
Bug#1057315: tiles: CVE-2023-49735


Salvatore Bonaccorso

Dec 3, 2023, 5:10:06 AM
Source: tiles
Version: 3.0.7-5
Severity: important
Tags: security upstream
X-Debbugs-Cc: a...@debian.org, ebo...@apache.org, car...@debian.org, Debian Security Team <te...@security.debian.org>

Hi,

The following vulnerability was published for tiles.

CVE-2023-49735[0]:
| ** UNSUPPORTED WHEN ASSIGNED ** The value set as the
| DefaultLocaleResolver.LOCALE_KEY attribute on the session was not
| validated while resolving XML definition files, leading to possible
| path traversal and eventually SSRF/XXE when passing user-controlled
| data to this key. Passing user-controlled data to this key may be
| relatively common, as it was also used like that to set the language
| in the 'tiles-test' application shipped with Tiles. This issue
| affects Apache Tiles from version 2 onwards. NOTE: This
| vulnerability only affects products that are no longer supported by
| the maintainer.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

The project is dead-upstream TTBOMK, so not sure if/what we can do at
all for this issue. Removal seems not possible as per:

carnil@respighi:~$ dak rm --suite=unstable -n -R tiles
Will remove the following packages from unstable:

libtiles-java | 3.0.7-5 | all
libtiles-java-doc | 3.0.7-5 | all
tiles | 3.0.7-5 | source

Maintainer: Debian Java Maintainers <pkg-java-m...@lists.alioth.debian.org>

------------------- Reason -------------------

----------------------------------------------

Checking reverse dependencies...
# Broken Build-Depends:
libspring-java: libtiles-java (>= 3.0)

Dependency problem found.

carnil@respighi:~$

But maybe we can set it as "no-dsa", is it only used as build
dependency for libspring-java and not sensible outside?

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-49735
https://www.cve.org/CVERecord?id=CVE-2023-49735

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
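The pattern the CVE text describes, a session attribute spliced into an XML definition file name without validation, shown as an added Java example beside a hardened form. This is not Apache Tiles' own code; the class and method names are hypothetical, the `base + "_<locale>" + ".xml"` naming convention and the sample session values are assumptions made for the example.

```java
import java.util.Locale;
import java.util.Optional;
import java.util.regex.Pattern;

/* Added example, not Apache Tiles code. It models the shape the CVE
 * describes: a locale string read from the HTTP session becomes part of
 * an XML definition file name. The base-name plus "_<locale>" suffix
 * convention is assumed here, not taken from the bug report. */
public final class LocaleDefinitionResolver {

    // Accept only well-formed language[_COUNTRY[_variant]] tags, e.g. "en", "en_US".
    private static final Pattern SAFE_LOCALE =
        Pattern.compile("^[a-z]{2,3}(_[A-Z]{2})?(_[A-Za-z0-9]{1,8})?$");

    /** Vulnerable shape: the raw session value is concatenated into the path. */
    public static String unsafeDefinitionName(String base, String sessionLocale) {
        return base + "_" + sessionLocale + ".xml";
    }

    /** Hardened shape: reject anything that is not a plain locale tag, then
     *  rebuild the name from a parsed Locale so no raw input reaches the path. */
    public static Optional<String> safeDefinitionName(String base, String sessionLocale) {
        if (sessionLocale == null || !SAFE_LOCALE.matcher(sessionLocale).matches()) {
            return Optional.empty();   // path separators, "..", URL schemes all stop here
        }
        String[] parts = sessionLocale.split("_");
        Locale locale = parts.length == 1 ? new Locale(parts[0])
                      : parts.length == 2 ? new Locale(parts[0], parts[1])
                      : new Locale(parts[0], parts[1], parts[2]);
        return Optional.of(base + "_" + locale.toString() + ".xml");
    }

    public static void main(String[] args) {
        // Constructed sample session values: one valid tag, two malformed ones.
        String[] samples = { "en_US", "../../../../tmp/x", "http://example.invalid/x" };
        for (String s : samples) {
            System.out.println("unsafe: " + unsafeDefinitionName("/WEB-INF/tiles", s));
            System.out.println("safe:   " + safeDefinitionName("/WEB-INF/tiles", s)
                                                .orElse("<rejected>"));
        }
    }
}
```

Only the first sample yields a file name from the hardened resolver; the other two are rejected before any file or URL resolution takes place.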

Moritz Muehlenhoff

Dec 3, 2023, 9:20:05 AM
Salvatore Bonaccorso wrote:
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> The project is dead-upstream TTBOMK, so not sure if/what we can do at
> all for this issue. Removal seems not possible as per:
>
> carnil@respighi:~$ dak rm --suite=unstable -n -R tiles
> Will remove the following packages from unstable:
>
> libtiles-java | 3.0.7-5 | all
> libtiles-java-doc | 3.0.7-5 | all
> tiles | 3.0.7-5 | source
>
> Maintainer: Debian Java Maintainers <pkg-java-m...@lists.alioth.debian.org>
>
> ------------------- Reason -------------------
>
> ----------------------------------------------
>
> Checking reverse dependencies...
> # Broken Build-Depends:
> libspring-java: libtiles-java (>= 3.0)
>
> Dependency problem found.
>
> carnil@respighi:~$
>
> But maybe we can set it as "no-dsa", is it only used as build
> dependency for libspring-java and not sensible outside?

Spring is already marked as unsupported, so we can simply extend that.

Cheers,
Moritz

Markus Koschany

Dec 3, 2023, 9:40:05 AM
On Sunday, 03.12.2023 at 15:10 +0100, Moritz Muehlenhoff wrote:
> > But maybe we can set it as "no-dsa", is it only used as build
> > dependency for libspring-java and not sensible outside?
>
> Spring is already marked as unsupported, so we can simply extend that.

+1 This is sensible in this case.

Salvatore Bonaccorso

Dec 3, 2023, 3:10:04 PM
Control: clone -1 -2 -3
Control: retitle -2 tiles: Add README.Debian.security to document support status
Control: reassign -3 src:debian-security-support
Control: retitle -3 Mark tiles as only supported for building applications shipped in Debian

Hi,
Ok, both of your reasonings make sense.

So adding a README.Debian.security on a next upload to clarify the
situation for only being supported for building applications shipped
in Debian.

And then as well a debian-security-support entry.

Cloning and reassigning accordingly two bugs.

Regards,
Salvatore

Holger Levsen

Dec 4, 2023, 4:20:06 AM
Hi Salvatore,

thanks for your continuous work on Debian security!

On Sun, Dec 03, 2023 at 08:03:05PM +0000, Debian Bug Tracking System wrote:
> > clone -1 -2 -3
> Bug #1057315 [src:tiles] tiles: CVE-2023-49735
> Bug 1057315 cloned as bugs 1057342-1057343
> > retitle -2 tiles: Add README.Debian.security to document support status
> > reassign -3 src:debian-security-support
> > retitle -3 Mark tiles as only supported for building applications shipped in Debian

ack & this starts when? with 3.0.7-4 in buster? or 20231204? or?


--
cheers,
Holger

⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org
⢿⡄⠘⠷⠚⠋⠀ OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
⠈⠳⣄

I’ve said it once, and I’ll say it a thousand times: If the penalty for
breaking a law is a fine, then that law only exists for the poor.

Moritz Muehlenhoff

Dec 4, 2023, 5:20:05 AM
On Mon, Dec 04, 2023 at 09:13:41AM +0000, Holger Levsen wrote:
> Hi Salvatore,
>
> thanks for your continuous work on Debian security!
>
> On Sun, Dec 03, 2023 at 08:03:05PM +0000, Debian Bug Tracking System wrote:
> > > clone -1 -2 -3
> > Bug #1057315 [src:tiles] tiles: CVE-2023-49735
> > Bug 1057315 cloned as bugs 1057342-1057343
> > > retitle -2 tiles: Add README.Debian.security to document support status
> > > reassign -3 src:debian-security-support
> > > retitle -3 Mark tiles as only supported for building applications shipped in Debian
>
> ack & this starts when? with 3.0.7-4 in buster? or 20231204? or?

The note to EOL libspring-java is only in Bookworm, so this is only needed for
Bookworm as well.

For Buster Spring is marked as EOLed, so it should probably just use the same,
I'll let someone from Debian LTS chime in.

Cheers,
Moritz

Holger Levsen

Dec 23, 2023, 7:40:04 AM
hi,

so I'm adding src:tiles to security-support-limited.(13|12|11|10),
as no removal is planned (and it's dead upstream etc).


--
cheers,
Holger


If you upload your address book to "the cloud", I don't want to be in it.