Hi,
On Thursday, 23.09.2021 at 19:40 +0200, Anton Gladky wrote:
> Hi Markus,
>
> I have applied your patch and the pipelines have passed [1]. So, at least
> nothing breaks from the "build side of view".
thanks to all who have contributed to this thread.
I have just uploaded a new securit
Hi Markus,
I have applied your patch and the pipelines have passed [1]. So, at least
nothing breaks from the "build side of view".
Yes, I took this package, but if you are working on it, feel free to
reclaim it.
[1]
https://salsa.debian.org/lts-team/packages/libxstream-java/-/pipelines/292916
B
On Thu, Sep 23, 2021 at 05:03:46PM +0200, Markus Koschany wrote:
>
> You are right that all applications will break which rely on the
> deserialization feature of xstream and were not using a whitelist before.
> Everything else that just writes a POJO to XML should be unaffected. In
> general
> w
Hi,
On Wednesday, 22.09.2021 at 20:57 +0200, Sylvain Beucler wrote:
[...]
> >
> > I am pretty surprised because I had concluded that all reverse-dependencies
> > would break, due to not white-listing any app-specific class:
> > https://lists.debian.org/debian-lts/2021/06/msg00040.html
> >
>
Hi,
On Wed, Sep 22, 2021 at 04:29:39PM +0200, Sylvain Beucler wrote:
> On 22/09/2021 15:37, Markus Koschany wrote:
> > so far I have not found any regressions in Debian packages which depend on
> > libxstream-java. I propose to switch to the whitelist in all suites because
> > this is the only rea
Hi,
On 22/09/2021 15:37, Markus Koschany wrote:
so far I have not found any regressions in Debian packages which depend on
libxstream-java. I propose to switch to the whitelist in all suites because
this is the only reasonable way to secure XStream. I have prepared an update
for Stretch. Anton,
Hi all,
so far I have not found any regressions in Debian packages which depend on
libxstream-java. I propose to switch to the whitelist in all suites because
this is the only reasonable way to secure XStream. I have prepared an update
for Stretch. Anton, could you take a look at it because I saw
Hi,
On Friday, 27.08.2021 at 14:03 +0200, Sylvain Beucler wrote:
> Hi,
>
> I wrote an analysis in June
> https://lists.debian.org/debian-lts/2021/06/msg00024.html
> https://lists.debian.org/debian-lts/2021/06/msg00040.html
>
> I believe we should postpone these CVEs with the goal of tracki
Hi,
I wrote an analysis in June
https://lists.debian.org/debian-lts/2021/06/msg00024.html
https://lists.debian.org/debian-lts/2021/06/msg00040.html
I believe we should postpone these CVEs with the goal of tracking how
/upstream/ reverse dependencies are adapting to the removal of the
blacklist
Hi fellow LTS contributors
I have helped Thorsten (this week's front-desk) to triage the java packages.
The problem in the libxstream-java is that there are a lot of ways
arbitrary code can be executed. The upstream fix is to make the recommended
way to use the library the default. The recommenda