Debian Bug report logs - #611130
CVE-2010-2087

Package: mojarra; Maintainer for mojarra is Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>;

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Tue, 25 Jan 2011 20:45:02 UTC

Severity: important

Tags: moreinfo, security, squeeze-ignore, wontfix

Done: Henri Salo <henri@nerv.fi>



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#611130; Package mojarra. (Tue, 25 Jan 2011 20:45:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Tue, 25 Jan 2011 20:45:05 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2010-2087
Date: Tue, 25 Jan 2011 21:43:36 +0100
Package: mojarra
Severity: grave
Tags: security

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2087 

Please get in touch with upstream to ask whether this has been addressed.

Cheers,
        Moritz

-- System Information:
Debian Release: 6.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#611130; Package mojarra. (Wed, 26 Jan 2011 00:18:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Wed, 26 Jan 2011 00:18:03 GMT) Full text and rfc822 format available.

Message #10 received at 611130@bugs.debian.org (full text, mbox):

From: Julien Cristau <jcristau@debian.org>
To: Moritz Muehlenhoff <jmm@debian.org>, 611130@bugs.debian.org
Subject: Re: Bug#611130: CVE-2010-2087
Date: Wed, 26 Jan 2011 01:15:00 +0100
[Message part 1 (text/plain, inline)]
user release.debian.org@packages.debian.org
usertag 611130 squeeze-can-defer
tag 611130 squeeze-ignore
kthxbye

On Tue, Jan 25, 2011 at 21:43:36 +0100, Moritz Muehlenhoff wrote:

> Package: mojarra
> Severity: grave
> Tags: security
> 
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2087 
> 
> Please get in touch with upstream, whether this has been addressed.
> 
Not a blocker, can be fixed post release.

Cheers,
Julien
[signature.asc (application/pgp-signature, inline)]

Added tag(s) squeeze-ignore. Request was from Julien Cristau <jcristau@debian.org> to control@bugs.debian.org. (Wed, 26 Jan 2011 00:18:04 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#611130; Package mojarra. (Thu, 27 Jan 2011 14:27:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Miguel Landaeta <miguel@miguel.cc>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Thu, 27 Jan 2011 14:27:03 GMT) Full text and rfc822 format available.

Message #17 received at 611130@bugs.debian.org (full text, mbox):

From: Miguel Landaeta <miguel@miguel.cc>
To: Moritz Muehlenhoff <jmm@debian.org>
Cc: 611130@bugs.debian.org
Subject: Re: CVE-2010-2087
Date: Thu, 27 Jan 2011 09:53:10 -0430
On Tue, Jan 25, 2011 at 09:43:36PM +0100, Moritz Muehlenhoff wrote:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2087 
> Please get in touch with upstream, whether this has been addressed.

I just notified upstream to take a look at this
and I'm waiting for their reply.

Cheers,

-- 
Miguel Landaeta, miguel at miguel.cc
secure email with PGP 0x7D8967E9 available at http://keyserver.pgp.com/
"Faith means not wanting to know what is true." -- Nietzsche




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#611130; Package mojarra. (Mon, 25 Jul 2011 12:06:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Mon, 25 Jul 2011 12:06:04 GMT) Full text and rfc822 format available.

Message #22 received at 611130@bugs.debian.org (full text, mbox):

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Miguel Landaeta <miguel@miguel.cc>
Cc: 611130@bugs.debian.org
Subject: Re: CVE-2010-2087
Date: Mon, 25 Jul 2011 14:05:01 +0200
On Thu, Jan 27, 2011 at 09:53:10AM -0430, Miguel Landaeta wrote:
> On Tue, Jan 25, 2011 at 09:43:36PM +0100, Moritz Muehlenhoff wrote:
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2087 
> > Please get in touch with upstream, whether this has been addressed.
> 
> I just notified upstream to take a look at this
> and I'm waiting for their reply.

What's the result?

Cheers,
        Moritz 




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#611130; Package mojarra. (Wed, 24 Aug 2011 00:45:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Miguel Landaeta <miguel@miguel.cc>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Wed, 24 Aug 2011 00:45:03 GMT) Full text and rfc822 format available.

Message #27 received at 611130@bugs.debian.org (full text, mbox):

From: Miguel Landaeta <miguel@miguel.cc>
To: Moritz Mühlenhoff <jmm@inutil.org>
Cc: 611130@bugs.debian.org
Subject: Re: CVE-2010-2087
Date: Tue, 23 Aug 2011 20:12:51 -0430
[Message part 1 (text/plain, inline)]
On Mon, Jul 25, 2011 at 02:05:01PM +0200, Moritz Mühlenhoff wrote:
> What's the result?
> 

Upstream is totally unresponsive about this issue.

I have reviewed the changelogs of subsequent releases and this doesn't
seem to be fixed.

I have lost almost all motivation to try to fix this, but I'll
give it another try and check again with upstream to see what they
have to say.

-- 
Miguel Landaeta, miguel at miguel.cc
secure email with PGP 0x7D8967E9 available at http://keyserver.pgp.com/
"Faith means not wanting to know what is true." -- Nietzsche
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#611130; Package mojarra. (Wed, 24 Aug 2011 16:36:09 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Wed, 24 Aug 2011 16:36:09 GMT) Full text and rfc822 format available.

Message #32 received at 611130@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Miguel Landaeta <miguel@miguel.cc>
Cc: 611130@bugs.debian.org
Subject: Re: CVE-2010-2087
Date: Wed, 24 Aug 2011 18:33:39 +0200
On Tue, Aug 23, 2011 at 08:12:51PM -0430, Miguel Landaeta wrote:
> On Mon, Jul 25, 2011 at 02:05:01PM +0200, Moritz Mühlenhoff wrote:
> > What's the result?
> > 
> 
> Upstream is totally unresponsive about this issue.
> 
> I have reviewed changelog of subsequent releases and this doesn't
> seem to be fixed.
> 
> I have lost almost all motivation to try to fix this, but I'll
> give another try to check again with upstream to see what they
> have to say.

This reminded me of http://pwnies.com/archive/2010/winners/:

--------------
Pwnie for Best Server-Side Bug

(..)

Credit: Meder Kydyraliev

(..)

Meder gets bonus points for having to track down developers on IRC 
to get the vulnerability fixed after receiving no response from 
security@struts.apache.org.
--------------

Maybe you should try IRC as well...

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#611130; Package mojarra. (Sun, 02 Oct 2011 22:27:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Miguel Landaeta <miguel@miguel.cc>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sun, 02 Oct 2011 22:27:03 GMT) Full text and rfc822 format available.

Message #37 received at 611130@bugs.debian.org (full text, mbox):

From: Miguel Landaeta <miguel@miguel.cc>
To: 611130@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: CVE-2010-2087
Date: Sun, 2 Oct 2011 17:53:48 -0430
[Message part 1 (text/plain, inline)]
#tag 611130 + idontgiveadamn
tag 611130 + moreinfo
kthxbye

Upstream doesn't answer any request about this bug.

I sent emails, I posted in their discussion forum and even joined their
IRC channel to ask a couple of questions about this bug. I didn't receive
any answer; I can say I was completely ignored.

There is no info on the MITRE website and AFAIK this issue is not fixed in
any other free software distribution.

I have neither the time nor the interest for this; good luck to anybody
interested in fixing this bug. Be aware of the uncooperative upstream.

-- 
Miguel Landaeta, miguel at miguel.cc
secure email with PGP 0x7D8967E9 available at http://keyserver.pgp.com/
"Faith means not wanting to know what is true." -- Nietzsche
[signature.asc (application/pgp-signature, inline)]

Added tag(s) moreinfo. Request was from Miguel Landaeta <miguel@miguel.cc> to control@bugs.debian.org. (Sun, 02 Oct 2011 22:27:10 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#611130; Package mojarra. (Sun, 13 May 2012 16:57:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Steve McIntyre <steve@einval.com>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sun, 13 May 2012 16:57:02 GMT) Full text and rfc822 format available.

Message #44 received at 611130@bugs.debian.org (full text, mbox):

From: Steve McIntyre <steve@einval.com>
To: Miguel Landaeta <miguel@miguel.cc>, 611130@bugs.debian.org
Cc: Moritz Mühlenhoff <jmm@inutil.org>
Subject: Re: Bug#611130: CVE-2010-2087
Date: Sun, 13 May 2012 17:52:05 +0100
On Sun, Oct 02, 2011 at 05:53:48PM -0430, Miguel Landaeta wrote:
>#tag 611130 + idontgiveadamn
>tag 611130 + moreinfo
>kthxbye
>
>Upstream doesn't answer any request about this bug.
>
>I sent emails, I posted in their discussion forum and even joined their
>irc channel to ask a couple of question about this bug. I didn't receive
>any answer, I can say I was completely ignored.
>
>There is no info at Mitre website and AFAIK this issue is not fixed in
>any other free software distribution.
>
>I don't have time neither interest on this, good luck to anybody
>interested in fixing this bug. Be aware of uncooperative upstream.

Given this, this package looks like a prime candidate for removal from
the archive to be honest. Thoughts?

-- 
Steve McIntyre, Cambridge, UK.                                steve@einval.com
Who needs computer imagery when you've got Brian Blessed?





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#611130; Package mojarra. (Sun, 13 May 2012 19:27:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sun, 13 May 2012 19:27:03 GMT) Full text and rfc822 format available.

Message #49 received at 611130@bugs.debian.org (full text, mbox):

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Steve McIntyre <steve@einval.com>
Cc: Miguel Landaeta <miguel@miguel.cc>, 611130@bugs.debian.org, Moritz Mühlenhoff <jmm@inutil.org>
Subject: Re: Bug#611130: CVE-2010-2087
Date: Sun, 13 May 2012 21:23:45 +0200
On Sun, May 13, 2012 at 05:52:05PM +0100, Steve McIntyre wrote:
> On Sun, Oct 02, 2011 at 05:53:48PM -0430, Miguel Landaeta wrote:
> >#tag 611130 + idontgiveadamn
> >tag 611130 + moreinfo
> >kthxbye
> >
> >Upstream doesn't answer any request about this bug.
> >
> >I sent emails, I posted in their discussion forum and even joined their
> >irc channel to ask a couple of question about this bug. I didn't receive
> >any answer, I can say I was completely ignored.
> >
> >There is no info at Mitre website and AFAIK this issue is not fixed in
> >any other free software distribution.
> >
> >I don't have time neither interest on this, good luck to anybody
> >interested in fixing this bug. Be aware of uncooperative upstream.
> 
> Given this, this package looks like a prime candidate for removal from
> the archive to be honest. Thoughts?

I concur, but libspring build-depends on it, something which needs to
be addressed somehow.

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#611130; Package mojarra. (Mon, 14 May 2012 14:33:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Steve McIntyre <steve@einval.com>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Mon, 14 May 2012 14:33:03 GMT) Full text and rfc822 format available.

Message #54 received at 611130@bugs.debian.org (full text, mbox):

From: Steve McIntyre <steve@einval.com>
To: Moritz Mühlenhoff <jmm@inutil.org>
Cc: Miguel Landaeta <miguel@miguel.cc>, 611130@bugs.debian.org
Subject: Re: Bug#611130: CVE-2010-2087
Date: Mon, 14 May 2012 15:29:09 +0100
On Sun, May 13, 2012 at 09:23:45PM +0200, Moritz Mühlenhoff wrote:
>On Sun, May 13, 2012 at 05:52:05PM +0100, Steve McIntyre wrote:
>> On Sun, Oct 02, 2011 at 05:53:48PM -0430, Miguel Landaeta wrote:
>> >#tag 611130 + idontgiveadamn
>> >tag 611130 + moreinfo
>> >kthxbye
>> >
>> >Upstream doesn't answer any request about this bug.
>> >
>> >I sent emails, I posted in their discussion forum and even joined their
>> >irc channel to ask a couple of question about this bug. I didn't receive
>> >any answer, I can say I was completely ignored.
>> >
>> >There is no info at Mitre website and AFAIK this issue is not fixed in
>> >any other free software distribution.
>> >
>> >I don't have time neither interest on this, good luck to anybody
>> >interested in fixing this bug. Be aware of uncooperative upstream.
>> 
>> Given this, this package looks like a prime candidate for removal from
>> the archive to be honest. Thoughts?
>
>I concur, but libspring build-depends on it, something which needs to
>be addressed somehow.

Ick. :-(

-- 
Steve McIntyre, Cambridge, UK.                                steve@einval.com
Support the Campaign for Audiovisual Free Expression: http://www.eff.org/cafe/





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#611130; Package mojarra. (Sun, 17 Jun 2012 16:15:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Miguel Landaeta <miguel@miguel.cc>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sun, 17 Jun 2012 16:15:03 GMT) Full text and rfc822 format available.

Message #59 received at 611130@bugs.debian.org (full text, mbox):

From: Miguel Landaeta <miguel@miguel.cc>
To: 611130@bugs.debian.org
Subject: #611130/CVE-2010-2087 is unlikely to be fixed
Date: Sun, 17 Jun 2012 11:49:47 -0430
[Message part 1 (text/plain, inline)]
tags 611130 + wontfix
severity 611130 important
thanks

Hi,

I was checking again on the status of this bug and found a statement
in the Red Hat bug tracker posted by David Jorm:

Statement:

This flaw affects applications using unencrypted client-side view states on Mojarra as shipped with JBoss Communications Platform 1.2.11 and 5.1.1, JBoss Enterprise Application Platform 4.2.0, 4.3.0 and 5.1.1, JBoss Enterprise BRMS Platform 5.1.0, JBoss Enterprise Portal Platform 4.3 and 5.1.1, JBoss Enterprise SOA Platform 4.2.0, 4.3.0 and 5.1.0, JBoss Enterprise Web Platform 5.1.1 and JBoss Web Framework Kit 1.1.0 and 1.2.0. Unencrypted client-side view states are fundamentally insecure and should not be used. Developers are advised to always enable encryption when creating JavaServer Faces (JSF) applications using client-side view state. When using the Mojarra implementation of JSF, this is achieved by adding the following snippet to the application's web.xml:
<context-param>
   <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
   <param-value>client</param-value>
</context-param>
<env-entry>
   <env-entry-name>ClientStateSavingPassword</env-entry-name>
   <env-entry-type>java.lang.String</env-entry-type>
   <env-entry-value>INSERT_YOUR_PASSWORD</env-entry-value>
</env-entry>


So, IMO this looks like it is not going to be fixed anytime soon, if ever.

Cheers,

-- 
Miguel Landaeta, miguel at miguel.cc
secure email with PGP 0x6E608B637D8967E9 available at http://keyserver.pgp.com/
"Faith means not wanting to know what is true." -- Nietzsche
[signature.asc (application/pgp-signature, inline)]
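As an added example (not part of this bug log, and not Mojarra, Red Hat or Debian code), the two checks below turn the quoted statement into something a deployer can run. The first takes the value of the javax.faces.ViewState field as sent to the browser and reports whether it is raw Java serialization (stream header 0xACED0005), Java serialization behind gzip only (both readable and therefore editable by the client), or opaque, as an encrypted state would be. The second parses web.xml and flags client-side state saving that has no ClientStateSavingPassword env-entry, or still carries the INSERT_YOUR_PASSWORD placeholder from the snippet. The function names, result labels, sample view states and sample web.xml fragments are my own constructions; the magic numbers are the standard Java serialization and gzip headers.

```python
"""Checks for JSF client-side view-state exposure. Added example; this is not
Mojarra, Red Hat or Debian code. Two things to verify on an affected deployment:
  classify_view_state(): does the javax.faces.ViewState value sent to the browser
      expose readable (hence editable) Java serialization, raw or merely gzipped,
      or is it opaque, as an encrypted state would be?
  audit_web_xml(): does web.xml turn on client-side state saving without the
      ClientStateSavingPassword env-entry from the quoted Red Hat statement?
"""
import base64
import binascii
import gzip
import xml.etree.ElementTree as ET

JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"  # java.io.ObjectOutputStream stream header
GZIP_MAGIC = b"\x1f\x8b"                 # RFC 1952 gzip member header
PLACEHOLDER_PASSWORD = "INSERT_YOUR_PASSWORD"  # the quoted snippet's placeholder


def classify_view_state(view_state: str) -> str:
    """Classify a (URL-decoded) javax.faces.ViewState value.
    "plain-serialized": raw Java serialization, readable and editable by the client
    "gzip-serialized":  gzip around Java serialization; compression is not encryption
    "opaque":           no known marker; consistent with an encrypted state
    "not-base64":       not a base64 blob at all, e.g. a server-side state token
    """
    try:
        raw = base64.b64decode(view_state, validate=True)
    except (binascii.Error, ValueError):
        return "not-base64"
    if raw.startswith(JAVA_SERIAL_MAGIC):
        return "plain-serialized"
    if raw.startswith(GZIP_MAGIC):
        try:
            inflated = gzip.decompress(raw)
        except (OSError, EOFError):  # gzip header but no valid member
            return "opaque"
        if inflated.startswith(JAVA_SERIAL_MAGIC):
            return "gzip-serialized"
    return "opaque"


def _local(tag: str) -> str:
    """Strip the XML namespace so web.xml with or without xmlns matches."""
    return tag.rsplit("}", 1)[-1]


def _pairs(root, element, name_tag, value_tag):
    """Collect name -> value from every <element> with <name_tag>/<value_tag> children."""
    found = {}
    for el in root.iter():
        if _local(el.tag) != element:
            continue
        name = value = None
        for child in el:
            if _local(child.tag) == name_tag:
                name = (child.text or "").strip()
            elif _local(child.tag) == value_tag:
                value = (child.text or "").strip()
        if name:
            found[name] = value
    return found


def audit_web_xml(web_xml: str) -> dict:
    """Flag client-side state saving that has no real ClientStateSavingPassword."""
    root = ET.fromstring(web_xml)
    params = _pairs(root, "context-param", "param-name", "param-value")
    env = _pairs(root, "env-entry", "env-entry-name", "env-entry-value")
    method = (params.get("javax.faces.STATE_SAVING_METHOD") or "server").lower()  # JSF default
    password = env.get("ClientStateSavingPassword") or ""
    client = method == "client"
    password_ok = bool(password) and password != PLACEHOLDER_PASSWORD
    return {"state_saving_method": method, "client_side": client,
            "password_ok": password_ok, "ok": (not client) or password_ok}


# Constructed samples, not captured from any real application.
PLAIN_STATE = b"\xac\xed\x00\x05\x74\x00\x05hello"  # stream header + TC_STRING "hello"
PLAIN_B64 = base64.b64encode(PLAIN_STATE).decode()
GZIP_B64 = base64.b64encode(gzip.compress(PLAIN_STATE)).decode()
OPAQUE_B64 = base64.b64encode(bytes(range(0x10, 0x30))).decode()
WEAK_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <context-param>
    <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
    <param-value>client</param-value>
  </context-param>
</web-app>"""
HARDENED_WEB_XML = WEAK_WEB_XML.replace("</web-app>", """  <env-entry>
    <env-entry-name>ClientStateSavingPassword</env-entry-name>
    <env-entry-type>java.lang.String</env-entry-type>
    <env-entry-value>example-only-not-a-real-secret</env-entry-value>
  </env-entry>
</web-app>""")

if __name__ == "__main__":
    for label, vs in (("plain", PLAIN_B64), ("gzip", GZIP_B64), ("opaque", OPAQUE_B64)):
        print(label, "->", classify_view_state(vs))
    print("weak:", audit_web_xml(WEAK_WEB_XML))
    print("hardened:", audit_web_xml(HARDENED_WEB_XML))
```

An "opaque" result only says the state carries neither marker; it does not prove encryption, so the web.xml audit is the authoritative check. Remember that a web.xml entry is only half of the fix: the env-entry value must be an actual secret, not the placeholder left in place.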

Added tag(s) wontfix. Request was from Miguel Landaeta <miguel@miguel.cc> to control@bugs.debian.org. (Sun, 17 Jun 2012 16:15:10 GMT) Full text and rfc822 format available.

Severity set to 'important' from 'grave' Request was from Miguel Landaeta <miguel@miguel.cc> to control@bugs.debian.org. (Sun, 17 Jun 2012 16:15:10 GMT) Full text and rfc822 format available.

Reply sent to Henri Salo <henri@nerv.fi>:
You have taken responsibility. (Mon, 31 Mar 2014 13:33:14 GMT) Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Mon, 31 Mar 2014 13:33:15 GMT) Full text and rfc822 format available.

Message #68 received at 611130-close@bugs.debian.org (full text, mbox):

From: Henri Salo <henri@nerv.fi>
To: 611130-close@bugs.debian.org
Subject: closing
Date: Mon, 31 Mar 2014 16:28:14 +0300
[Message part 1 (text/plain, inline)]
Closing as wontfix. In case you reopen this bug, please add more details about
the issue; more information is needed. Also, from the security tracker: "Affected
feature is fundamentally insecure".

---
Henri Salo
[signature.asc (application/pgp-signature, inline)]



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 07:59:24 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.