Debian Bug report logs - #990671
libjdom2-java: CVE-2021-33813


Package: src:libjdom2-java; Maintainer for src:libjdom2-java is Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>;

Affects: libjdom2-java-doc

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 4 Jul 2021 12:36:02 UTC

Severity: serious

Tags: bullseye-ignore, fixed-upstream, security, upstream

Found in versions libjdom2-java/2.0.6-1, libjdom2-java/2.0.6-2

Fixed in versions libjdom2-java/2.0.6-1+deb9u1, libjdom2-java/2.0.6-2.1

Done: Utkarsh Gupta <utkarsh@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/hunterhacker/jdom/pull/188



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#990671; Package src:libjdom2-java. (Sun, 04 Jul 2021 12:36:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sun, 04 Jul 2021 12:36:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libjdom2-java: CVE-2021-33813
Date: Sun, 04 Jul 2021 14:33:05 +0200
Source: libjdom2-java
Version: 2.0.6-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/hunterhacker/jdom/pull/188
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: clone -1 -2
Control: reassign -2 src:libjdom1-java 1.1.3-2
Control: found -1 2.0.6-1
Control: found -2 1.1.3-2

Hi,

The following vulnerability was published for libjdom2-java.

CVE-2021-33813[0]:
| An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to
| cause a denial of service via a crafted HTTP request.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-33813
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33813
[1] https://github.com/hunterhacker/jdom/pull/188
[2] https://alephsecurity.com/vulns/aleph-2021003

Regards,
Salvatore
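Added example (not code from the bug report, from JDOM, or from the upstream patch): a defensive SAXBuilder configuration that rejects any DOCTYPE before entity resolution can start, so an external-entity declaration of the kind XXE relies on never reaches the parser. It assumes the standard SAX/Xerces feature URIs used below are recognised by the underlying parser; the sample documents are constructed for the example.

```java
import java.io.IOException;
import java.io.StringReader;

import org.jdom2.Document;
import org.jdom2.JDOMException;
import org.jdom2.input.SAXBuilder;

public class HardenedSaxBuilder {

    /** Build a SAXBuilder with DTDs and external entity loading disabled. */
    public static SAXBuilder hardenedBuilder() {
        SAXBuilder builder = new SAXBuilder();
        // Refuse any DOCTYPE outright: with no DTD there are no entity declarations at all.
        builder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces for parsers that still accept a DOCTYPE: never fetch external entities or DTDs.
        builder.setFeature("http://xml.org/sax/features/external-general-entities", false);
        builder.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        builder.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // Do not let JDOM expand entity references into text either.
        builder.setExpandEntities(false);
        return builder;
    }

    /** Returns true if the document parses, false if the hardened parser rejects it. */
    public static boolean accepts(String xml) {
        try {
            Document doc = hardenedBuilder().build(new StringReader(xml));
            return doc.getRootElement() != null;
        } catch (JDOMException | IOException e) {
            // Rejected: a DOCTYPE or entity was present, or the input is malformed.
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a plain document and one declaring an external entity
        // (the URL is a deliberately unreachable placeholder).
        String plain = "<request><id>42</id></request>";
        String withDoctype =
            "<!DOCTYPE request [<!ENTITY ext SYSTEM \"http://example.invalid/unreachable\">]>"
            + "<request><id>&ext;</id></request>";
        System.out.println("plain accepted:        " + accepts(plain));
        System.out.println("with DOCTYPE accepted: " + accepts(withDoctype));
    }
}
```

Rejecting the DOCTYPE is the check that does not depend on which entity-related features a given parser honours, which is why it is set first.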



Bug 990671 cloned as bug 990672 Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Sun, 04 Jul 2021 12:36:03 GMT)


Marked as found in versions libjdom2-java/2.0.6-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Sun, 04 Jul 2021 12:36:05 GMT)


Added tag(s) fixed-upstream. Request was from debian-bts-link@lists.debian.org to control@bugs.debian.org. (Thu, 08 Jul 2021 17:21:11 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#990671; Package src:libjdom2-java. (Wed, 14 Jul 2021 09:30:03 GMT)


Acknowledgement sent to Andreas Beckmann <anbe@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Wed, 14 Jul 2021 09:30:03 GMT)


Message #16 received at 990671@bugs.debian.org:

From: Andreas Beckmann <anbe@debian.org>
To: Debian Bug Tracking System <990671@bugs.debian.org>
Subject: Re: libjdom2-java: CVE-2021-33813
Date: Wed, 14 Jul 2021 11:26:39 +0200
Followup-For: Bug #990671
Control: fixed -1 2.0.6-1+deb9u1
Control: severity -1 serious

Fixing this in stretch-security only causes version skew on upgrades to
buster:

 libjdom2-java | 2.0.6-1        | stretch          | source, all
 libjdom2-java | 2.0.6-1        | buster           | source, all
 libjdom2-java | 2.0.6-1+deb9u1 | stretch-security | source, all
 libjdom2-java | 2.0.6-2        | bullseye         | source, all
 libjdom2-java | 2.0.6-2        | sid              | source, all

Andreas



Marked as fixed in versions libjdom2-java/2.0.6-1+deb9u1. Request was from Andreas Beckmann <anbe@debian.org> to 990671-submit@bugs.debian.org. (Wed, 14 Jul 2021 09:30:03 GMT)


Severity set to 'serious' from 'important' Request was from Andreas Beckmann <anbe@debian.org> to 990671-submit@bugs.debian.org. (Wed, 14 Jul 2021 09:30:03 GMT)


Added indication that 990671 affects libjdom2-java-doc Request was from Andreas Beckmann <anbe@debian.org> to control@bugs.debian.org. (Thu, 15 Jul 2021 14:03:04 GMT)


Added tag(s) bullseye-ignore. Request was from Sebastian Ramacher <sramacher@debian.org> to control@bugs.debian.org. (Mon, 19 Jul 2021 21:09:03 GMT)


Reply sent to Utkarsh Gupta <utkarsh@debian.org>:
You have taken responsibility. (Tue, 03 Aug 2021 17:21:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 03 Aug 2021 17:21:03 GMT)


Message #29 received at 990671-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 990671-close@bugs.debian.org
Subject: Bug#990671: fixed in libjdom2-java 2.0.6-2.1
Date: Tue, 03 Aug 2021 17:18:26 +0000
Source: libjdom2-java
Source-Version: 2.0.6-2.1
Done: Utkarsh Gupta <utkarsh@debian.org>

We believe that the bug you reported is fixed in the latest version of
libjdom2-java, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 990671@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Utkarsh Gupta <utkarsh@debian.org> (supplier of updated libjdom2-java package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 03 Aug 2021 22:20:07 +0530
Source: libjdom2-java
Architecture: source
Version: 2.0.6-2.1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Utkarsh Gupta <utkarsh@debian.org>
Closes: 990671
Changes:
 libjdom2-java (2.0.6-2.1) unstable; urgency=medium
 .
   * Non-maintainer upload by the LTS team.
   * Add patch to fix setFeature bug and add test case.
     (Fixes: CVE-2021-33813) (Closes: #990671)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 30 Sep 2021 07:27:15 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Oct 8 03:11:32 2023; Machine Name: buxtehude
