CVE-2017-10114

2017-10-17 Thread Moritz Muehlenhoff
On Tue, Oct 17, 2017 at 04:30:16PM +0200, Emmanuel Bourg wrote: > I ran the Oracle JavaFX demos with the new version and it worked fine > (except the media player but this isn't a regression, something is > probably misconfigured on my machine). > > Should I proceed with the upload, or do you

Bug#870860: openjfx: CVE-2017-10086 CVE-2017-10114

2017-10-06 Thread Moritz Muehlenhoff
On Fri, Oct 06, 2017 at 04:27:02PM +0200, Emmanuel Bourg wrote: > Hi, > > Quick update on openjfx: the package is back on track, as of version > 8u141-b14-3 I eventually managed to get it to build on both amd64 and > i386 in unstable for the first time since January. If the tests go well > I'll

Bug#870860: openjfx: CVE-2017-10086 CVE-2017-10114

2017-10-02 Thread Moritz Muehlenhoff
On Sat, Aug 05, 2017 at 09:58:53PM +0200, Salvatore Bonaccorso wrote: > Source: openjfx > Version: 8u131-b11-1 > Severity: grave > Tags: upstream security > > Hi, > > the following vulnerabilities were published for openjfx. > > CVE-2017-10086[0] and CVE-2017-10114[1]. > > Unfortunately it's

Bug#860566: fixed in batik 1.9-1

2017-10-01 Thread Moritz Muehlenhoff
On Mon, Sep 04, 2017 at 06:19:28AM +, Christopher Hoskin wrote: > Changes: > batik (1.9-1) unstable; urgency=medium [..] >* New upstream (1.9) >+ Fix "CVE-2017-5662: information disclosure vulnerability" Upstream > claim > BATIK-1139 is fixed in 1.9 (Closes: #860566)

Bug#867493: CVE-2016-2141

2017-07-06 Thread Moritz Muehlenhoff
Package: libjgroups-java Severity: important Tags: security This was assigned CVE-2016-2141: https://issues.jboss.org/browse/JGRP-2021?_sscc=t Cheers, Moritz __ This is the maintainer address of Debian's Java team

Bug#864405: CVE-2016-2666

2017-06-08 Thread Moritz Muehlenhoff
Source: undertow Severity: grave Tags: security There's no other reference than what Red Hat published here: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2666 Upstream needs to be contacted or the patch pulled from their update. Cheers, Moritz __ This is the maintainer address

Bug#863811: CVE-2017-5637

2017-05-31 Thread Moritz Muehlenhoff
Source: zookeeper Severity: grave Tags: security Please see https://issues.apache.org/jira/browse/ZOOKEEPER-2693 Fix is referenced here: https://github.com/apache/zookeeper/pull/183 I'm also attaching the debdiff I'll be using for jessie for reference. Cheers, Moritz diff -Nru

Bug#853998: CVE-2017-3250 / CVE-2017-3249 / CVE-2017-3247 / CVE-2016-5528 / CVE-2016-5519

2017-02-02 Thread Moritz Muehlenhoff
Source: glassfish Severity: grave Tags: security So Oracle has these lovely, unspecified vulnerabilities reported against Glassfish, but it's my understanding that the Debian package only provides a minor subset of what usually constitutes Java, so could you have a look, which of

Bug#851430: CVE-2016-9571

2017-01-14 Thread Moritz Muehlenhoff
Source: resteasy Severity: important Tags: security There's not a great deal of information on this one other than this Red Hat bugtracker entry: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9571 Cheers, Moritz __ This is the maintainer address of Debian's Java team

Bug#851408: CVE-2016-6814

2017-01-14 Thread Moritz Muehlenhoff
Source: groovy Severity: grave Tags: security Hi, please see http://seclists.org/oss-sec/2017/q1/92 Cheers, Moritz __ This is the maintainer address of Debian's Java team . Please use

Bug#793770: Cookie parsing bug may lead to 'HttpOnly' cookie bypass (CVE-2015-2156)

2017-01-09 Thread Moritz Muehlenhoff
severity 793770 grave thanks On Mon, Jul 27, 2015 at 11:51:53AM +0200, Luca Bruno wrote: > Source: netty-3.9 > Version: 3.9.0.Final-1 > Severity: important > Tags: security upstream patch > > LinkedIn Security Team discovered a "Cookie" header parsing bug in Netty > that could lead to universal

Bug#837170: CVE-2016-6345 / CVE-2016-6346 / CVE-2016-6347 / CVE-2016-6348

2016-09-09 Thread Moritz Muehlenhoff
Source: resteasy Severity: important Tags: security Red Hat reported a few vulnerabilities in RestEasy, they don't seem to be fixed in 3.0.19: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-6345 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-6346

Bug#832419: CVE-2016-3498

2016-07-25 Thread Moritz Muehlenhoff
Source: openjfx Severity: grave Tags: security CVE-2016-3498 from http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html#AppendixJAVA should affect openjfx. Cheers, Moritz __ This is the maintainer address of Debian's Java team

Bug#826653: CVE-2016-4437

2016-06-07 Thread Moritz Muehlenhoff
Source: shiro Severity: grave Tags: security The following was reported on oss-security. shiro doesn't seem to have any rdeps in Debian. Cheers, Moritz Severity: Important Vendor: The Apache Software Foundation Versions Affected: 1.0.0-incubating - 1.2.4 Description: A default cipher

Bug#825501: CVE-2016-4434

2016-05-27 Thread Moritz Muehlenhoff
Source: tika Severity: grave Tags: security Hi, please see http://seclists.org/oss-sec/2016/q2/413 for details. Cheers, Moritz __ This is the maintainer address of Debian's Java team . Please use

Bug#823703: CVE-2016-3720

2016-05-07 Thread Moritz Muehlenhoff
Source: jackson-dataformat-xml Severity: grave Tags: security jackson-dataformat-xml is susceptible to XXE attacks, this was assigned CVE-2016-3720. Fix is here: https://github.com/FasterXML/jackson-dataformat-xml/commit/f0f19a4c924d9db9a1e2830434061c8640092cc0 Cheers, Moritz __ This is
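For readers of the jackson-dataformat-xml report above, the following is an added illustration (not code from the original message, nor the upstream fix referenced there) of how an XmlMapper is made to refuse external entities: the StAX XMLInputFactory handed to Jackson has DTD support and external-entity resolution switched off before the mapper is built. The payload, the Note class and the class name XxeHardening are constructed for this example; the Jackson and javax.xml.stream calls are the public API of those libraries. Whether the hardened parser throws on the DOCTYPE or parses with the entity left unresolved depends on the StAX implementation on the classpath, so both outcomes are handled.

```java
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLOutputFactory;

import com.fasterxml.jackson.dataformat.xml.XmlFactory;
import com.fasterxml.jackson.dataformat.xml.XmlMapper;

public class XxeHardening {

    // Constructed sample payload: an internal DTD subset declaring an external
    // entity that points at a local file. A parser that resolves it leaks the
    // file contents into the deserialized object.
    static final String PAYLOAD =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE Note [<!ENTITY xxe SYSTEM \"file:///etc/hostname\">]>\n"
        + "<Note><text>&xxe;</text></Note>";

    // Minimal target type for the example (assumption, not from the report).
    public static class Note {
        public String text;
    }

    // Vulnerable shape: a mapper on top of an XMLInputFactory with library
    // defaults. Older StAX implementations resolve external entities by default.
    public static XmlMapper defaultMapper() {
        XMLInputFactory in = XMLInputFactory.newInstance();
        return new XmlMapper(new XmlFactory(in, XMLOutputFactory.newInstance()));
    }

    // Hardened shape: DTD processing and external-entity resolution are disabled
    // on the input factory before Jackson ever sees it.
    public static XmlMapper hardenedMapper() {
        XMLInputFactory in = XMLInputFactory.newInstance();
        in.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        in.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return new XmlMapper(new XmlFactory(in, XMLOutputFactory.newInstance()));
    }

    // Returns a short description of what a mapper does with the payload.
    public static String probe(XmlMapper mapper) {
        try {
            Note n = mapper.readValue(PAYLOAD, Note.class);
            if (n.text != null && !n.text.isEmpty()) {
                return "entity resolved, leaked: " + n.text;
            }
            return "parsed, entity left unresolved";
        } catch (Exception e) {
            return "rejected: " + e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) {
        System.out.println("default  -> " + probe(defaultMapper()));
        System.out.println("hardened -> " + probe(hardenedMapper()));
    }
}
```

Run it against a pre-fix jackson-dataformat-xml with Woodstox on the classpath and the first line shows the file content; the hardened mapper never reaches the entity. Current releases build their default XmlMapper in the hardened way, so the explicit factory configuration mainly matters when an application supplies its own XMLInputFactory.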

Bug#823622: CVE-2015-4901 CVE-2015-4906 CVE-2015-4908 CVE-2015-4916

2016-05-06 Thread Moritz Muehlenhoff
Source: openjfx Severity: grave Tags: security The four security issues from October's Java CPU are still unfixed, right? http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html Cheers, Moritz __ This is the maintainer address of Debian's Java team

Bug#819259: Don't include in stretch

2016-03-25 Thread Moritz Muehlenhoff
Source: tomcat7 Severity: serious stretch should only provide one version of Tomcat. Cheers, Moritz __ This is the maintainer address of Debian's Java team . Please use debian-j...@lists.debian.org for

Bug#804522: jenkins: Unauthenticated remote code execution 0-day in Jenkins CLI

2015-11-09 Thread Moritz Muehlenhoff
Package: jenkins Severity: grave Tags: security Justification: user security hole Hi, please see https://jenkins-ci.org/content/mitigating-unauthenticated-remote-code-execution-0-day-jenkins-cli Cheers, Moritz __ This is the maintainer address of Debian's Java team

Bug#804522: jenkins: Unauthenticated remote code execution 0-day in Jenkins CLI

2015-11-09 Thread Moritz Muehlenhoff
On Mon, Nov 09, 2015 at 09:25:20AM +0100, Emmanuel Bourg wrote: > Hi Moritz, > > If I'm not mistaken this vulnerability is actually linked to a dangerous > deserialization in commons-collections if the input isn't properly > sanitized. Indeed, I intended to file a separate bug for those (but I

Bug#803713: Keep out of testing

2015-11-01 Thread Moritz Muehlenhoff
Source: elasticsearch Severity: serious See DSA 3389, upstream security policies are not compatible with being in stable. Cheers, Moritz __ This is the maintainer address of Debian's Java team . Please use

Bug#799280: Depends on gstreamer 0.10

2015-09-17 Thread Moritz Muehlenhoff
Source: openjfx Severity: serious Hi, openjfx build-depends on gstreamer 0.10, which is scheduled for removal from the archive. Please see https://lists.debian.org/debian-devel/2015/05/msg00335.html for details. Cheers, Moritz __ This is the maintainer address of Debian's Java team

Re: Bug#793984: jessie-pu: package groovy/1.8.6-4

2015-08-31 Thread Moritz Muehlenhoff
On Thu, Aug 20, 2015 at 08:26:05AM -0300, Miguel Landaeta wrote: > On Wed, Aug 19, 2015 at 07:05:26PM +0100, Adam D. Barratt wrote: > > > > I just realised that I somehow overlooked the fact that #793397 isn't > > fixed in unstable yet - what's the plan for that? > > I intend to fix this soon

Bug#796137: CVE-2015-3192

2015-08-19 Thread Moritz Muehlenhoff
Source: libspring-java Severity: important Tags: security Please see https://pivotal.io/security/cve-2015-3192 Cheers, Moritz __ This is the maintainer address of Debian's Java team http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers. Please use

Bug#793911: groovy should not release with stretch

2015-07-28 Thread Moritz Muehlenhoff
Package: groovy Severity: serious A separate source package groovy2 was uploaded, so reverse dependencies need to be migrated to that one and groovy removed. Cheers, Moritz __ This is the maintainer address of Debian's Java team

Bug#793492: Should this package be removed?

2015-07-24 Thread Moritz Muehlenhoff
Package: azureus Severity: serious The version of azureus currently in the archive has been uploaded in 2009 and is many upstream releases behind. It has been dropped from testing back in 2013 and the last upload was in 2011. Since there's apparently no current maintenance interest in

Bug#792857: CVE-2014-3576

2015-07-19 Thread Moritz Muehlenhoff
Source: activemq Severity: grave Tags: security https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3576 is scarce on details, but per the fixed upstream release probably affects oldstable and stable. Cheers, Moritz __ This is the maintainer address of Debian's Java team

Bug#780383: libopensaml2-java: CVE-2015-1796

2015-06-29 Thread Moritz Muehlenhoff
On Sat, May 09, 2015 at 08:35:13AM -0700, tony mancill wrote: On 05/06/2015 10:54 PM, tony mancill wrote: An update on this... I'm in the midst of packaging 2.6.5, but it in turn requires an update to libxmltooling-java to version 1.4.4, which I am working on now. In an email exchange

Bug#787316: CVE-2015-1833

2015-05-31 Thread Moritz Muehlenhoff
Source: jackrabbit Severity: grave Tags: security Hi, please see https://issues.apache.org/jira/browse/JCR-3883 Cheers, Moritz __ This is the maintainer address of Debian's Java team http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers. Please use

Bug#781223: jenkins: Multiple security issues

2015-03-26 Thread Moritz Muehlenhoff
Package: jenkins Severity: grave Tags: security Justification: user security hole Hi, please see https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-03-23: SECURITY-171 is CVE-2015-1812 SECURITY-177 is CVE-2015-1813 SECURITY-180 is CVE-2015-1814 and

Bug#758086: CVE-2012-6153: Apache HttpComponents client: Hostname verification susceptible to MITM attack

2015-03-23 Thread Moritz Muehlenhoff
On Mon, Dec 29, 2014 at 10:25:24PM +0100, Moritz Mühlenhoff wrote: On Mon, Sep 22, 2014 at 03:56:00PM +0200, Raphael Hertzog wrote: Hi, On Mon, 18 Aug 2014, Salvatore Bonaccorso wrote: On Thu, Aug 14, 2014 at 11:43:32PM +0200, Emmanuel Bourg wrote: Is there an example available

Bug#780102: libjbcrypt-java: CVE-2015-0886

2015-03-09 Thread Moritz Muehlenhoff
Package: libjbcrypt-java Severity: grave Tags: security Justification: user security hole Hi, please see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0886 http://www.mindrot.org/projects/jBCrypt/news/rel04.html https://bugzilla.mindrot.org/show_bug.cgi?id=2097 Cheers, Moritz

Bug#779621: jakarta-taglibs-standard: CVE-2015-0254

2015-03-02 Thread Moritz Muehlenhoff
Package: jakarta-taglibs-standard Severity: important Tags: security Please see http://www.securityfocus.com/archive/1/534772 Cheers, Moritz __ This is the maintainer address of Debian's Java team http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers. Please use

Bug#762690: libhibernate-validator-java: affected by CVE-2014-3558

2015-03-02 Thread Moritz Muehlenhoff
severity 762690 important thx On Sun, Nov 02, 2014 at 11:38:30PM +0100, Emmanuel Bourg wrote: libhibernate-validator-java is only used as a build dependency of libhibernate3-java. No package depends on it at runtime, so the risk of being affected by this vulnerability is rather low, if not

Bug#777196: activemq: CVE-2014-8110 CVE-2014-3612 CVE-2014-3600

2015-02-17 Thread Moritz Muehlenhoff
On Fri, Feb 06, 2015 at 01:56:35PM +0100, Emmanuel Bourg wrote: For CVE-2014-3600: https://github.com/apache/activemq/commit/b9696ac8 https://issues.apache.org/jira/browse/AMQ-5333 Could you please upload a fixed package for CVE-2014-3612 and CVE-2014-3600? Cheers, Moritz __ This is

Bug#777741: wss4j: CVE-2015-0226 CVE-2015-0227

2015-02-11 Thread Moritz Muehlenhoff
Package: wss4j Severity: grave Tags: security Justification: user security hole Hi, please see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-0226 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-0227 Cheers, Moritz __ This is the maintainer address of Debian's Java team

Bug#777196: activemq: CVE-2014-8110 CVE-2014-3612 CVE-2014-3600

2015-02-05 Thread Moritz Muehlenhoff
Package: activemq Severity: important Tags: security Hi, please see http://activemq.apache.org/security-advisories.data/CVE-2014-8110-announcement.txt (but the admin console isn't enabled, so this should be moot? (702670))

Bug#775171: libapache-poi-java: CVE-2014-9527

2015-01-11 Thread Moritz Muehlenhoff
Package: libapache-poi-java Severity: important Tags: security Justification: user security hole This was assigned CVE-2014-9527: https://issues.apache.org/bugzilla/show_bug.cgi?id=57272 Could you please make a targeted fix for jessie? Cheers, Moritz __ This is the maintainer address

Bug#774050: CVE-2014-9390

2014-12-27 Thread Moritz Muehlenhoff
Source: jgit Severity: important Tags: security jgit is also affected by the recent git vulnerability: http://openwall.com/lists/oss-security/2014/12/18/21 Cheers, Moritz __ This is the maintainer address of Debian's Java team

Bug#773364: async-http-client: CVE-2013-7397 CVE-2013-7398

2014-12-17 Thread Moritz Muehlenhoff
Package: async-http-client Severity: important Tags: security Hi, please see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-7397 : https://github.com/AsyncHttpClient/async-http-client/issues/352 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-7398 :

Bug#773364: async-http-client: CVE-2013-7397 CVE-2013-7398

2014-12-17 Thread Moritz Muehlenhoff
On Wed, Dec 17, 2014 at 06:08:00PM +0100, Emmanuel Bourg wrote: Hi Moritz, Thank you for the report Le 17/12/2014 15:43, Moritz Muehlenhoff a écrit : https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-7397 : https://github.com/AsyncHttpClient/async-http-client/issues/352 https

Bug#760733: libspring-java: CVE-2014-0225

2014-11-26 Thread Moritz Muehlenhoff
On Wed, Nov 26, 2014 at 12:40:37PM +0100, Emmanuel Bourg wrote: I've been investigating this issue as well. I contacted an upstream developer and it seems the actual fix for this issue is unknown. The version 3.2.0 was just reported as not vulnerable by the security researcher who discovered

Bug#763608: CVE-2014-3607

2014-10-01 Thread Moritz Muehlenhoff
Source: libvt-ldap-java Severity: grave Tags: security This has been assigned CVE-2014-3607: https://code.google.com/p/vt-middleware/issues/detail?id=226 http://shibboleth.net/community/advisories/secadv_20140919.txt Cheers, Moritz __ This is the maintainer address of Debian's Java

Bug#758516: Struts 1.2 should not be shipped with jessie

2014-09-17 Thread Moritz Muehlenhoff
On Tue, Sep 16, 2014 at 12:12:03AM +0200, Emmanuel Bourg wrote: Le 15/09/2014 23:56, Moritz Mühlenhoff a écrit : Then it should be easy to remove? Actually it's easier to keep it, since a removal induces more work to update the reverse dependencies. Well, but if we keep old,

Bug#759526: not-yet-commons-ssl: CVE-2014-3604

2014-08-28 Thread Moritz Muehlenhoff
Package: not-yet-commons-ssl Severity: grave Tags: security Justification: user security hole This was assigned CVE-2014-3604: http://lists.juliusdavies.ca/pipermail/not-yet-commons-ssl-juliusdavies.ca/2014-August/000832.html Cheers, Moritz __ This is the maintainer address of Debian's

Bug#759470: libopensaml2-java: CVE-2014-3603

2014-08-27 Thread Moritz Muehlenhoff
Package: libopensaml2-java Severity: grave Tags: security Justification: user security hole Please see http://shibboleth.net/community/advisories/secadv_20140813.txt Cheers, Moritz __ This is the maintainer address of Debian's Java team

Bug#758516: Struts 1.2 should not be shipped with jessie

2014-08-18 Thread Moritz Muehlenhoff
Package: libstruts1.2-java Severity: serious Struts 1.x is EOLed upstream, it should not be included in jessie: http://mail-archives.apache.org/mod_mbox/struts-announcements/201404.mbox/%3C535F5F52.4040108%40apache.org%3E Cheers, Moritz __ This is the maintainer address of Debian's Java

Bug#753470: libspring-java: CVE-2014-0225

2014-07-02 Thread Moritz Muehlenhoff
Package: libspring-java Severity: grave Tags: security Justification: user security hole Hi, please see http://www.gopivotal.com/security/cve-2014-0225 Cheers, Moritz __ This is the maintainer address of Debian's Java team

Bug#741604: libspring-java: Multiple security issues

2014-03-14 Thread Moritz Muehlenhoff
Package: libspring-java Severity: grave Tags: security Justification: user security hole http://www.gopivotal.com/security/cve-2014-0054 http://www.gopivotal.com/security/cve-2014-1904 I'm not sure whether these are worth a DSA? Cheers, Moritz __ This is the maintainer address of

Bug#740586: mojarra: CVE-2013-5855

2014-03-03 Thread Moritz Muehlenhoff
Package: mojarra Severity: grave Tags: security Justification: user security hole Hi, this was assigned CVE-2013-5855: https://java.net/jira/browse/JAVASERVERFACES-3150 Fix: https://java.net/projects/mojarra/sources/svn/revision/12793 Cheers, Moritz __ This is the maintainer address of

Bug#736426: freehep-graphicsio-svg: Recompilation of the package breaks other packages

2014-02-19 Thread Moritz Muehlenhoff
On Tue, Jan 28, 2014 at 07:45:41AM +0100, Moritz Muehlenhoff wrote: On Fri, Jan 24, 2014 at 10:49:06AM +0100, Moritz Muehlenhoff wrote: I did some digging in the reverse deps and found the following bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=688043 In fact, adding

Re: freehep-graphicsio-svg: Recompilation of the package breaks other packages

2014-01-27 Thread Moritz Muehlenhoff
On Fri, Jan 24, 2014 at 10:49:06AM +0100, Moritz Muehlenhoff wrote: I did some digging in the reverse deps and found the following bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=688043 In fact, adding that patch to the version of maven-debian-helper in Wheezy and rebuilding

Re: freehep-graphicsio-svg: Recompilation of the package breaks other packages

2014-01-24 Thread Moritz Muehlenhoff
On Thu, Jan 23, 2014 at 04:13:19PM +0100, Moritz Muehlenhoff wrote: Package: freehep-graphicsio-svg Version: 2.1.1-3 Severity: serious I ran into the following bug with stable, but the version is the same as in unstable: If I compile geogebra with the binary deb package as shipped

Bug#736426: freehep-graphicsio-svg: Recompilation of the package breaks other packages

2014-01-23 Thread Moritz Muehlenhoff
Package: freehep-graphicsio-svg Version: 2.1.1-3 Severity: serious I ran into the following bug with stable, but the version is the same as in unstable: If I compile geogebra with the binary deb package as shipped in stable it compiles fine. However, if I rebuild freehep-graphicsio-svg in

Bug#735420: libspring-java: CVE-2013-6429 CVE-2013-6430

2014-01-15 Thread Moritz Muehlenhoff
Package: libspring-java Severity: grave Tags: security Justification: user security hole Please see http://www.gopivotal.com/security/cve-2013-6429 http://www.gopivotal.com/security/cve-2013-6430 Cheers, Moritz __ This is the maintainer address of Debian's Java team

Bug#733938: libxml-security-java: CVE-2013-4517

2014-01-02 Thread Moritz Muehlenhoff
Package: libxml-security-java Severity: grave Tags: security Justification: user security hole Please see http://santuario.apache.org/secadv.data/cve-2013-4517.txt.asc Please prepare updated oldstable-security/stable-security packages for this issue and CVE-2013-2172 (as fixed in 1.5.5-2) and

Bug#732708: jenkins: CVE-2013-5573

2013-12-20 Thread Moritz Muehlenhoff
Package: jenkins Severity: important Tags: security Please see http://seclists.org/fulldisclosure/2013/Dec/159 __ This is the maintainer address of Debian's Java team http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers. Please use debian-j...@lists.debian.org for

Bug#731113: lucene-solr: CVE-2013-6397 CVE-2013-6407 CVE-2013-6408

2013-12-11 Thread Moritz Muehlenhoff
On Mon, Dec 02, 2013 at 09:56:04AM +0100, Moritz Muehlenhoff wrote: CVE-2013-6407: https://issues.apache.org/jira/browse/SOLR-3895 An additional CVE ID has been assigned to this issue: CVE-2012-6612 Cheers, Moritz __ This is the maintainer address of Debian's Java team http

Bug#731113: lucene-solr: CVE-2013-6397 CVE-2013-6407 CVE-2013-6408

2013-12-02 Thread Moritz Muehlenhoff
Package: lucene-solr Severity: grave Tags: security Justification: user security hole CVE-2013-6397: https://issues.apache.org/jira/browse/SOLR-4882 CVE-2013-6407: https://issues.apache.org/jira/browse/SOLR-3895 CVE-2013-6408: https://issues.apache.org/jira/browse/SOLR-4881 Cheers,

Bug#730457: jenkins: CVE-2013-6372 CVE-2013-6373 CVE-2013-6374

2013-11-25 Thread Moritz Muehlenhoff
Package: jenkins Severity: grave Tags: security Justification: user security hole Please see https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-11-20 for references and patches. Cheers, Moritz __ This is the maintainer address of Debian's Java team

Bug#726601: libcommons-fileupload-java: CVE-2013-218

2013-10-16 Thread Moritz Muehlenhoff
Package: libcommons-fileupload-java Severity: grave Tags: security Justification: user security hole Red Hat fixed a security issue in Commons FileUpload: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2186 Cheers, Moritz __ This is the maintainer address of Debian's Java team

Bug#722290: Please migrate from ffmpeg to libav-tools

2013-09-09 Thread Moritz Muehlenhoff
Package: jsymphonic Severity: normal User: pkg-multimedia-maintain...@lists.alioth.debian.org Usertags: ffmpeg-removal The ffmpeg binary package is no longer provided from libav. Please port your package to the avconv tools from libav-tools. Cheers, Moritz -- System Information: Debian

Bug#720902: libspring-java: CVE-2013-4152

2013-08-26 Thread Moritz Muehlenhoff
Package: libspring-java Severity: grave Tags: security Justification: user security hole Please see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4152 for details. Cheers, Moritz __ This is the maintainer address of Debian's Java team

Bug#717031: libjgroups-java: CVE-2013-4112

2013-07-16 Thread Moritz Muehlenhoff
Package: libjgroups-java Severity: grave Tags: security Justification: user security hole Please see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4112 __ This is the maintainer address of Debian's Java team http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers.

Bug#716937: openjpa: CVE-2013-1768

2013-07-14 Thread Moritz Muehlenhoff
Package: openjpa Severity: grave Tags: security Justification: user security hole Please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1768 Cheers, Moritz __ This is the maintainer address of Debian's Java team

Bug#707704: tomcat7: CVE-2013-2071

2013-05-10 Thread Moritz Muehlenhoff
Package: tomcat7 Severity: important Tags: security Three security issues were reported in tomcat today: http://tomcat.apache.org/security-7.html CVE-2013-2067 and CVE-2012-3544 were made public today, but already fixed in past releases. Hence, in comparison to stable/oldstable sid is already

Bug#695250: tomcat6: CVE-2012-4534 CVE-2012-4431 CVE-2012-3546

2012-12-07 Thread Moritz Muehlenhoff
On Thu, Dec 06, 2012 at 10:23:17PM -0800, tony mancill wrote: On 12/05/2012 11:43 PM, Moritz Muehlenhoff wrote: Package: tomcat6 Severity: grave Tags: security Justification: user security hole More Tomcat security issues have been disclosed: http://tomcat.apache.org/security-6

Bug#695250: tomcat6: CVE-2012-4534 CVE-2012-4431 CVE-2012-3546

2012-12-05 Thread Moritz Muehlenhoff
Package: tomcat6 Severity: grave Tags: security Justification: user security hole More Tomcat security issues have been disclosed: http://tomcat.apache.org/security-6.html The page contains links to the upstream fixes. BTW, is there a specific reason why both tomcat6 and tomcat7 are present in

Bug#695251: tomcat7: CVE-2012-4431 CVE-2012-4534 CVE-2012-3546

2012-12-05 Thread Moritz Muehlenhoff
Package: tomcat7 Severity: grave Tags: security Justification: user security hole New security issues in Tomcat have been disclosed: http://tomcat.apache.org/security-7.html The page contains links to upstream fixes. Cheers, Moritz __ This is the maintainer address of Debian's Java

Bug#694694: jruby: CVE-2012-5370

2012-11-29 Thread Moritz Muehlenhoff
Package: jruby Severity: grave Tags: security Justification: user security hole Hi, please see the Red Hat bug for details: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-5370 Cheers, Moritz __ This is the maintainer address of Debian's Java team

Bug#692650: axis: CVE-2012-5784

2012-11-07 Thread Moritz Muehlenhoff
Package: axis Severity: grave Tags: security Justification: user security hole CVE-2012-5784 has been assigned to Axis being affected by the issues described in this paper: http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf (See Section 8.1) Cheers, Moritz __ This is the maintainer address

Bug#692439: tomcat6: CVE-2012-2733 CVE-2012-3439

2012-11-06 Thread Moritz Muehlenhoff
Package: tomcat6 Severity: grave Tags: security Justification: user security hole Please see http://tomcat.apache.org/security-6.html Since Wheezy is frozen, please apply isolated security fixes and do not update to a new upstream release. BTW, is it really necessary to have both tomcat6 and

Bug#692440: tomcat7: CVE-2012-2733 CVE-2012-3439

2012-11-06 Thread Moritz Muehlenhoff
Package: tomcat7 Severity: grave Tags: security Justification: user security hole Please see http://tomcat.apache.org/security-7.html Since Wheezy is frozen, please apply isolated security fixes instead of updating to a new upstream release. Cheers, Moritz __ This is the maintainer

Bug#692442: CVE-2012-5783: Insecure certificate validation

2012-11-06 Thread Moritz Muehlenhoff
Package: commons-httpclient Severity: important Tags: security Please see Section 7.5 of this paper: http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf This has been assigned CVE-2012-5783. I'm not sure if we can backport more correct certificate validation to 3.x, but independent of that it might

Bug#688298: jenkins: Multiple security issues

2012-09-21 Thread Moritz Muehlenhoff
Package: jenkins Severity: grave Tags: security Justification: user security hole Please see http://www.cloudbees.com/jenkins-advisory/jenkins-security-advisory-2012-09-17.cb CVE IDs have been assigned: http://seclists.org/oss-sec/2012/q3/521 Remember Debian is frozen, so please upload only

Bug#686867: jruby: CVE-2011-4838

2012-09-20 Thread Moritz Muehlenhoff
On Thu, Sep 20, 2012 at 12:10:30PM -0700, tony mancill wrote: On 09/20/2012 07:05 AM, Hideki Yamane wrote: It's my mistake that using static version for symlink... sorry for the mess. And a bit confusion for versioning, so prepared fix as below. If it seems to be okay, I'll upload to

Bug#686867: jruby: CVE-2011-4838

2012-09-06 Thread Moritz Muehlenhoff
Package: jruby Severity: grave Tags: security Justification: user security hole Hi, jruby in Wheezy is still affected by http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4838

Bug#677194: CVE-2012-2672

2012-06-12 Thread Moritz Muehlenhoff
Package: mojarra Severity: grave Tags: security Please see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-2672 I'm not sure if Debian is affected, please verify. Cheers, Moritz __ This is the maintainer address of Debian's Java team

Bug#674448: CVE-2012-2098

2012-05-24 Thread Moritz Muehlenhoff
Package: libcommons-compress-java Version: 1.2-1 Severity: grave Tags: security Please see https://commons.apache.org/compress/security.html Fixed in 1.4.1. This doesn't warrant a DSA, but you could fix it through a point update for Squeeze 6.0.6. Cheers, Moritz __ This is the

Bug#670901: Spring: Multiple security issues

2012-04-30 Thread Moritz Muehlenhoff
Package: libspring-security-2.0-java Severity: grave Tags: security Please see http://www.securityfocus.com/archive/1/519593/30/0/threaded http://www.springsource.com/security/cve-2011-2731 http://www.springsource.com/security/cve-2011-2732 http://www.springsource.com/security/cve-2011-2894

Bug#667601: Recompiling commons-beanutils in sid makes libcommons-digester-java FTBFS

2012-04-05 Thread Moritz Muehlenhoff
Package: commons-beanutils Version: 1.8.3-2 Severity: serious Tags: patch Similar story to 667000, 667011 and 667016 (caused by new Maven helper): Recompiling commons-beanutils in sid makes libcommons-digester-java FTBFS. Patch attached. Cheers, Moritz UCS Bug #26186 diff -aur

Bug#657870: Multiple issues in Struts

2012-04-05 Thread Moritz Muehlenhoff
There was another report for a Struts security issue: CVE-2012-1592: http://seclists.org/bugtraq/2012/Mar/110 Can you please contact upstream to ask whether this needs to be fixed in our Struts 1.2? Cheers, Moritz __ This is the maintainer address of Debian's Java team

Bug#667000: Rebuilding objenesis from source makes mockito FTBFS

2012-04-03 Thread Moritz Muehlenhoff
Package: objenesis Version: 1.2+full-1 Severity: serious I'm filing this against objenesis, since this appears to be where the error is coming from. mockito builds fine if I use the pre-built deb from the archive. However, when recompiling objenesis in sid and installing the resulting binaries,

Bug#667016: Rebuilding jtidy in sid makes lucene FTBFS

2012-04-03 Thread Moritz Muehlenhoff
Package: jtidy Version: 7+svn20110807-3 Severity: serious This is a similar bug to 667000 and 667011: Rebuilding jtidy in sid makes lucene2 fail to build from source: [..] common.compile-core: [mkdir] Created dir:

Bug#663548: stapler: FTBFS: IO error: opening debian/libstapler-java/debian/libstapler-java//usr/share/java/stapler.jar for read : No such file or directory

2012-03-12 Thread Moritz Muehlenhoff
Package: stapler Version: 1.174-1 Severity: serious Your package fails to build from source: dh_bugfiles -plibstapler-java dh_install -plibstapler-java dh_link -plibstapler-java dh_buildinfo -plibstapler-java dh_installmime -plibstapler-java dh_installgsettings -plibstapler-java

Bug#663569: libspring-webflow-2.0-java: FTBFS: libspring-webflow-2.0-java-2.0.9.RELEASE/debian/build.xml:46: Compile failed; see the compiler error output for details.

2012-03-12 Thread Moritz Muehlenhoff
Package: libspring-webflow-2.0-java Version: 2.0.9.RELEASE-3 Severity: serious Your package fails to build from source: jar-spring-js: [jar] Building jar: /home/jmm/libspring-webflow-2.0-java-2.0.9.RELEASE/dist/spring-js-2.0.9.RELEASE.jar compile-spring-webflow: [javac] Compiling 311

Bug#663106: libcommons-discovery-java: FTBFS: No jar in libcommons-discovery-java matching usr/share/java/commons-discovery.jar.

2012-03-08 Thread Moritz Muehlenhoff
Package: libcommons-discovery-java Version: 0.5-2 Severity: serious Your package fails to build from source: [INFO] BUILD SUCCESSFUL [INFO] [INFO] Total time: 2 seconds [INFO] Finished at: Wed Mar 07 12:08:03 CET 2012

Bug#662807: junit4: FTBFS

2012-03-06 Thread Moritz Muehlenhoff
Package: junit4 Version: 4.8.2-2 Severity: serious Your package fails to build from source: compile: [mkdir] Created dir: /home/jmm/junit4-4.8.2/build/generated-sources [javac] /usr/share/maven-ant-helper/maven-build.xml:337: warning: 'includeantruntime' was not set, defaulting to

Bug#662811: jmock2: FTBFS

2012-03-06 Thread Moritz Muehlenhoff
Package: jmock2 Version: 2.5.1+dfsg-1 Severity: serious Your package fails to build from source: compile: [mkdir] Created dir: /home/jmm/jmock2-2.5.1+dfsg/build/classes [javac] /home/jmm/jmock2-2.5.1+dfsg/build.xml:61: warning: 'includeantruntime' was not set, defaulting to

Bug#661691: FTBFS

2012-02-29 Thread Moritz Muehlenhoff
Package: jenkins-crypto-util Version: 1.1-1 Severity: serious Your package fails to build from source: [INFO] Compiling 2 source files to /home/jmm/jenkins-crypto-util-1.1/target/classes [INFO] [resources:testResources {execution: default-testResources}] [WARNING] Using platform encoding