Subject: bug#47342: [PATCH 2/2] gnu: java-xstream: Update to 1.4.16 [security fixes].
From: Julien Lepiller
To: Leo Famulari
Cc: 47342@debbugs.gnu.org
Date: Tue, 23 Mar 2021 13:42:48 -0400
X-GNU-PR-Package: guix
X-GNU-PR-Keywords: security

So, mxparser seems to be pretty easy to package, but it depends on xmlpull v1. Unfortunately, it was developed at Extreme! Lab at Indiana University, but their website has recently been "deprecated" and redirects to the internet archive.

This is an issue as we have xmlpull v2 and xpp3 whose sources have also disappeared. Not sure what to do about them?

I asked upstream (xstream) for guidance on where to find the sources on https://github.com/x-stream/mxparser/issues/3.

Once we have that information, I can take care of the xstream update.

On 23 March 2021 13:33:45 GMT-04:00, Leo Famulari <leo@famulari.name> wrote:
>On Tue, Mar 23, 2021 at 03:38:40PM +0100, Léo Le Bouter via Bug reports for GNU Guix wrote:
>> Fixes CVE-2021-21341, CVE-2021-21342, CVE-2021-21343, CVE-2021-21344,
>> CVE-2021-21345, CVE-2021-21346, CVE-2021-21347, CVE-2021-21348,
>> CVE-2021-21349, CVE-2021-21350 and CVE-2021-21351.
>>
>> * gnu/packages/xml.scm (java-xstream): Update to 1.4.16.
>> [inputs]: Replace java-xpp3 with java-mxparser, the latter being a fork of the
>> former made by upstream.
>
>Thanks for the patch!
>
>Pinging Julien...