From debbugs-submit-bounces@debbugs.gnu.org Tue Mar 23 10:33:36 2021
From: Léo Le Bouter
To: bug-guix@gnu.org
Date: Tue, 23 Mar 2021 15:33:26 +0100
Subject: java-xstream@1.4.15 is vulnerable to CVE-2021-21341, CVE-2021-21342, CVE-2021-21343, CVE-2021-21344, CVE-2021-21345, CVE-2021-21346, CVE-2021-21347, CVE-2021-21348, CVE-2021-21349, CVE-2021-21350 and CVE-2021-21351

Upstream has made a release: 1.4.16 - which fixes all the issues, following is an unfinished patchset that fixes the issues, java-mxparser package does not build and help from some more experienced Java packagers is welcome to fix and push this patchset.
From debbugs-submit-bounces@debbugs.gnu.org Tue Mar 23 10:38:51 2021
From: Léo Le Bouter
To: 47342@debbugs.gnu.org
Cc: Léo Le Bouter
Subject: [PATCH 2/2] gnu: java-xstream: Update to 1.4.16 [security fixes].
Date: Tue, 23 Mar 2021 15:38:40 +0100

Fixes CVE-2021-21341, CVE-2021-21342, CVE-2021-21343, CVE-2021-21344,
CVE-2021-21345, CVE-2021-21346, CVE-2021-21347, CVE-2021-21348,
CVE-2021-21349, CVE-2021-21350 and CVE-2021-21351.

* gnu/packages/xml.scm (java-xstream): Update to 1.4.16.
[inputs]: Replace java-xpp3 with java-mxparser, the latter being a fork of the
former made by upstream.
---
 gnu/packages/xml.scm | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm
index 96287b3174..fdb8bff601 100644
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -2217,7 +2217,7 @@ outputting XML data from Java code.") (define-public java-xstream (package (name "java-xstream") - (version "1.4.15") + (version "1.4.16") (source (origin (method git-fetch) @@ -2229,7 +2229,7 @@ outputting XML data from Java code.") version))))) (file-name (git-file-name name version)) (sha256 - (base32 "1178qryrjwjp44439pi5dxzd32896r5zs429z1qhlc09951r7mi9")))) + (base32 "16k2mc63h2fw7lxv74qmhg4p8q9hfrw114daa6nxwnpv08cnq755")))) (build-system ant-build-system) (arguments `(#:jar-name "xstream.jar" 
@@ -2244,7 +2244,7 @@ outputting XML data from Java code.") ("java-joda-time" ,java-joda-time) ("java-jettison" ,java-jettison) ("java-xom" ,java-xom) - ("java-xpp3" ,java-xpp3) + ("java-mxparser" ,java-mxparser) ("java-dom4j" ,java-dom4j) ("java-stax2-api" ,java-stax2-api) ("java-woodstox-core" ,java-woodstox-core)
--
2.31.0
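Review bot: the new `(base32 "16k2mc63h2fw7lxv74qmhg4p8q9hfrw114daa6nxwnpv08cnq755")` hash in the second hunk is the only integrity anchor for the git-fetch origin, and nothing in the patch says which upstream tag or commit it was computed from; the commit message should name the tag (or the `guix hash -rx` invocation run on that checkout) so a reviewer can reproduce the hash independently before this lands as a security update.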
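Review bot: the `- ("java-xpp3" ,java-xpp3)` / `+ ("java-mxparser" ,java-mxparser)` swap in the third hunk makes this patch depend on PATCH 1/2 defining `java-mxparser`, and the cover mail states that package does not build yet; until it does, `java-xstream` cannot be built either, so the series should be held or marked as work in progress rather than applied in order. Only the inputs list is touched here, so the commit message should also say whether the rest of the `java-xstream` definition (build arguments, test setup) was checked for remaining references to xpp3.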
From debbugs-submit-bounces@debbugs.gnu.org Tue Mar 23 10:38:51 2021
From: Léo Le Bouter
To: 47342@debbugs.gnu.org
Cc: Léo Le Bouter
Subject: [PATCH 1/2] gnu: Add java-mxparser.
Date: Tue, 23 Mar 2021 15:38:39 +0100

* gnu/packages/xml.scm (java-mxparser): New variable.
---
 gnu/packages/xml.scm | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm
index 2a72fc6ad2..96287b3174 100644
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -2256,6 +2256,34 @@ outputting XML data from Java code.") and back again.") (license license:bsd-3))) +(define-public java-mxparser + (package + (name "java-mxparser") + (version "1.2.1") + (source (origin + (method url-fetch) + (uri + (string-append + "https://repo1.maven.org/maven2/io/github/x-stream/mxparser/" + version "/mxparser-" version "-sources.jar")) + (sha256 + (base32 + "0mly55qbs2109wwbiz890n87r54iz7cykazl0rlsih6sg5lx8kdl")))) + (build-system ant-build-system) + (home-page "https://github.com/x-stream/mxparser") + (synopsis "Streaming pull XML parser forked from @code{java-xpp3}") + (description "Xml Pull Parser (in short XPP) is a streaming pull XML +parser and should be used when there is a need to process quickly and +efficiently all input elements (for example in SOAP processors). This +package is a stable XmlPull parsing engine that is based on ideas from XPP +and in particular XPP2 but completely revised and rewritten to take the best +advantage of JIT JVMs. + +MXParser is a fork of xpp3_min 1.1.7 containing only the parser with merged +changes of the Plexus fork. 
It is an implementation of the XMLPULL V1 API +(parser only).") + (license (license:non-copyleft "file://LICENSE.txt")))) + (define-public xmlrpc-c (package (name "xmlrpc-c")
--
2.31.0
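Review bot: the `java-mxparser` package added in this hunk declares no inputs and passes no `arguments` to `ant-build-system`, which is the likely reason it does not build: the description itself says MXParser is an implementation of the XMLPULL V1 API, so the XmlPull API classes must be on the compile classpath (the reply in this thread confirms it depends on xmlpull v1), and without `#:jar-name` (compare `#:jar-name "xstream.jar"` in the `java-xstream` definition earlier in the same file) the build system expects a `build.xml` inside the fetched `mxparser-1.2.1-sources.jar`, which a Maven sources jar normally does not carry. Fetching the Maven sources jar instead of the tagged revision of the `home-page` repository also leaves no VCS provenance for what is, in this series, a dependency of a security fix; if the upstream sources cannot be located, the commit message should say so and why this archive was chosen.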
From debbugs-submit-bounces@debbugs.gnu.org Tue Mar 23 11:09:17 2021
From: Léo Le Bouter
To: control@debbugs.gnu.org
Date: Tue, 23 Mar 2021 16:09:07 +0100
Subject:

tags 47342 + security
quit

From debbugs-submit-bounces@debbugs.gnu.org Tue Mar 23 13:33:57 2021
From: Leo Famulari
To: Léo Le Bouter via Bug reports for GNU Guix
Cc: Léo Le Bouter, 47342@debbugs.gnu.org, julien lepiller
Date: Tue, 23 Mar 2021 13:33:45 -0400
Subject: Re: bug#47342: [PATCH 2/2] gnu: java-xstream: Update to 1.4.16 [security fixes].

On Tue, Mar 23, 2021 at 03:38:40PM +0100, Léo Le Bouter via Bug reports for GNU Guix wrote:
> Fixes CVE-2021-21341, CVE-2021-21342, CVE-2021-21343, CVE-2021-21344,
> CVE-2021-21345, CVE-2021-21346, CVE-2021-21347, CVE-2021-21348,
> CVE-2021-21349, CVE-2021-21350 and CVE-2021-21351.
>
> * gnu/packages/xml.scm (java-xstream): Update to 1.4.16.
> [inputs]: Replace java-xpp3 with java-mxparser, the latter being a fork of the
> former made by upstream.

Thanks for the patch! Pinging Julien...
From debbugs-submit-bounces@debbugs.gnu.org Tue Mar 23 17:18:45 2021
From: Julien Lepiller
To: Leo Famulari
Cc: Léo Le Bouter, 47342@debbugs.gnu.org
Date: Tue, 23 Mar 2021 13:42:48 -0400
Subject: Re: bug#47342: [PATCH 2/2] gnu: java-xstream: Update to 1.4.16 [security fixes].

So, mxparser seems to be pretty easy to package, but it depends on xmlpull v1. Unfortunately, it was developed at Extreme! Lab at Indiana University, but their website has recently been "deprecated" and redirects to the internet archive.

This is an issue as we have xmlpull v2 and xpp3 whose sources have also disappeared. Not sure what to do about them?

I asked upstream (xstream) for guidance on where to find the sources on https://github.com/x-stream/mxparser/issues/3.

Once we have that information, I can take care of the xstream update.

On 23 March 2021 13:33:45 GMT-04:00, Leo Famulari <leo@famulari.name> wrote:
>On Tue, Mar 23, 2021 at 03:38:40PM +0100, Léo Le Bouter via Bug reports
>for GNU Guix wrote:
>> Fixes CVE-2021-21341, CVE-2021-21342, CVE-2021-21343, CVE-2021-21344,
>> CVE-2021-21345, CVE-2021-21346, CVE-2021-21347, CVE-2021-21348,
>> CVE-2021-21349, CVE-2021-21350 and CVE-2021-21351.
>>
>> * gnu/packages/xml.scm (java-xstream): Update to 1.4.16.
>> [inputs]: Replace java-xpp3 with java-mxparser, the latter being a fork of the
>> former made by upstream.
>
>Thanks for the patch!
>
>Pinging Julien...

From debbugs-submit-bounces@debbugs.gnu.org Tue Mar 23 18:31:47 2021
From: Julien Lepiller
To: 47342-done@debbugs.gnu.org
Cc: Léo Le Bouter
Date: Tue, 23 Mar 2021 23:31:32 +0100
Subject: Re: bug#47342: java-xstream@1.4.15 is vulnerable to CVE-2021-21341, CVE-2021-21342, CVE-2021-21343, CVE-2021-21344, CVE-2021-21345, CVE-2021-21346, CVE-2021-21347, CVE-2021-21348, CVE-2021-21349, CVE-2021-21350 and CVE-2021-21351

On Tue, 23 Mar 2021 15:33:26 +0100, Léo Le Bouter via Bug reports for GNU Guix wrote:
> Upstream has made a release: 1.4.16 - which fixes all the issues,
> following is an unfinished patchset that fixes the issues, java-
> mxparser package does not build and help from some more experienced
> Java packagers is welcome to fix and push this patchset.

Pushed as 4490dff98c6979a77f3982716239b526e0ef1337 to 8b2b5463963d5d4dee480b0cf73fa4a9eca414ba to master, with changes discussed on IRC. Thanks a lot for noticing it!

From unknown Tue Aug 19 05:09:23 2025
From: Debbugs Internal Request
To: internal_control@debbugs.gnu.org
Subject: Internal Control
Date: Wed, 21 Apr 2021 11:24:05 +0000

bug archived.