GNU bug report logs

#47342 java-xstream@1.4.15 is vulnerable to CVE-2021-21341, CVE-2021-21342, CVE-2021-21343, CVE-2021-21344, CVE-2021-21345, CVE-2021-21346, CVE-2021-21347, CVE-2021-21348, CVE-2021-21349, CVE-2021-21350 and CVE-2021-21351


Message #8 received at 47342@debbugs.gnu.org:

From: Léo Le Bouter <lle-bout@zaclys.net>
To: 47342@debbugs.gnu.org
Subject: [PATCH 2/2] gnu: java-xstream: Update to 1.4.16 [security fixes].
Date: Tue, 23 Mar 2021 15:38:40 +0100
Message-Id: <20210323143840.22600-2-lle-bout@zaclys.net>
X-Mailer: git-send-email 2.31.0
In-Reply-To: <20210323143840.22600-1-lle-bout@zaclys.net>
References: <20210323143840.22600-1-lle-bout@zaclys.net>
Cc: Léo Le Bouter <lle-bout@zaclys.net>

Fixes CVE-2021-21341, CVE-2021-21342, CVE-2021-21343, CVE-2021-21344,
CVE-2021-21345, CVE-2021-21346, CVE-2021-21347, CVE-2021-21348,
CVE-2021-21349, CVE-2021-21350 and CVE-2021-21351.

* gnu/packages/xml.scm (java-xstream): Update to 1.4.16.
[inputs]: Replace java-xpp3 with java-mxparser, the latter being a fork of the
former made by upstream.
---
 gnu/packages/xml.scm | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm
index 96287b3174..fdb8bff601 100644
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -2217,7 +2217,7 @@ outputting XML data from Java code.")
 (define-public java-xstream
   (package
     (name "java-xstream")
-    (version "1.4.15")
+    (version "1.4.16")
     (source
      (origin
        (method git-fetch)
@@ -2229,7 +2229,7 @@ outputting XML data from Java code.")
                                   version)))))
        (file-name (git-file-name name version))
        (sha256
-        (base32 "1178qryrjwjp44439pi5dxzd32896r5zs429z1qhlc09951r7mi9"))))
+        (base32 "16k2mc63h2fw7lxv74qmhg4p8q9hfrw114daa6nxwnpv08cnq755"))))
     (build-system ant-build-system)
     (arguments
      `(#:jar-name "xstream.jar"
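
Review bot: the new `base32` value in the `sha256` field is the only thing pinning what `git-fetch` retrieves, because the fetched reference is built from `version`, and the patch does not say how the hash was obtained. For a security update, please recompute it from a fresh checkout of the upstream 1.4.16 tag (for example with `guix hash -rx .` in that checkout) and confirm it matches this value before pushing.
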
@@ -2244,7 +2244,7 @@ outputting XML data from Java code.")
        ("java-joda-time" ,java-joda-time)
        ("java-jettison" ,java-jettison)
        ("java-xom" ,java-xom)
-       ("java-xpp3" ,java-xpp3)
+       ("java-mxparser" ,java-mxparser)
        ("java-dom4j" ,java-dom4j)
        ("java-stax2-api" ,java-stax2-api)
        ("java-woodstox-core" ,java-woodstox-core)
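
Review bot: the input label changes from "java-xpp3" to "java-mxparser" here, so anything elsewhere in the package definition that looks the input up by the old label would silently stop finding it; the hunk does not show the rest of `arguments`, so please confirm nothing there still refers to "java-xpp3". The `java-mxparser` variable also has to exist when this is applied. Since this is patch 2/2, the commit message could note that it depends on the first patch of the series.
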
-- 
2.31.0




