From debbugs-submit-bounces@debbugs.gnu.org Tue Mar 23 10:33:36 2021 Received: (at submit) by debbugs.gnu.org; 23 Mar 2021 14:33:36 +0000 Received: from localhost ([127.0.0.1]:60917 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lOi6C-0006jA-17 for submit@debbugs.gnu.org; Tue, 23 Mar 2021 10:33:36 -0400 Received: from lists.gnu.org ([209.51.188.17]:55080) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lOi68-0006iy-E8 for submit@debbugs.gnu.org; Tue, 23 Mar 2021 10:33:34 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:47924) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lOi68-0006xo-3N for bug-guix@gnu.org; Tue, 23 Mar 2021 10:33:32 -0400 Received: from mail.zaclys.net ([178.33.93.72]:51161) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lOi65-0002IX-Dv for bug-guix@gnu.org; Tue, 23 Mar 2021 10:33:31 -0400 Received: from guix-xps.local (lsl43-1_migr-78-195-19-20.fbx.proxad.net [78.195.19.20] (may be forged)) (authenticated bits=0) by mail.zaclys.net (8.14.7/8.14.7) with ESMTP id 12NEXQPf034955 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO) for ; Tue, 23 Mar 2021 15:33:27 +0100 DMARC-Filter: OpenDMARC Filter v1.3.2 mail.zaclys.net 12NEXQPf034955 Authentication-Results: mail.zaclys.net; dmarc=fail (p=reject dis=none) header.from=zaclys.net Authentication-Results: mail.zaclys.net; spf=fail smtp.mailfrom=lle-bout@zaclys.net DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zaclys.net; s=default; t=1616510007; bh=/GoS773fvVeOaR4gjsjKcQcdWz6NxlsT3IPCVgQUBXE=; h=Subject:From:To:Date:From; b=cy///fg06GDr2Zla0WFun9oSQeoQrNXMEYU4UuUWfvFTdwNNC+nExMaU5QSUWibrK OwnK0s/nmW7y4rqEkKNiBqpB32v+CPQSm+TybxVFrNJAotbLFahZuI1j/rWL6ew65f WHl3Q6hOrISveG0eH4c36B2AoZtfI91FYp7pXcaE= Message-ID: <4b90a1518c9453ca529a5a6c4e12728cd0f2fbc7.camel@zaclys.net> Subject: java-xstream@1.4.15 is vulnerable to CVE-2021-21341, CVE-2021-21342, CVE-2021-21343, CVE-2021-21344, CVE-2021-21345, CVE-2021-21346, CVE-2021-21347, CVE-2021-21348, CVE-2021-21349, CVE-2021-21350 and CVE-2021-21351 From: =?ISO-8859-1?Q?L=E9o?= Le Bouter To: bug-guix@gnu.org Date: Tue, 23 Mar 2021 15:33:26 +0100 Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="=-hscTnfjBcH+mdd0Wd+Sd" User-Agent: Evolution 3.34.2 MIME-Version: 1.0 Received-SPF: pass client-ip=178.33.93.72; envelope-from=lle-bout@zaclys.net; helo=mail.zaclys.net X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-Spam-Score: 1.4 (+) X-Spam-Report: Spam detection software, running on the system "debbugs.gnu.org", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: Upstream has made a release: 1.4.16 - which fixes all the issues, following is an unfinished patchset that fixes the issues, java- mxparser package does not build and help from some more experienced J [...] Content analysis details: (1.4 points, 10.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 1.0 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail) -0.0 SPF_HELO_PASS SPF: HELO matches SPF record -2.3 RCVD_IN_DNSWL_MED RBL: Sender listed at https://www.dnswl.org/, medium trust [209.51.188.17 listed in list.dnswl.org] 2.7 MAY_BE_FORGED Relay IP's reverse DNS does not resolve to IP X-Debbugs-Envelope-To: submit X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -2.3 (--) --=-hscTnfjBcH+mdd0Wd+Sd Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Upstream has made a release: 1.4.16 - which fixes all the issues, following is an unfinished patchset that fixes the issues, java- mxparser package does not build and help from some more experienced Java packagers is welcome to fix and push this patchset. --=-hscTnfjBcH+mdd0Wd+Sd Content-Type: application/pgp-signature; name="signature.asc" Content-Description: This is a digitally signed message part Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEEFIvLi9gL+xax3g6RRaix6GvNEKYFAmBZ/DYACgkQRaix6GvN EKajtw//bUSSuk7gRJEqw37hETabwiag6UIltEmX+Dwid9H+C/7GQPEh2zZMmCU5 wmrwgd2Fnlb/HyKTPqv+9QNkyI/lUdYW8TTOxXnHtczbBlBgBnTBygG4TfRp/a3O bdgWEEM/sRes3vofrRL6NjTRz274oe6WB+hOQolJknCDFdUo9DSlnbiOAMK/DCDy UraHF5rhLSbifnrKa9AkBeHhiUZ/BuziGTEUM/whEU008vvvQmS6na14tEnJaD43 0d8r0yTcRU60TZtIMpxp/uL2Op7nDCCCLMn6Up2YmYyPnEklRl/sTcXO8vpaoWJv C3dSZ4bvDTNaUevfdhdLvKOinvM6WWwSjwMRhtjdf7NtXY1OE/hB+YpUTDNHGewi +2ciFH9Xk+E0yYo2SdiLvdJoU1Vx2Tg993WyhDWKy/C9uoaeIWrinSw9cV6DXEDP 2SW0MWQRrFK9ChAwBh7Wdt+JRenEUHVqbcM20QzgF+sRF1+rNttdRi8cl5JIr52D KUmWyU1ySrEyZdnW6VR7qUhoXVB+RBMWXchwFxLyas3FM4gIvR4OpY8CtvDSLGU+ HGvoyfr5BrBY0ziXf5aFdKTO6aLUXRqiuBtnINPtQdvkzlWdDZbLkCxEwnr7zNPy EJQT/3/K4rjg80bkKO20xq8cFhOP7aoG3r8vsKY/XzFi/sM44e8= =KXxi -----END PGP SIGNATURE----- --=-hscTnfjBcH+mdd0Wd+Sd--