GNU bug report logs

#47342 java-xstream@1.4.15 is vulnerable to CVE-2021-21341, CVE-2021-21342, CVE-2021-21343, CVE-2021-21344, CVE-2021-21345, CVE-2021-21346, CVE-2021-21347, CVE-2021-21348, CVE-2021-21349, CVE-2021-21350 and CVE-2021-21351

PackageSource(s)Maintainer(s)
guix PTS Buildd Popcon
Full log

Message #5 received at submit@debbugs.gnu.org (full text, mbox, reply):

Received: (at submit) by debbugs.gnu.org; 23 Mar 2021 14:33:36 +0000
From debbugs-submit-bounces@debbugs.gnu.org Tue Mar 23 10:33:36 2021
Received: from localhost ([127.0.0.1]:60917 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1lOi6C-0006jA-17
	for submit@debbugs.gnu.org; Tue, 23 Mar 2021 10:33:36 -0400
Received: from lists.gnu.org ([209.51.188.17]:55080)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <lle-bout@zaclys.net>) id 1lOi68-0006iy-E8
 for submit@debbugs.gnu.org; Tue, 23 Mar 2021 10:33:34 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:47924)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <lle-bout@zaclys.net>)
 id 1lOi68-0006xo-3N
 for bug-guix@gnu.org; Tue, 23 Mar 2021 10:33:32 -0400
Received: from mail.zaclys.net ([178.33.93.72]:51161)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <lle-bout@zaclys.net>)
 id 1lOi65-0002IX-Dv
 for bug-guix@gnu.org; Tue, 23 Mar 2021 10:33:31 -0400
Received: from guix-xps.local (lsl43-1_migr-78-195-19-20.fbx.proxad.net
 [78.195.19.20] (may be forged)) (authenticated bits=0)
 by mail.zaclys.net (8.14.7/8.14.7) with ESMTP id 12NEXQPf034955
 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO)
 for <bug-guix@gnu.org>; Tue, 23 Mar 2021 15:33:27 +0100
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.zaclys.net 12NEXQPf034955
Authentication-Results: mail.zaclys.net;
 dmarc=fail (p=reject dis=none) header.from=zaclys.net
Authentication-Results: mail.zaclys.net;
 spf=fail smtp.mailfrom=lle-bout@zaclys.net
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zaclys.net;
 s=default; t=1616510007;
 bh=/GoS773fvVeOaR4gjsjKcQcdWz6NxlsT3IPCVgQUBXE=;
 h=Subject:From:To:Date:From;
 b=cy///fg06GDr2Zla0WFun9oSQeoQrNXMEYU4UuUWfvFTdwNNC+nExMaU5QSUWibrK
 OwnK0s/nmW7y4rqEkKNiBqpB32v+CPQSm+TybxVFrNJAotbLFahZuI1j/rWL6ew65f
 WHl3Q6hOrISveG0eH4c36B2AoZtfI91FYp7pXcaE=
Message-ID: <4b90a1518c9453ca529a5a6c4e12728cd0f2fbc7.camel@zaclys.net>
Subject: java-xstream@1.4.15 is vulnerable to CVE-2021-21341,
 CVE-2021-21342, CVE-2021-21343, CVE-2021-21344, CVE-2021-21345,
 CVE-2021-21346, CVE-2021-21347, CVE-2021-21348, CVE-2021-21349,
 CVE-2021-21350 and CVE-2021-21351
From: Léo Le Bouter <lle-bout@zaclys.net>
To: bug-guix@gnu.org
Date: Tue, 23 Mar 2021 15:33:26 +0100
Content-Type: multipart/signed; micalg="pgp-sha512";
 protocol="application/pgp-signature"; boundary="=-hscTnfjBcH+mdd0Wd+Sd"
User-Agent: Evolution 3.34.2 
MIME-Version: 1.0
Received-SPF: pass client-ip=178.33.93.72; envelope-from=lle-bout@zaclys.net;
 helo=mail.zaclys.net
X-Spam_score_int: -20
X-Spam_score: -2.1
X-Spam_bar: --
X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-Spam-Score: 1.4 (+)
X-Spam-Report: Spam detection software, running on the system "debbugs.gnu.org",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.
 Content preview:  Upstream has made a release: 1.4.16 - which fixes all the
 issues, following is an unfinished patchset that fixes the issues,
 java- mxparser
 package does not build and help from some more experienced J [...] 
 Content analysis details:   (1.4 points, 10.0 required)
 pts rule name              description
 ---- ---------------------- --------------------------------------------------
 1.0 SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)
 -0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
 -2.3 RCVD_IN_DNSWL_MED      RBL: Sender listed at https://www.dnswl.org/,
 medium trust [209.51.188.17 listed in list.dnswl.org]
 2.7 MAY_BE_FORGED          Relay IP's reverse DNS does not resolve to IP
X-Debbugs-Envelope-To: submit
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -2.3 (--)

[Message part 1 (text/plain, inline)]
Upstream has made a release: 1.4.16 - which fixes all the issues,
following is an unfinished patchset that fixes the issues, java-
mxparser package does not build and help from some more experienced
Java packagers is welcome to fix and push this patchset.

[signature.asc (application/pgp-signature, inline)]

Send a report that this bug log contains spam.

debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sun Dec 22 01:36:33 2024; Machine Name: wallace-server

GNU bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.