GNU bug report logs

#47342 java-xstream@1.4.15 is vulnerable to CVE-2021-21341, CVE-2021-21342, CVE-2021-21343, CVE-2021-21344, CVE-2021-21345, CVE-2021-21346, CVE-2021-21347, CVE-2021-21348, CVE-2021-21349, CVE-2021-21350 and CVE-2021-21351


Message #22 received at 47342@debbugs.gnu.org:

Date: Tue, 23 Mar 2021 13:42:48 -0400
In-Reply-To: <YFomec62TsA1v9tT@jasmine.lan>
References: <20210323143840.22600-1-lle-bout@zaclys.net>
 <20210323143840.22600-2-lle-bout@zaclys.net> <YFomec62TsA1v9tT@jasmine.lan>
Subject: Re: bug#47342: [PATCH 2/2] gnu: java-xstream: Update to 1.4.16
 [security fixes].
To: Leo Famulari <leo@famulari.name>
From: Julien Lepiller <julien@lepiller.eu>
Message-ID: <E106A45C-5393-4692-80DB-348BF9FC0DBF@lepiller.eu>
Cc: Léo Le Bouter <lle-bout@zaclys.net>,
 47342@debbugs.gnu.org
So, mxparser seems to be pretty easy to package, but it depends on xmlpull v1. Unfortunately, it was developed at Extreme! Lab at Indiana University, but their website has recently been "deprecated" and redirects to the internet archive.

This is an issue as we have xmlpull v2 and xpp3 whose sources have also disappeared. Not sure what to do about them?

I asked upstream (xstream) for guidance on where to find the sources on https://github.com/x-stream/mxparser/issues/3.

Once we have that information, I can take care of the xstream update.

On 23 March 2021 13:33:45 GMT-04:00, Leo Famulari <leo@famulari.name> wrote:
>On Tue, Mar 23, 2021 at 03:38:40PM +0100, Léo Le Bouter via Bug reports
>for GNU Guix wrote:
>> Fixes CVE-2021-21341, CVE-2021-21342, CVE-2021-21343, CVE-2021-21344,
>> CVE-2021-21345, CVE-2021-21346, CVE-2021-21347, CVE-2021-21348,
>> CVE-2021-21349, CVE-2021-21350 and CVE-2021-21351.
>> 
>> * gnu/packages/xml.scm (java-xstream): Update to 1.4.16.
>> [inputs]: Replace java-xpp3 with java-mxparser, the latter being a
>> fork of the former made by upstream.
>
>Thanks for the patch!
>
>Pinging Julien...
debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sun Dec 22 01:10:41 2024; Machine Name: wallace-server