GNU bug report logs - #47342
java-xstream@1.4.15 is vulnerable to CVE-2021-21341, CVE-2021-21342, CVE-2021-21343, CVE-2021-21344, CVE-2021-21345, CVE-2021-21346, CVE-2021-21347, CVE-2021-21348, CVE-2021-21349, CVE-2021-21350 and CVE-2021-21351

Previous Next

Package: guix;

Reported by: Léo Le Bouter <lle-bout <at> zaclys.net>

Date: Tue, 23 Mar 2021 14:34:02 UTC

Severity: normal

Tags: security

Done: Julien Lepiller <julien <at> lepiller.eu>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Julien Lepiller <julien <at> lepiller.eu>
Cc: tracker <at> debbugs.gnu.org
Subject: bug#47342: closed (java-xstream <at> 1.4.15 is vulnerable to
 CVE-2021-21341, CVE-2021-21342, CVE-2021-21343, CVE-2021-21344,
 CVE-2021-21345, CVE-2021-21346, CVE-2021-21347, CVE-2021-21348,
 CVE-2021-21349, CVE-2021-21350 and CVE-2021-21351)
Date: Tue, 23 Mar 2021 22:32:01 +0000

[Message part 1 (text/plain, inline)]
Your message dated Tue, 23 Mar 2021 23:31:32 +0100
with message-id <20210323233132.63d67c9b <at> tachikoma.lepiller.eu>
and subject line Re: bug#47342: java-xstream <at> 1.4.15 is vulnerable to CVE-2021-21341, CVE-2021-21342, CVE-2021-21343, CVE-2021-21344, CVE-2021-21345, CVE-2021-21346, CVE-2021-21347, CVE-2021-21348, CVE-2021-21349, CVE-2021-21350 and CVE-2021-21351
has caused the debbugs.gnu.org bug report #47342,
regarding java-xstream <at> 1.4.15 is vulnerable to CVE-2021-21341, CVE-2021-21342, CVE-2021-21343, CVE-2021-21344, CVE-2021-21345, CVE-2021-21346, CVE-2021-21347, CVE-2021-21348, CVE-2021-21349, CVE-2021-21350 and CVE-2021-21351
to be marked as done.

(If you believe you have received this mail in error, please contact
help-debbugs <at> gnu.org.)


-- 
47342: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=47342
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems

[Message part 2 (message/rfc822, inline)]
From: Léo Le Bouter <lle-bout <at> zaclys.net>
To: bug-guix <at> gnu.org
Subject: java-xstream <at> 1.4.15 is vulnerable to CVE-2021-21341,
 CVE-2021-21342, CVE-2021-21343, CVE-2021-21344, CVE-2021-21345,
 CVE-2021-21346, CVE-2021-21347, CVE-2021-21348, CVE-2021-21349,
 CVE-2021-21350 and CVE-2021-21351
Date: Tue, 23 Mar 2021 15:33:26 +0100

[Message part 3 (text/plain, inline)]
Upstream has made a release: 1.4.16 - which fixes all the issues,
following is an unfinished patchset that fixes the issues, java-
mxparser package does not build and help from some more experienced
Java packagers is welcome to fix and push this patchset.

[signature.asc (application/pgp-signature, inline)]
[Message part 5 (message/rfc822, inline)]
From: Julien Lepiller <julien <at> lepiller.eu>
To: 47342-done <at> debbugs.gnu.org
Cc: Léo Le Bouter <lle-bout <at> zaclys.net>
Subject: Re: bug#47342: java-xstream <at> 1.4.15 is vulnerable to CVE-2021-21341,
 CVE-2021-21342, CVE-2021-21343, CVE-2021-21344, CVE-2021-21345,
 CVE-2021-21346, CVE-2021-21347, CVE-2021-21348, CVE-2021-21349,
 CVE-2021-21350 and CVE-2021-21351
Date: Tue, 23 Mar 2021 23:31:32 +0100

Le Tue, 23 Mar 2021 15:33:26 +0100,
Léo Le Bouter via Bug reports for GNU Guix <bug-guix <at> gnu.org> a écrit :

> Upstream has made a release: 1.4.16 - which fixes all the issues,
> following is an unfinished patchset that fixes the issues, java-
> mxparser package does not build and help from some more experienced
> Java packagers is welcome to fix and push this patchset.

Pushed as 4490dff98c6979a77f3982716239b526e0ef1337 to
8b2b5463963d5d4dee480b0cf73fa4a9eca414ba to master,
with changes discussed on IRC.

Thanks a lot for noticing it!
This bug report was last modified 4 years and 121 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.