Bug#949089: libxmlrpc3-java: CVE-2019-17570: deserialization of server-side exception from faultCause in XMLRPC error response

Markus Koschany apo at debian.org
Fri Jan 17 00:04:10 GMT 2020


Hi,

On 16.01.20 at 21:27, Salvatore Bonaccorso wrote:
> Source: libxmlrpc3-java
> Version: 3.1.3-9
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> 
> Hi,
> 
> The following vulnerability was published for libxmlrpc3-java.
> 
> CVE-2019-17570[0]:
> | Deserialization of server-side exception from faultCause in XMLRPC
> | error response
> 
> That said, should libxmlrpc3-java rather be removed from unstable, and
> not included in bullseye?

[...]

It looks like starjava-topcat is the only package that build-depends on
libxmlrpc3-java at the moment (need to check that again). I think the
issue itself can be fixed by the proposed Red Hat patch, making the use
of some parts of the vulnerable method conditional on a set property.
Since Apache xml-rpc is EOL it makes sense to remove it from Debian
though. I will file a bug report for starjava-topcat and then let's see
how it goes.

Regards,

Markus
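Added illustration of the mitigation pattern described above (making the handling of the serialized faultCause blob conditional on a property, and otherwise ignoring it). This is not code from Apache XML-RPC, from Debian or from the Red Hat patch; the property name, the Fault class, the filter pattern and the constructed fault struct in main are assumptions chosen for the example:

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.HashMap;
import java.util.Map;

/**
 * Illustration: a client-side fault parser that only deserializes the
 * faultCause bytes of an XML-RPC error response when an opt-in property is
 * set. Added example; not code from Apache XML-RPC, Debian or the Red Hat patch.
 */
public final class FaultCauseGuard {

    /** Hypothetical opt-in property name (assumption; the report names none). */
    public static final String OPT_IN_PROPERTY = "example.xmlrpc.deserializeFaultCause";

    /**
     * Even when opted in, only a small fixed set of JDK classes may be resolved
     * from the blob, and the object graph is bounded. Anything else is rejected
     * before an instance is created (fails closed). Java 9+ API; the class list
     * is an assumption covering what a plain Throwable serializes into.
     */
    private static final ObjectInputFilter FAULT_CAUSE_FILTER =
        ObjectInputFilter.Config.createFilter(
            "maxdepth=8;maxrefs=1024;maxbytes=262144;"
            + "java.lang.*;"                              // Throwable hierarchy, String, StackTraceElement
            + "java.util.Collections$UnmodifiableList;"   // suppressed-exception list inside a Throwable
            + "java.util.Collections$UnmodifiableCollection;"
            + "java.util.ArrayList;"
            + "!*");                                      // reject everything not listed above

    /** Parsed fault: faultCode and faultString are always kept; faultCause is optional. */
    public static final class Fault {
        public final int faultCode;
        public final String faultString;
        public final Throwable faultCause; // null unless opted in and the blob passed the filter

        Fault(int faultCode, String faultString, Throwable faultCause) {
            this.faultCode = faultCode;
            this.faultString = faultString;
            this.faultCause = faultCause;
        }
    }

    /** Hardened parsing of the fault struct: the serialized blob is ignored by default. */
    public static Fault parseFault(Map<String, Object> faultStruct) {
        int code = ((Number) faultStruct.get("faultCode")).intValue();
        String message = String.valueOf(faultStruct.get("faultString"));
        Throwable cause = null;
        Object raw = faultStruct.get("faultCause");
        if (raw instanceof byte[] && Boolean.getBoolean(OPT_IN_PROPERTY)) {
            cause = readThrowable((byte[]) raw);
        }
        return new Fault(code, message, cause);
    }

    private static Throwable readThrowable(byte[] blob) {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(blob))) {
            in.setObjectInputFilter(FAULT_CAUSE_FILTER); // must be set before the first read
            Object o = in.readObject();
            return o instanceof Throwable ? (Throwable) o : null;
        } catch (IOException | ClassNotFoundException e) {
            // Rejected by the filter or malformed: drop the cause, keep code and string.
            return null;
        }
    }

    // Demo helper: produce a faultCause blob the way a server would (constructed input).
    static byte[] serialize(Throwable t) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(t);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        Map<String, Object> fault = new HashMap<>(); // constructed fault struct
        fault.put("faultCode", 42);
        fault.put("faultString", "server error");
        fault.put("faultCause", serialize(new IllegalStateException("constructed server-side cause")));

        Fault byDefault = parseFault(fault);
        System.out.println("default:  cause=" + byDefault.faultCause + " string=" + byDefault.faultString);

        System.setProperty(OPT_IN_PROPERTY, "true");
        Fault optedIn = parseFault(fault);
        System.out.println("opted in: cause=" + optedIn.faultCause);
    }
}
```

The default path never touches ObjectInputStream at all, which is the property-gating the reply refers to; the filter on the opted-in path is an extra layer so that even a deliberately enabled client does not resolve arbitrary application classes from a server-supplied blob. If the filter pattern does not match a class in the stream, the result is a dropped cause rather than a failure of the whole response.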
