Debian Bug report logs - #990672
libjdom1-java: CVE-2021-33813


Package: src:libjdom1-java; Maintainer for src:libjdom1-java is Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 4 Jul 2021 12:36:02 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in version libjdom1-java/1.1.3-2

Fixed in version libjdom1-java/1.1.3-2.1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/hunterhacker/jdom/pull/188



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#990671; Package src:libjdom2-java. (Sun, 04 Jul 2021 12:36:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sun, 04 Jul 2021 12:36:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libjdom2-java: CVE-2021-33813
Date: Sun, 04 Jul 2021 14:33:05 +0200
Source: libjdom2-java
Version: 2.0.6-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/hunterhacker/jdom/pull/188
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: clone -1 -2
Control: reassign -2 src:libjdom1-java 1.1.3-2
Control: found -1 2.0.6-1
Control: found -2 1.1.3-2

Hi,

The following vulnerability was published for libjdom2-java.

CVE-2021-33813[0]:
| An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to
| cause a denial of service via a crafted HTTP request.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-33813
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33813
[1] https://github.com/hunterhacker/jdom/pull/188
[2] https://alephsecurity.com/vulns/aleph-2021003

Regards,
Salvatore
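
The CVE text quoted above names the bug class (XXE reachable through SAXBuilder) and the changelog of the fixing upload later in this log describes the fix as a "setFeature bug". The Java snippet below is an added example, not code from this report, from JDOM or from the Debian package: it builds a SAXBuilder with the entity-related SAX/Xerces features switched off and then checks, against a constructed DOCTYPE payload, that the parser actually refuses it rather than trusting that the setFeature() call took effect. The class name, the payload and the placeholder file URL are assumptions made for illustration; the feature URIs are the standard Xerces ones understood by the JDK's built-in parser. It uses the JDOM 2 package (org.jdom2); JDOM 1.x, the libjdom1-java package this bug tracks, exposes the same setFeature() and setExpandEntities() methods under org.jdom.

```java
import java.io.IOException;
import java.io.StringReader;

import org.jdom2.JDOMException;
import org.jdom2.input.SAXBuilder;

public class JdomXxeCheck {

    // Constructed test payload (not from the advisory): a DOCTYPE declaring an
    // external general entity. A parser that still resolves external entities
    // will try to open the SYSTEM URL; a parser with the DOCTYPE disallowed
    // rejects the document before any entity is touched. The file path is a
    // placeholder and is not expected to exist.
    private static final String XXE_PAYLOAD =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE data [\n"
        + "  <!ENTITY ext SYSTEM \"file:///nonexistent/secret.txt\">\n"
        + "]>\n"
        + "<data>&ext;</data>\n";

    // A SAXBuilder with entity processing turned off at the parser level.
    // SAXBuilder.setFeature() is supposed to forward these to the underlying
    // XMLReader; because the fix for CVE-2021-33813 is described as a
    // setFeature bug, the settings are verified below instead of assumed.
    static SAXBuilder hardenedBuilder() {
        SAXBuilder builder = new SAXBuilder();
        // Reject any DOCTYPE: no entity declarations, no DTD fetch.
        builder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth should a DOCTYPE ever be allowed again.
        builder.setFeature("http://xml.org/sax/features/external-general-entities", false);
        builder.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        builder.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // Keep entity references unexpanded in the resulting JDOM tree.
        builder.setExpandEntities(false);
        return builder;
    }

    // true  : the builder refused the payload (safe outcome)
    // false : the payload was parsed, or an I/O attempt on the SYSTEM URL was
    //         made, i.e. the hardening did not reach the underlying parser.
    static boolean rejectsXxe(SAXBuilder builder) {
        try {
            builder.build(new StringReader(XXE_PAYLOAD));
            return false;
        } catch (JDOMException e) {
            // Xerces reports the disallowed DOCTYPE as a parse error, which
            // JDOM wraps in a JDOMParseException (a JDOMException).
            return true;
        } catch (IOException e) {
            // Reaching the file system means the external entity was resolved.
            return false;
        }
    }

    public static void main(String[] args) {
        boolean safe = rejectsXxe(hardenedBuilder());
        System.out.println(safe
            ? "hardened SAXBuilder rejected the DOCTYPE payload"
            : "WARNING: SAXBuilder parsed the DOCTYPE payload; setFeature() had no effect, upgrade JDOM");
    }
}
```

If rejectsXxe() returns false, the feature settings never reached the parser, which is exactly the situation a setFeature bug produces; treat that as a failing test and move to a fixed package (1.1.3-2.1 for libjdom1-java in this log). The check is cheap enough to keep as a permanent unit test in any service that feeds request bodies into SAXBuilder.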



Bug 990671 cloned as bug 990672. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Sun, 04 Jul 2021 12:36:03 GMT)


Bug reassigned from package 'src:libjdom2-java' to 'src:libjdom1-java'. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Sun, 04 Jul 2021 12:36:04 GMT)


No longer marked as found in versions libjdom2-java/2.0.6-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Sun, 04 Jul 2021 12:36:04 GMT)


Marked as found in versions libjdom1-java/1.1.3-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Sun, 04 Jul 2021 12:36:05 GMT)


Changed Bug title to 'libjdom1-java: CVE-2021-33813' from 'libjdom2-java: CVE-2021-33813'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 04 Jul 2021 12:42:02 GMT)


Bug 990672 cloned as bug 990673. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 04 Jul 2021 12:42:03 GMT)


Added tag(s) fixed-upstream. Request was from debian-bts-link@lists.debian.org to control@bugs.debian.org. (Thu, 08 Jul 2021 17:51:01 GMT)


Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Tue, 03 Aug 2021 09:21:05 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 03 Aug 2021 09:21:05 GMT)


Message #24 received at 990672-done@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 990672-done@bugs.debian.org
Subject: Accepted libjdom1-java 1.1.3-2.1 (source) into unstable
Date: Tue, 3 Aug 2021 11:15:57 +0200
Source: libjdom1-java
Source-Version: 1.1.3-2.1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 04 Jul 2021 14:14:56 +0530
Source: libjdom1-java
Architecture: source
Version: 1.1.3-2.1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Utkarsh Gupta <utkarsh@debian.org>
Changes:
 libjdom1-java (1.1.3-2.1) unstable; urgency=medium
 .
   * Non-maintainer upload by the LTS team.
   * Add patch to fix setFeature bug and add test case.
     (Fixes: CVE-2021-33813)
Checksums-Sha1:
 605a6e9795790631b328a069702eb213e02781be 2238 libjdom1-java_1.1.3-2.1.dsc
 f3571d1c199f20db82129ac448efd89590313e4b 332793 libjdom1-java_1.1.3.orig.tar.gz
 3be941d0bf70ee3a90ced51af8a08704d38d217f 7832 libjdom1-java_1.1.3-2.1.debian.tar.xz
 7ac00844c2b945d3c13c1ca637e62b6730e55a29 6071 libjdom1-java_1.1.3-2.1_source.buildinfo
Checksums-Sha256:
 22c8c24ccf6d3428e107d301b8dd46d57431708da4756246695abf813d9f1d6e 2238 libjdom1-java_1.1.3-2.1.dsc
 1be1cf58a959b0feff7e560f305d808d1b36ee1961e3a304188d34622497e02e 332793 libjdom1-java_1.1.3.orig.tar.gz
 eb03f0c1e3c1e9abf01bfd25b7a2668094eae10412e52ebdeb5c346387f73338 7832 libjdom1-java_1.1.3-2.1.debian.tar.xz
 d49745d14f4c39a9091b5980f52e679527decf043d2cb028f500917532756a56 6071 libjdom1-java_1.1.3-2.1_source.buildinfo
Files:
 c7e9e5bc40d1eb4472c5dd5f22e3153e 2238 java optional libjdom1-java_1.1.3-2.1.dsc
 6e7c6d71cba824c3fdc4509e2183b346 332793 java optional libjdom1-java_1.1.3.orig.tar.gz
 dbe2c5255914cb464b259cc89cd75d0d 7832 java optional libjdom1-java_1.1.3-2.1.debian.tar.xz
 810ab9508660dbafc0a37af1897dd334 6071 java optional libjdom1-java_1.1.3-2.1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJHBAEBCAAxFiEEbJ0QSEqa5Mw4X3xxgj6WdgbDS5YFAmEIExwTHHV0a2Fyc2hA
ZGViaWFuLm9yZwAKCRCCPpZ2BsNLluRvD/9uPxD0fUPmy8d2lrSJFMR274ZOBghZ
D2ZrZqaiDrvctvvj4u5yaVmKK1hxmWxigAb82tmjrtf+pzyqYbIIjUaYESzcIDrF
mSdh14L6HDQLz1r2nnlnu/ZL2O2vBJBTR4nAsF2PvJ5p0Y3s/HQvKtpI3T6pQZTo
7KO0dYwvEq811L+u4+sJlWbaJCrKAGrMs+I8zqyFu3vzUWNcPHyEmid1MpTBUyMy
Z9Ku46mW0OwOAQ7hHHyzGxyllEjWYrWuiloQJEiV0jhPwU+/qLaNCMsFRLuMzYhT
bGZVBs/IcbWX52H4FGgJVWVZDnZa2Fpp60AZyZTEnznce3ZrzMmJGqoVrJ1eAh9N
z28b9f3UmpLcENiBZoxBvytFkiXCarRtTwNW4rFFNXnTR2613U+Q65Bv6Tv1n4bu
1fVNHWVqDXnpc508kIKQrbl7mi7kpQXXCBVrMxZJCiIiaNJQJ6MFELThFRWIfCuX
Aorf+Q2J/IE2I9rIiZGLdLcwtbNTHCjr8kg6bgr4SkzfeNINaAbdZKEqjnRBYumQ
4S8weB/gF/YAVZH2uXt0U1FuIvFHTzMQTW/AVif0L91elw4F1EKLG62kUBYCYLgQ
GBEVWwHetq71a402CePRoUMwfz3Pdewy5j0iX5RXOeGdxVMRsdrpRDKcgzEFmjxp
4TJDkD2coC6O4g==
=MRdN
-----END PGP SIGNATURE-----



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 02 Sep 2021 07:25:08 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Oct 8 03:11:24 2023; Machine Name: buxtehude
