Bug#885577: libhibernate-validator-java: CVE-2017-7536: Privilege escalation when running under the security manager

Markus Koschany apo at debian.org
Thu Jan 11 14:11:02 UTC 2018


On 08.01.2018 at 20:31, Salvatore Bonaccorso wrote:
[...]
> Ok, thanks a lot for double checking. Again, I'm not sure how pressing
> the issue is, I'm deferring a DSA/no-DSA decision to one of my
> teammates. Privilege escalation rings some bells obviously.
> 
> For older versions than 4.3.3, am I right that then the issue is only
> introduced in ab21ca98fd7814bd014e7d8e03de8640f2529352, "HV-912 Not
> exposing accessible-made members", which is in 4.3.2.Final~3 or is it
> more just uncovered there?

I have just uploaded a fix for CVE-2017-7536 to unstable. I think we
don't need a DSA for that because libhibernate-validator-java is only
needed as a build-dependency for libspring-java in Stretch. I intend to
request a stretch-pu instead.

I agree with your assessment and I also believe Wheezy and Jessie are
not affected because the vulnerable code was introduced in the 4.3
branch. The fix improves commit ab21ca98fd7814bd014e7d8e03de8640f2529352
by taking the security manager into account.

Regards,

Markus
