Debian Bug report logs - #611138
CVE-2010-4438

Package: glassfish; Maintainer for glassfish is Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>;

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Tue, 25 Jan 2011 22:18:21 UTC

Severity: serious

Tags: moreinfo, security, squeeze-ignore

Done: "Thijs Kinkhorst" <thijs@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#611138; Package glassfish. (Tue, 25 Jan 2011 22:18:24 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Tue, 25 Jan 2011 22:18:24 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2010-4438
Date: Tue, 25 Jan 2011 23:02:18 +0100
Package: glassfish
Severity: grave
Tags: security

See http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4438 

Please get in touch with Oracle to check, what "unspecified
vulnerability" they fixed...

Cheers,
        Moritz

-- System Information:
Debian Release: 6.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#611138; Package glassfish. (Wed, 26 Jan 2011 18:51:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Damien Raude-Morvan" <drazzib@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Wed, 26 Jan 2011 18:51:08 GMT) Full text and rfc822 format available.

Message #10 received at 611138@bugs.debian.org (full text, mbox):

From: "Damien Raude-Morvan" <drazzib@debian.org>
To: Moritz Muehlenhoff <jmm@debian.org>, 611138@bugs.debian.org
Subject: Re: Bug#611138: CVE-2010-4438
Date: Wed, 26 Jan 2011 19:46:32 +0100
Hi,

On Tuesday 25 January 2011 23:02:18, Moritz Muehlenhoff wrote:
> See http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4438
> 
> Please get in touch with Oracle to check, what "unspecified
> vulnerability" they fixed...

From CVE abstract :
"
Sun GlassFish Enterprise Server contains a flaw related to the 'Java Message 
Service (JMS)' sub-component that may allow a local attacker to have a partial 
affect on integrity and confidentiality and cause a denial of service. No 
further details have been provided. 
"

We hardly build any real "Glassfish Server", just some parts of the API 
library from the Java EE specifications.
FYI, /usr/share/java/glassfish-jms.jar is just a collection of interfaces and 
doesn't have any implementation of a JMS server.

So I don't think the Debian package is affected by this issue, but we'll have to 
wait until the Oracle/Glassfish team publishes some source code to confirm this.

Cheers,
-- 
Damien - Debian Developer
http://wiki.debian.org/DamienRaudeMorvan
[signature.asc (application/pgp-signature, inline)]

Added tag(s) moreinfo. Request was from Damien Raude-Morvan <drazzib@debian.org> to control@bugs.debian.org. (Wed, 26 Jan 2011 19:18:02 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#611138; Package glassfish. (Wed, 26 Jan 2011 21:36:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Wed, 26 Jan 2011 21:36:05 GMT) Full text and rfc822 format available.

Message #17 received at 611138@bugs.debian.org (full text, mbox):

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Damien Raude-Morvan <drazzib@debian.org>
Cc: 611138@bugs.debian.org
Subject: Re: Bug#611138: CVE-2010-4438
Date: Wed, 26 Jan 2011 22:34:14 +0100
On Wed, Jan 26, 2011 at 07:46:32PM +0100, Damien Raude-Morvan wrote:
> Hi,
> 
> On Tuesday 25 January 2011 23:02:18, Moritz Muehlenhoff wrote:
> > See http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4438
> > 
> > Please get in touch with Oracle to check, what "unspecified
> > vulnerability" they fixed...
> 
> From CVE abstract :
> "
> Sun GlassFish Enterprise Server contains a flaw related to the 'Java Message 
> Service (JMS)' sub-component that may allow a local attacker to have a partial 
> affect on integrity and confidentiality and cause a denial of service. No 
> further details have been provided. 
> "
> 
> We hardly build any real "Glassfish Server", just some parts of the API 
> library from the Java EE specifications.
> FYI, /usr/share/java/glassfish-jms.jar is just a collection of interfaces and 
> doesn't have any implementation of a JMS server.
> 
> So I don't think the Debian package is affected by this issue, but we'll have to 
> wait until the Oracle/Glassfish team publishes some source code to confirm this.

Ok, I've updated the Security Tracker to mark it as not-affected. I wasn't
aware that the Debian Glassfish package doesn't provide the full stack.

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#611138; Package glassfish. (Wed, 26 Jan 2011 21:45:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Wed, 26 Jan 2011 21:45:03 GMT) Full text and rfc822 format available.

Message #22 received at 611138@bugs.debian.org (full text, mbox):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Moritz Mühlenhoff <jmm@inutil.org>, 611138@bugs.debian.org
Cc: Damien Raude-Morvan <drazzib@debian.org>
Subject: Re: Bug#611138: CVE-2010-4438
Date: Wed, 26 Jan 2011 21:42:24 +0000
user release.debian.org@packages.debian.org
usertag 611138 + squeeze-can-defer
tag 611138 + squeeze-ignore
thanks

On Wed, 2011-01-26 at 22:34 +0100, Moritz Mühlenhoff wrote:
> On Wed, Jan 26, 2011 at 07:46:32PM +0100, Damien Raude-Morvan wrote:
> > So I don't think the Debian package is affected by this issue, but we'll have to 
> > wait until the Oracle/Glassfish team publishes some source code to confirm this.
> 
> Ok, I've updated the Security Tracker to mark it as not-affected. I wasn't
> aware that the Debian Glassfish package doesn't provide the full stack.

In that case, this sounds like a fix could be deferred until after the
release, if it's required at all; tagging as not a blocker.

Regards,

Adam





Added tag(s) squeeze-ignore. Request was from "Adam D. Barratt" <adam@adam-barratt.org.uk> to control@bugs.debian.org. (Wed, 26 Jan 2011 21:45:06 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#611138; Package glassfish. (Sun, 01 Jan 2012 18:51:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sun, 01 Jan 2012 18:51:03 GMT) Full text and rfc822 format available.

Message #29 received at 611138@bugs.debian.org (full text, mbox):

From: Julien Cristau <jcristau@debian.org>
To: Damien Raude-Morvan <drazzib@debian.org>, 611138@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@debian.org>
Subject: Re: Bug#611138: CVE-2010-4438
Date: Sun, 1 Jan 2012 19:47:43 +0100
Hi,

On Wed, Jan 26, 2011 at 19:46:32 +0100, Damien Raude-Morvan wrote:

> So I don't think the Debian package is affected by this issue, but we'll have to 
> wait until the Oracle/Glassfish team publishes some source code to confirm this.
> 
Did that happen in the last year?

Cheers,
Julien




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#611138; Package glassfish. (Wed, 04 Jan 2012 20:15:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Damien Raude-Morvan <drazzib@drazzib.com>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Wed, 04 Jan 2012 20:15:03 GMT) Full text and rfc822 format available.

Message #34 received at 611138@bugs.debian.org (full text, mbox):

From: Damien Raude-Morvan <drazzib@drazzib.com>
To: Julien Cristau <jcristau@debian.org>
Cc: Damien Raude-Morvan <drazzib@debian.org>, 611138@bugs.debian.org, Moritz Muehlenhoff <jmm@debian.org>
Subject: Re: Bug#611138: CVE-2010-4438
Date: Wed, 04 Jan 2012 21:12:31 +0100
On 01/01/2012 19:47, Julien Cristau wrote:
> Hi,

Hi Julien,

> On Wed, Jan 26, 2011 at 19:46:32 +0100, Damien Raude-Morvan wrote:
>
>> So I don't think the Debian package is affected by this issue, but we'll have to
>> wait until the Oracle/Glassfish team publishes some source code to confirm this.
>>
> Did that happen in the last year?

Sadly, no :/ I must admit that Oracle does not publish details of its 
fixes, so it's hard to confirm firmly which component exactly is impacted.

I'll try to revive my contact @Oracle to get some feedback on this issue 
(on future security issues).

Cheers,




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#611138; Package glassfish. (Sun, 13 May 2012 16:57:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Steve McIntyre <steve@einval.com>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sun, 13 May 2012 16:57:04 GMT) Full text and rfc822 format available.

Message #39 received at 611138@bugs.debian.org (full text, mbox):

From: Steve McIntyre <steve@einval.com>
To: Damien Raude-Morvan <drazzib@drazzib.com>, 611138@bugs.debian.org
Cc: Julien Cristau <jcristau@debian.org>, Damien Raude-Morvan <drazzib@debian.org>, Moritz Muehlenhoff <jmm@debian.org>
Subject: Re: Bug#611138: CVE-2010-4438
Date: Sun, 13 May 2012 17:54:38 +0100
On Wed, Jan 04, 2012 at 09:12:31PM +0100, Damien Raude-Morvan wrote:
>On 01/01/2012 19:47, Julien Cristau wrote:
>>Hi,
>
>Hi Julien,
>
>>On Wed, Jan 26, 2011 at 19:46:32 +0100, Damien Raude-Morvan wrote:
>>
>>>So I don't think the Debian package is affected by this issue, but we'll have to
>>>wait until the Oracle/Glassfish team publishes some source code to confirm this.
>>>
>>Did that happen in the last year?
>
>Sadly, no :/ I must admit that Oracle does not publish details of its
>fixes so it's hard to confirm firmly what's component is exactly
>impacted.
>
>I'll try to revive my contact @Oracle to get some feedback on this
>issue (on future security issues).

Hi,

Any news on this?

-- 
Steve McIntyre, Cambridge, UK.                                steve@einval.com
"This dress doesn't reverse." -- Alden Spiess





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#611138; Package glassfish. (Sun, 13 May 2012 22:15:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Damien Raude-Morvan" <drazzib@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sun, 13 May 2012 22:15:03 GMT) Full text and rfc822 format available.

Message #44 received at 611138@bugs.debian.org (full text, mbox):

From: "Damien Raude-Morvan" <drazzib@debian.org>
To: Steve McIntyre <steve@einval.com>
Cc: Julien Cristau <jcristau@debian.org>, Moritz Muehlenhoff <jmm@debian.org>, 611138@bugs.debian.org, 653964@bugs.debian.org
Subject: CVE-2010-4438 / CVE-2011-5035
Date: Mon, 14 May 2012 00:13:50 +0200
Hi all,

On Sunday 13 May 2012 18:54:38, Steve McIntyre wrote:
> >Sadly, no :/ I must admit that Oracle does not publish details of its
> >fixes so it's hard to confirm firmly what's component is exactly
> >impacted.
> >
> >I'll try to revive my contact @Oracle to get some feedback on this
> >issue (on future security issues).
> 
> Hi,
> 
> Any news on this?

I'll just start by restating my initial comment on both issues :
-----
We don't build any real "Glassfish Server", just some parts of the API 
library used as Java EE specifications. As for any specification, this is just a 
collection of interfaces and doesn't have much more implementation than dummy or 
stub code.
-----

So I don't think that CVE-2010-4438 or CVE-2011-5035 affect Debian binary 
packages. 

But I cannot be 100% sure since :
- The upstream bug tracker [1] doesn't contain any reference to those security issues
- My Oracle contact (GlassFish community manager) only told me that 
"CVE-2011-5035 is integrated in GlassFish 3.1.1 Patch 2 (an update to 3.1.1 
for paying customers). The fix is in the trunk and will be integrated in the 
3.1.2 release scheduled for later this quarter"

I don't think I'll do further investigation on those issues...
At least there is one instructive thing: we have to think twice before 
integrating a full-blown Glassfish JEE server (i.e. not just the API) into Debian, 
as from my point of view Glassfish security is not handled the way an open source 
project's should be.

[1] http://java.net/jira/browse/GLASSFISH

Cheers,
-- 
Damien - Debian Developer
http://wiki.debian.org/DamienRaudeMorvan
[signature.asc (application/pgp-signature, inline)]
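Damien's point in Message #10 and again in Message #44 is that the Debian glassfish binaries carry only the Java EE API interfaces, not a JMS server implementation, which is why the package is tracked as not-affected. That claim is checkable without upstream's help: every class file carries an access_flags field that says whether the entry is an interface, an abstract class or a concrete class, so a jar audit tells you how much executable implementation is actually shipped. The Python script below is an added example for this bug log, not code from the Debian package or from GlassFish. It walks the constant pool of each .class entry to reach access_flags and runs against a jar constructed in memory from hand-built minimal class files (the names javax/jms/Connection, javax/jms/Message and com/example/broker/BrokerImpl are made up for the sample); point audit_jar() at /usr/share/java/glassfish-jms.jar to run it for real.

```python
"""Classify every .class entry in a jar as interface, abstract or concrete
by reading the class-level access_flags (JVMS 4.1). Added example for
Debian bug #611138; not code from the glassfish package or upstream."""
import io
import struct
import zipfile

ACC_INTERFACE = 0x0200
ACC_ABSTRACT = 0x0400

# Payload size (bytes after the 1-byte tag) of fixed-size constant-pool
# entries; tag 1 (CONSTANT_Utf8) is variable-length and handled separately.
_CP_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
             12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def class_access_flags(data: bytes) -> int:
    """Return access_flags of a class file; they sit right after the pool,
    so the pool has to be walked entry by entry to find them."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file (bad magic)")
    (cp_count,) = struct.unpack_from(">H", data, 8)
    off, idx = 10, 1
    while idx < cp_count:
        tag = data[off]
        off += 1
        if tag == 1:                                  # Utf8: u2 length + bytes
            (length,) = struct.unpack_from(">H", data, off)
            off += 2 + length
        elif tag in _CP_FIXED:
            off += _CP_FIXED[tag]
        else:
            raise ValueError(f"unknown constant pool tag {tag}")
        idx += 2 if tag in (5, 6) else 1              # Long/Double take 2 slots
    (flags,) = struct.unpack_from(">H", data, off)
    return flags


def classify(flags: int) -> str:
    if flags & ACC_INTERFACE:
        return "interface"
    if flags & ACC_ABSTRACT:
        return "abstract"
    return "concrete"


def audit_jar(jar) -> dict:
    """Map each .class entry of a jar (path or file object) to its kind."""
    with zipfile.ZipFile(jar) as zf:
        return {n: classify(class_access_flags(zf.read(n)))
                for n in zf.namelist() if n.endswith(".class")}


def concrete_classes(jar) -> list:
    """Entries that carry executable implementation rather than API shape."""
    return sorted(n for n, k in audit_jar(jar).items() if k == "concrete")


# --- constructed sample data (not a real GlassFish jar) -------------------
def make_class(internal_name: str, flags: int) -> bytes:
    """Minimal structurally valid class file: this class + java/lang/Object
    in the constant pool, no interfaces, fields, methods or attributes."""
    def utf8(s):
        b = s.encode()
        return b"\x01" + struct.pack(">H", len(b)) + b
    cp = (b"\x07\x00\x02" + utf8(internal_name)            # #1 Class -> #2
          + b"\x07\x00\x04" + utf8("java/lang/Object"))    # #3 Class -> #4
    return (b"\xca\xfe\xba\xbe" + struct.pack(">HH", 0, 50)  # magic, version
            + struct.pack(">H", 5) + cp                      # cp_count, pool
            + struct.pack(">HHH", flags, 1, 3)               # flags, this, super
            + struct.pack(">HHHH", 0, 0, 0, 0))              # ifaces/fields/methods/attrs


def build_sample_jar(with_impl: bool) -> io.BytesIO:
    """API-only jar, optionally with a (hypothetical) concrete broker class."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("javax/jms/Connection.class",
                    make_class("javax/jms/Connection", 0x0601))   # public abstract interface
        zf.writestr("javax/jms/Message.class",
                    make_class("javax/jms/Message", 0x0601))
        if with_impl:
            zf.writestr("com/example/broker/BrokerImpl.class",
                        make_class("com/example/broker/BrokerImpl", 0x0021))  # public super
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for impl in (False, True):
        label = "implementation jar" if impl else "API-only jar"
        print(label, concrete_classes(build_sample_jar(impl)))
```

A real API jar will still show a handful of concrete entries (exception types such as JMSException, small helper classes), so the useful output for a CVE triage is the list of names, not the count: what matters is whether anything that looks like a broker, connection factory or server component is present alongside the interfaces.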

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#611138; Package glassfish. (Mon, 14 May 2012 14:54:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Steve McIntyre <steve@einval.com>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Mon, 14 May 2012 14:54:03 GMT) Full text and rfc822 format available.

Message #49 received at 611138@bugs.debian.org (full text, mbox):

From: Steve McIntyre <steve@einval.com>
To: Damien Raude-Morvan <drazzib@debian.org>
Cc: Julien Cristau <jcristau@debian.org>, Moritz Muehlenhoff <jmm@debian.org>, 611138@bugs.debian.org, 653964@bugs.debian.org
Subject: Re: CVE-2010-4438 / CVE-2011-5035
Date: Mon, 14 May 2012 15:50:30 +0100
On Mon, May 14, 2012 at 12:13:50AM +0200, Damien Raude-Morvan wrote:
>Hi all,
>
>On Sunday 13 May 2012 18:54:38, Steve McIntyre wrote:
>> >Sadly, no :/ I must admit that Oracle does not publish details of its
>> >fixes so it's hard to confirm firmly what's component is exactly
>> >impacted.
>> >
>> >I'll try to revive my contact @Oracle to get some feedback on this
>> >issue (on future security issues).
>> 
>> Hi,
>> 
>> Any news on this?
>
>I'll just start by restating my initial comment on both issues :
>-----
>We don't build any real "Glassfish Server", just some parts of the API 
>library used as Java EE specifications. As for any specification, this is just a 
>collection of interfaces and doesn't have much more implementation than dummy or 
>stub code.
>-----
>
>So I don't think that CVE-2010-4438 or CVE-2011-5035 affect Debian binary 
>packages. 

OK, fair enough.

>But I cannot be 100% sure since :
>- The upstream bug tracker [1] doesn't contain any reference to those security issues
>- My Oracle contact (GlassFish community manager) only told me that 
>"CVE-2011-5035 is integrated in GlassFish 3.1.1 Patch 2 (an update to 3.1.1 
>for paying customers). The fix is in the trunk and will be integrated in the 
>3.1.2 release scheduled for later this quarter"
>
>I don't think I'll do further investigation on those issues...
>At least there is one instructive thing: we have to think twice before 
>integrating a full-blown Glassfish JEE server (i.e. not just the API) into Debian, 
>as from my point of view Glassfish security is not handled the way an open source 
>project's should be.

Yes, I'd have to agree with that. :-(

If you're *reasonably* confident that we're not affected by those
CVE issues, is it worth maybe dropping the severity of the Debian bugs
from serious?

-- 
Steve McIntyre, Cambridge, UK.                                steve@einval.com
There's no sensation to compare with this
Suspended animation, A state of bliss





Severity set to 'serious' from 'grave'. Request was from Damien Raude-Morvan <drazzib@debian.org> to control@bugs.debian.org. (Mon, 14 May 2012 21:03:03 GMT) Full text and rfc822 format available.

Reply sent to "Thijs Kinkhorst" <thijs@debian.org>:
You have taken responsibility. (Sat, 02 Jun 2012 17:03:12 GMT) Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Sat, 02 Jun 2012 17:03:12 GMT) Full text and rfc822 format available.

Message #56 received at 611138-done@bugs.debian.org (full text, mbox):

From: "Thijs Kinkhorst" <thijs@debian.org>
To: 611138-done@bugs.debian.org
Subject: not much left to do
Date: Sat, 2 Jun 2012 19:00:48 +0200
Hi all,

After reading and considering this bug, I don't see what value it adds to
keep it open. The issues have been reviewed, they most likely do not
affect Debian, and we have no realistic way to be absolutely sure of that,
and I don't see that changing anytime soon. I'm closing it.


Cheers,
Thijs





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 01 Jul 2012 07:41:26 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 06:23:50 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.