|
|
Log in / Subscribe / Register

Debian alert DLA-2078-1 (libxmlrpc3-java)



From:
              Markus Koschany <apo@debian.org> 


To:
              debian-lts-announce@lists.debian.org 


Subject:
              [SECURITY] [DLA 2078-1] libxmlrpc3-java security update 


Date:
              Thu, 30 Jan 2020 17:31:17 +0100


Message-ID:
              <ff240ebd-9dd9-920c-dfc1-565bf69fbeb1@debian.org>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : libxmlrpc3-java
Version        : 3.1.3-7+deb8u1
CVE ID         : CVE-2019-17570
Debian Bug     : 949089

An untrusted deserialization was found in the
org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult method of Apache
XML-RPC (aka ws-xmlrpc) library. A malicious XML-RPC server could target
a XML-RPC client causing it to execute arbitrary code.

Clients that expect to get server-side exceptions need to set the
enabledForExceptions property to true in order to process serialized
exception messages again.

For Debian 8 "Jessie", this problem has been fixed in version
3.1.3-7+deb8u1.

We recommend that you upgrade your libxmlrpc3-java packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAl4zBNVfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7
UeSJuRAAwy4O0ra3IfTvMnZJp7tjpLsR5LOAf9Br5b7+/pBbQvFjP1dO4xxWGInV
TPvX6fbheP7RbqYk9K74JEzxeIEXEAf1i6rzV2+vkcH6IoN379N9CRUyDfSz7A0I
c6abZ1/FVmAT3F2Y9onJrCBkmKAr5MQq0/aufBXl/tpDBQWs92nF/tPOSZaRQjPC
YShDYpdH1+lJZxfn1+rjCSoQpArXkeHnA5s0kHxhzr3FqFfdv+0Xze+W3FkOK9yZ
Q2efsoq2CRrJLJqZ6E6V9FggpSvbbvqN5VpQYU7L/9jxtRUewt6KB8uL4Yy76OJS
+7xuZFkRRjhviyC60yEo+Q+If7F9OHvXpieeKLhtwk679nVrXUkZTQqgp9kxmxWR
LRZovwmCLsZbDpepmEJFYOtDobvLYfuRg8JSovvVu5VfnGJKJLpKmJs9pBzO+o6L
83KxYHzTYIQlALOMjm+5FDPM1qdaWgd9580trcFl57g0e0nIYMSI0O/71fIVyd/d
zz1IVgfTmYRYHdMSXMAC00BSVlgNTHZYWenoNoNSuTU0X0l0H7Q46ydv8iSSn0QL
tH3QoBU7vL0Hn/2OF8VWPqjLqNayrjxDMgEuyckbp5rNuFWcoLoBjAMy1cG73XN4
ZemKvCmWpvgVFtme45Jdw4E5Kaf5JFSpax0cCysOaWH/2dvM4R4=
=uPeY
-----END PGP SIGNATURE-----
to post comments


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds